What is netstat?

Netstat — derived from the words network and statistics — is a program that’s controlled via commands issued in the command line. It delivers basic statistics on all network activities and informs users on which portsand addresses the corresponding connections (TCP, UDP) are running and which ports are open for tasks. In 1983, netstat was first implemented into the Unix derivative BSD (Berkley Software Distribution), whose version 4.2 supported the first internet protocol family, TCP/IP. netstat has been integrated into Linux since its debut in 1991 and has been present in Windows since the appearance of version 3.11 (1993), which could also communicate via TCP/IP with the help of extensions. While the parameters of netstat’s commands (as well as their outputs) differ from system to system, when it comes to their functions, the various implementations are very similar.

Essentially, netstat is a command line program and for this reason doesn’t feature a graphical user interface. Programs like TCPView, which was developed by the Microsoft division Windows Sysinternals, makes it possible for statistics to be displayed graphically.

How do you use netstat?

In Windows operating systems, you can use the netstat services via the command line (cmd.exe). You can find them in the start menu under "All Programs" -> "Accessories" -> "Command Prompt". Alternatively, you can search directly for "Command Prompt" in the start menu’s search field or start the command line via "Run" (Windows key + press "R" and enter "cmd"). The syntax of the netstat commands follows the following pattern:

netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p Protocol] [-r] [-s] [-t] [-x] [-y] [Interval]

The combination of the individual options works by stringing the individual parameters together, each separated by a space:

netstat [-OPTION1] [-OPTION2] [-OPTION3] …

The parameters are typically preceded by a hyphen (-), but if you want to combine several options, you only have to place this hyphen in front of the first element. Instead of the variant shown above, you can also link different parameters as follows:

netstat [-OPTION1][OPTION2][OPTION3] …

In this case, it is important that you do not leave any spaces between the individual netstat options.

netstat commands for Windows






Standard listing of all active connections


netstat -a

Displays all active ports


netstat -b

Displays the executable file of a connection or listening port (requires administrator rights)


netstat -e

Shows statistics about your network connection (received and sent data packets, etc.)


netstat -f

Displays the fully qualified domain name (FQDN) of remote addresses


netstat -i

Brings up the netstat overview menu


netstat -n

Numerical display of addresses and port numbers


netstat -o

Displays the process identifier (PID) associated with each displayed connection

-p Protokoll

netstat -p TCP

Displays the connections for the specified protocol, in this case TCP  (also possible: UDP, TCPv6, or UDPv6)


netstat -q

Lists all connections, all listening TCP ports, and all open TCP ports that are not listening


netstat -r

Displays the IP routing table


netstat -s

Retrieves statistics about the important network protocols such as TCP, IP, or UDP


netstat -t

Shows the download status (TCP download to relieve the main processor) of active connections


netstat -x

Informs about all connections, listeners, and shared endpoints for NetworkDirect


netstat -y

Displays which connection templates were used for the active TCP connections


netstat -p 10

Displays the respective statistics again after a selected number of seconds (here 10); can be combined as required (here with –p), [CTRL] + [C] ends the interval display

Netstat examples

In order to make the use of the listed netstat commands for Windows easier to understand, we will show you some example commands:

List of all connections for the IPv4 protocol

If you don't want to retrieve all active connections, but only all active IPv4 connections, you can do this using the netstat command:

netstat -p IP

Accessing statistics using the ICMPv6 protocol

If you only want to obtain statistics on the ICMPv6 protocol, enter the following command in the command line:

netstat -s -p icmpv6

The output will then look something like this:

Repetitive query of interface statistics (every 20 seconds)

Use the following netstat command for a repeated query of the interface statistics, which returns new values every 20 seconds on received and sent data packets:

netstat -e 20

Display of all open ports and active connections (numeric and process ID included)

One of the most popular netstat commands is undoubtedly to query all open ports and active connections (including process ID) in numeric form:

netstat -ano

Why using netstat makes sense

When dealing with excessive traffic and malicious software it’s advantageous to be informed about the inbound and outbound connections to your computer. These are created via their respective network addresses that indicate which ports were preemptively opened for exchanging data. Once a port is opened, it receives the status “LISTEN” and waits for connection attempts. One problem of having these ports remain open is that your system is then left vulnerable to malware. What’s more, there’s also a chance that Trojan viruses already found in your system may install a backdoor, opening up a corresponding port in the process. For this reason, you should always regularly check the ports opened by your system, a task for which netstat is particularly well suited. Thanks to the fact that you’ll be able to find the diagnosis tool on virtually every system, whether it be Unix, Linux, Windows, or Mac, this program offers a unified solution for all computers and servers.

Possible infections can be caught based on unknown opened ports or unknown IP addresses. In order to obtain an informative result, all other programs, such as your internet browser, should be turned off. This is due to the fact that these are often connected with computers that possess unknown IP addresses. Thanks to the detailed statistics, users also receive information on the packets that have been transferred since the last system start as well as notices of any errors that have occurred. The routing table, which delivers information on the paths data packets takes through the net, can be displayed with the help of the system-specific netstat command.

We’re all in this together. At IONOS we are
Coronavirus is a challenge we need to face together.
We've created special offers on key products to help
your business keep going.
3 months free
Online Shop
Be where your customers are with your own online store.