How to use Netstat commands

Written by stephen byron cooper Google
  • Share
  • Tweet
  • Share
  • Pin
  • Email
How to use Netstat commands
Netstat shows the computers you are currently connected to. (Hemera Technologies/ Images)

Netstat is a single command, but it can be modified by options to produce different results. The command is not operating system-specific and so is available on Windows, Mac, Linux and Unix. Netstat reports on the current connections made on the computer through ports to remote computers over a network. The utility examines TCP/IP connections. For the home user, that means internet connections. TCP/IP connections can be made through a range of standard procedures, called “protocols.” The main two sets of protocols in TCP/IP are the Transmission Control Protocol and the User Datagram Protocol. Each has its own range of “ports.” This does not refer to the plug sockets on the computer, but a logical address used in network programming.

Skill level:
Moderately Easy

Things you need

  • Internet connection

Show MoreHide


  1. 1

    Type netstat at the command prompt. The utility will return a table of data. The columns in the table are “Proto,” “Local Address,” Foreign Address” and “State.” Each row in the table represents a connection to your computer over the network (or Internet) that is either active or waiting.

  2. 2

    Examine the “Proto” column. Most rows will have the value “TCP” which is a connection-oriented transfer protocol. If you have a multimedia or Internet telephony application running on your computer, you will see UDP connections. Netstat by itself will only show TCP connections.

  3. 3

    Read through the “Local Address” values in each row. This has three elements: The recipient on the computer, the address of your computer and the port number. The computer’s address may appear either as an IP address or in hexadecimal format. The port number appears after a colon at the end of the address.

  4. 4

    Scan down the “Foreign Address” column to see the addresses of the computers you are currently connected to. This address may be in IP format, a Web domain, or a hexadecimal number. The prot number is not always shown in this column. Instead, the space used for the port number after the colon at the end of the address could read “http,” or “https.”

  5. 5

    Check the state of the connection. There are ten options: “ESTABLISHED,” “TIME_WAIT,” “CLOSE_WAIT,” “CLOSED,” “FIN_WAIT_1,” “FIN_WAIT_2,” “LAST_ACK,” “LISTEN,” “SYN_RECEIVED” and “SYN_SEND.” Most of the entries will either say “ESTABLISHED” or “LISTEN.” A listening connection indicates a daemon which is a program on your computer that runs constantly waiting for incoming messages.

  6. 6

    Modify the command with “switches.” These are options that follow the command and start with a minus sign (“-“). Adding “-a” to the end of the command will show all active TCP and UDP connections. The “-n” switch shows TCP connections with the addresses expressed as IP addresses only. Each operating system has a different list of switches. To get a full list for your system type netstat ?.

Don't Miss

  • All types
  • Articles
  • Slideshows
  • Videos
  • Most relevant
  • Most popular
  • Most recent

No articles available

No slideshows available

No videos available

By using the site, you consent to the use of cookies. For more information, please see our Cookie policy.