Page Last Updated: 09/02/2010
NETSTAT - See what your computer is up to with the network

Netstat is a built in command line tool that provides you with information about TCP connections, network statistics and IP routing table. As it is built in, there is nothing to download. It is in all recent versions of Windows. Under Windows Vista and Windows 7 you may have to run some commands in an elevated command prompt.

Where to Start

To begin with, start with displaying all connections

netstat -a

That will give you a long list.

However that doesn't tell you much about what is going on, unless you know the ports that are in use.

By adding the option -b you can get more information

netstat -a -b or netstat -ab

You can also list the running processes using the PID using the -o switch.

netstat -ao

You can then compare the list with the tasks shown in Task Manager.

With just the -o switch (netstat -o) then you will see just the active connections.

Specific Port Information

If you are looking at the information on pure number form (so IP address and port number) use the -n switch

netstat -an

However this can provide you with more information than you need. Therefore if you are looking for specific port then you can filter that information.

For example to find a connection to web sites or other services using port 80 use this command:

netstat -an | findstr :80

Will show all connections on port 80

| is pipe, which is usually found by pressing SHIFT and then \ on the keyboard. It looks like a broken horizontal line on the keyboard.

Repeating the results

If you want to repeat the results at frequent intervals, then you can just place a number at the end, which is the repeat time in seconds.

netstat -an 10

This will show the output of netstat -an every 10 seconds.

To combine the repeat with a filter, put the interval time before the filter:

netstat -an 10 | findstr :80

There is no break of any description between the results, it just appears in a single table, with no time stamp.

Recording the Results

Of course the usual technique to drop the results in to a text file also apply

netstat -an >c:\netstat.txt

Netstat Help Text

netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

-a       Displays all connections and listening ports.

-b       Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

-e            Displays Ethernet statistics. This may be combined with the -s option.

-f             Displays Fully Qualified Domain Names (FQDN) for foreign addresses.

-n            Displays addresses and port numbers in numerical form.

-o            Displays the owning process ID associated with each connection.

-p proto  Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-r            Displays the routing table.

-s            Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

-t            Displays the current connection offload state.

interval    Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

About this site

Most of this information originally started life as a page on amset.info, our community assistance site. However that site is targeted at Microsoft Exchange server, as Sembee Ltd. is a Microsoft Exchange consultancy. Therefore it was moved to its own domain in early 2010. Traffic from amset.info is directed here.

Other sites that are owned and operated by Sembee Ltd include kbsearch.info, certificatesforexchange.com, loginscripts.info, office-recovery.info, wuauclt.info, blog.sembee.co.uk, exbpa.com and amset.info.