Jump to content
  • How to use 'netstat' command on Windows 11 and 10


    Karlston

    • 1.1k views
    • 8 minutes
     Share


    • 1.1k views
    • 8 minutes

    You can use the netstat command to monitor and troubleshoot many network problems, and in this guide, I'll show you how.

    On Windows 11, the Network Statistics (netstat) tool has been around for a long time (including on Windows 10 and older versions), and it's a command-line utility you can use in Command Prompt to display statistics for all network connections. It allows you to understand open and connected ports to monitor and troubleshoot networking problems for systems or apps.

     

    The tool helps you to list active network (incoming and outgoing) connections and listening ports. You can view network adapter statistics and statistics for protocols (such as IPv4 and IPv6). You can even display the current routing table and much more.

    In this how-to guide, I'll show you the steps to use the netstat command to examine connections to discover open and connected network ports on Windows 11 (and 10).

    How to use netstat on Windows 11 and 10

    In the client version of Windows, you can get started with the Network Statistics tool with a simple command, but then you have a lot of options to view different network activities, and here's how.

    Netstats basics

    To get started with netstat, use these steps:

     

    1. Open Start.
    2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
    3. Type the following command to show all active TCP connections and press Enter: netstat

     

    WkJoQ8oPp6zriSjmGwJmkN-970-80.jpg

    (Image credit: Future)

     

    1. (Optional) Type the following command to display active connections showing numeric IP address and port number instead of trying to determine the names and press Enter: netstat -n

     

    HgeBgPvLjTZJNn5BUZ4Gtb-970-80.jpg

    (Image credit: Future)

     

    1. (Optional) Type the following command to refresh the information at a specific interval and press Enter: netstat -n INTERVAL

     

    In the command, replace "INTERVAL" with the number (in seconds) to re-display the information. This example refreshes the command in question every five seconds: netstat -n 5

     

    • Quick note: When using the interval parameter, you can terminate the command using the "Ctrl + C" keyboard shortcut.

     

    wiKmFaseFdZxGoyePTV86k-970-80.jpg

    (Image credit: Future)

     

    Once you execute the command, it'll return a list of all active connections in four columns, including:

     

    • Proto: Shows the connection protocol (TCP or UDP).
    • Local Address: Shows the computer's IP address followed by a semicolon with the port number of the connection. The double-semicolon inside brackets indicates the local IPv6 address, and "0.0.0.0" refers to the local address.
    • Foreign Address: Lists the remote device's IP (or FQDN) address with the port number after the semicolon port name (for example, HTTPS, HTTP, Microsoft-ds, and wsd).
    • State: Indicates where the connection is active (established), the local port has been closed (time_wait), and the program hasn't closed the port (close_wait). Other status include, closed, fin_wait_1, fin_wait_2, last_ack, listen, syn_received, syn_send, and timed_wait.

    Netstat parameters

    The tool also includes several parameters you can use to display different information about the network connections on Windows 11 (and 10).

     

    Show active and inactive connections

     

    The "netstat -a" command displays all active and inactive connections and the TCP and UDP ports the device is currently listening to.

     

    eQp2RWnAkzLd4RasvVhDzM-970-80.jpg

    (Image credit: Future)

     

    Show executable information

     

    The "netstat -b" command lists all the executables (applications) associated with each connection. Sometimes, applications may open multiple connections.

     

    gFBZGDwZSCao96qCTBWXCe-970-80.jpg

    (Image credit: Future)

     

    Show network adapter statistics

     

    The "netstat -e" command generates a statistic of the network interface, which shows information like the number of bytes, unicast, and non-unicast sent and received packets. You can also see discarded packets, errors, and unknown protocols, which can help you troubleshoot networking problems.

     

    EMEkKKKagwAFYgrKuyyEw-970-80.jpg

    (Image credit: Future)

     

    Show FQDNS for foreign addresses

     

    The "netstat -f" command shows the fully qualified domain name (FQDN) for foreign addresses. For example, "a23-200-88-24.deploy.static.akamaitechnologies.com:https" instead of "a23-200-88-24:http" or "23.200.88.24".

     

    sQfxHuVG24Cb6hJGGWDewC-970-80.jpg

    (Image credit: Future)

     

    Show numerical form

     

    The "netstat -n" command displays the addresses and ports in numerical form—for example, 52.159.126.152:443.

     

    dWG9JfwYMfA6DtBrFKEgEj-970-80.jpg

    (Image credit: Future)

     

    Show process ID

     

    The "netstat -o" command shows active TCP connections like "netstat," but with the difference that adds a fifth column to display the Process ID (PID) for each connection. The processes available in this view are the same in the "Details" tab of Task Manager, which also reveals the application using the connection.

     

    UxWZtwHef39QRh3Vikw5mF-970-80.jpg

    (Image credit: Future)

     

    Show connections by Protocol

     

    The "netstat -p" can be used to display connections per protocol that you have to specify using "TCP," "UDP," "TCPv6," or "UDPv6" next to the command. For example, you can use the "netstat -p TCP" command to view a list of TCP connections.

     

    UGt8mpXSNKivjTk6NGSMpT-970-80.jpg

    (Image credit: Future)

     

    Show listening and non-listening ports

     

    The "netstat -q" commands can produce a list of all the connections with the listening and bound non-listening ports.

     

    k7PKnBwWKBPvoqRmHfZEJa-970-80.jpg

    (Image credit: Future)

     

    Show statistics by Protocol

     

    The "netstat -s" shows network statistics for the available protocols, including TCP, UDP, ICMP, and IP protocols (versions 4 and 6).

     

    EPGLwrmKok9sj2qdan6vJo-970-80.jpg

    (Image credit: Future)

     

    Show routing table

     

    The "netstat -r" command displays the current network routing table that lists the routes to destinations and matrics known by the device for IP version 4 and version 6 (if applicable). If the returned information looks familiar, it's because you can also output the data using the "route print" command.

     

    84zbRaLFhpkpx5SjjP5WbB-970-80.jpg

    (Image credit: Future)

     

    Show offload state connections

     

    The "netstat -t" command generates a list of the current connection offload state. The offload state refers to the TCP Chimney Offload, which is a feature that transfers the network workload from the processor to the network adapter during data transmissions. The "InHost" value indicates that offloading isn't enabled, and the "Offload" means that the feature is transferring the workload to the network adapter. (This feature is only present on supported network adapters.)

     

    iAny2Ys8caZVArRVcp6YvV-970-80.jpg

    (Image credit: Future)

     

    Show NetworkDirect connections

     

    The "netstat -x" is another supported command, and it produces a list of NetworkDirect connections, shared endpoints, and listeners.

     

    NetworkDirect is a specification for Remote Direct Memory Access (RDMA), which is a process that allows fast data transfers using the network adapter, freeing up the processor to perform other tasks. Usually, you'll never use this command unless you're using the Windows server version or a high-performance application with a network adapter that supports this feature.

     

    3D7RcuEikRHTXQBkFzKw4g-970-80.jpg

    (Image credit: Future)

     

    Show connection template

     

    The "netstat -y" command displays TCP connection templates for all connections.

     

    LFzK2q32yPvgshrnBTxE23-970-80.jpg

    (Image credit: Future)

    Combine parameters

    When using the "netstat" command, you can combine the parameters to display various information for many cases.

     

    For example, the "-e" parameter can also be used with the "-s" parameter to see statistics for each available protocol, and the "-o" parameter can be combined with "-a," "-n," and "-p" as necessary.

     

    LryEv7ECtQieQWgS7NBqaK-970-80.jpg

    (Image credit: Future)

     

    With the "netstat -p" command, you append the "s" parameter. You can display statistics from even more protocols, including "icmp," "ip," "icmpv6," and "ipv6."

     

    Also, when using more than one parameter, you can combine them with a single "-." For example, instead of writing the command "netstat -e -s," you can write it like this: "netstat -es."

     

    To see all the available parameters and additional help, you can always use the "netstat /?" command.

    Netstat search

    In addition to displaying all the available statistic information, you can also output only the certain details you need using these steps:

     

    1. Open Start.
    2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
    3. Type the following command to list all the connections that have the state set to LISTENING and press Enter: netstat -q | findstr STRING

     

    In the command, replace "STRING" for the information you want to list. Also, the findstr option is case-sensitive, which means you must enter the string you want to find with the exact casing. This example lists the connections set to "LISTENING:" netstat -q | findstr LISTENING

     

    This other example shows all the connections from a foreign server FQDN, in this case, Amazon: netstat -f | findstr amazon

     

    mxyd3BjpkWoq89i6AYhJPk-970-80.jpg

    (Image credit: Future)

     

    The "findstr" command isn't part of the netstat tool. It's a simple command to search for a text string in a file, but you can use it with many of the options for this tool to make more sense of the information you're viewing.

     

    The tool is not exclusive to Windows, as it's also available across platforms, including Linux and macOS. Even though the parameters and syntax may be different, they all are very similar.

     

    Source

    • Thanks 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...