Netstat | Windows Command

Apr 18, 2011

Netstat displays the TCP/IP network protocol statistics

Netstat is a command line tool that displays active TCP connections and the ports on which the computer is listening. It also displays the routing tables and a number of network interface statistics. It can be used to troubleshoot network issues and application issues and to measure network performance. Netstat is a native command in Windows and does not require anything to be installed or downloaded to run. At the end of this article you will find examples, syntax and status codes for the Netstat command.

Common uses of the Netstat Command

The most common use of Netstat is to get a quick overview of the active ports on a machine and the status of those ports. This helps you troubleshoot application or network issues on the computer by identifying which ports are open, closed or listening for incoming connections. For example, if you are having issues with Microsoft Outlook sending and receiving emails, you could use the Netstat command to see whether your computer is making a connection to the mail server and, if it is, the state of that connection.

Some applications or services may need to run on a specific port or listen for incoming traffic on certain ports. If two or more services are trying to use the same port, this can cause issues and result in the application not working properly. Netstat lets you view which ports are open and verify whether two services or applications are trying to run on the same port.

Netstat can also be used to check for common attacks that may have infected your computer. Exploits often use ports such as 139, FTP (21) and Telnet (23) to obtain information from your computer or send malicious data down to your PC. You can use the netstat command to look for these open ports and to identify unwanted or unknown connections.
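
The check described above can be automated. The following Python is an added example, not code from the original article: it parses saved output of netstat -a -n -o and reports listeners and established connections on the ports named above (139, 21 and 23) together with the owning PID. The sample output, addresses and PIDs are constructed, and the function names are this example's own.

```python
# Added example: flag the ports the article names in `netstat -a -n -o` output.
WATCHED_PORTS = {21: "ftp", 23: "telnet", 139: "netbios-ssn"}

# Constructed sample output (documentation addresses, made-up PIDs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:21           0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.10:23        198.51.100.7:51123     ESTABLISHED     3172
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4321
  TCP    192.168.1.10:49800     203.0.113.9:21         ESTABLISHED     5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1234
"""

def split_endpoint(endpoint):
    """Split '10.0.0.5:139', '[::]:445' or '*:*' into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[0], split_endpoint(f[1]), split_endpoint(f[2]), f[3], int(f[4])
        elif len(f) == 4 and f[0] == "UDP":      # UDP rows have no State column
            yield f[0], split_endpoint(f[1]), split_endpoint(f[2]), "", int(f[3])

def watched_port_findings(text):
    """Return (kind, port, service, pid, peer) tuples worth a closer look."""
    found = []
    for proto, (lhost, lport), (rhost, rport), state, pid in parse_netstat(text):
        if proto != "TCP":
            continue
        if state == "LISTENING" and lport in WATCHED_PORTS:
            # A listener bound only to loopback is not reachable from the network.
            if not (lhost.startswith("127.") or lhost == "::1"):
                found.append(("listening", lport, WATCHED_PORTS[lport], pid, lhost))
        elif state == "ESTABLISHED":
            if lport in WATCHED_PORTS:
                found.append(("inbound", lport, WATCHED_PORTS[lport], pid, rhost))
            elif rport in WATCHED_PORTS:
                found.append(("outbound", rport, WATCHED_PORTS[rport], pid, rhost))
    return found

if __name__ == "__main__":
    for finding in watched_port_findings(SAMPLE):
        print(finding)
```

On a live machine, pass the captured text of netstat -a -n -o to watched_port_findings instead of SAMPLE, then look up each reported PID on the Processes tab in Windows Task Manager.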

Netstat is a command line tool. To start using Netstat, click Start -> Run -> CMD and hit Enter. This will bring you to the command prompt; from here, type in netstat and hit Enter.

Netstat Examples

1.    To see who is connected to the computer being used and the systems it is connected to, type in the following command at the prompt: netstat -a

2.    To display both the Ethernet statistics and the statistics for all protocols, type in the following command at the prompt: netstat -e -s

3.    To display the statistics for only the TCP and UDP protocols, type in the following command at the prompt: netstat -s -p tcp udp

4.    To display active TCP connections and the process IDs every 5 seconds, type the following command at the prompt: netstat -o 5

5.    To display active TCP connections and the process IDs using numerical form, type the following command at the prompt: netstat -n -o

Netstat Syntax

netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

Netstat Parameters

-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-e : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

-n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

-o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

-p Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.

-s : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.

-r : Displays the contents of the IP routing table. This is equivalent to the route print command.

Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

/? : Displays help at the command prompt.

Netstat TCP States

TCP states as per RFC 793:

CLOSE_WAIT – waiting for connection termination request from the local user.
CLOSED – (this is a fictional state and is used to show when a connection no longer exists)
ESTABLISHED – a TCP session is established and data can be transferred.
FIN_WAIT_1 – waiting for confirmation of a previously sent termination request.
FIN_WAIT_2 – waiting for a connection termination request from the remote host.
LAST_ACK – waiting for confirmation of a previously sent termination request.
LISTEN – the computer is accepting connections and is waiting for a remote connection.
SYN_RECEIVED – connection requests have been received in both directions and the computer is now waiting for a connection request confirmation to complete the session establishment.
SYN_SEND – waiting for a matching connection request in response to an outgoing connection request.
TIMED_WAIT – forced delay to ensure the remote host has received acknowledgement for a termination request.