Specifically, it can show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues.
Netstat Command Availability
This command is available from within the Command Prompt in most versions of Windows, including Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server operating systems, and some older versions of Windows, too. Netstat is a cross-platform command, which means it’s also available in other operating systems like macOS and Linux.
Netstat Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Show Active TCP Connections
In this first example, we execute netstat to show all active TCP connections. However, we want to see the computers that we’re connected to in FQDN format [-f] instead of a simple IP address. Here’s an example of what you might see: As you can see, there were 11 active TCP connections at the time netstat was executed in this example. The only protocol (in the Proto column) listed is TCP, which was expected because we didn’t use -a. You can also see three sets of IP addresses in the Local Address column—the actual IP address of 192.168.1.14 and both IPv4 and IPv6 versions of the loopback addresses, along with the port each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn’t resolve for some reason) along with that port as well. Finally, the State column lists the TCP state of that particular connection.
Show Connections and Process Identifiers
In this example, netstat will be run normally so it only shows active TCP connections, but we also want to see the corresponding process identifier [-o] for each connection so that we can determine which program on the computer initiated each one. Here’s what the computer displayed: You probably noticed the new PID column. In this case, the PIDs are all the same, meaning that the same program on the computer opened these connections. To determine what program is represented by the PID of 2948 on the computer, all you have to do is open Task Manager, select the Processes tab, and note the Image Name listed next to the PID we’re looking for in the PID column.1 Using the netstat command with the -o option can be very helpful when tracking down which program is using too big a share of your bandwidth. It can also help locate the destination where some kind of malware, or even an otherwise legitimate piece of software, might be sending information without your permission.
Show Specific Connections Only
The above example is similar to what we’ve already looked at, but instead of displaying all connections, we’re telling the netstat command to show only the connections that are using a specific PID, 28604 in this example. A similar command could be used to filter out the connections with a CLOSE_WAIT state, by replacing the PID with ESTABLISHED.
Show Protocol-Specific Stats
In this example, we want to see protocol specific statistics [-s] but not all of them, just TCP stats [-p tcp]. We also want the foreign addresses displayed in FQDN format [-f]. This is what the netstat command, as shown above, produced on the example computer: As you can see, various statistics for the TCP protocol are displayed, as are all active TCP connections at the time.
Show Updated Network Stats
In this final example, netstat command is executed to show some basic network interface statistics [-e] and so that these statistics continually updated in the command window every five seconds [-t 5]. Here’s what’s produced on screen: Various pieces of information, which you can see here and that we listed in the -e syntax above, are displayed. The netstat command only automatically executed one extra time, as you can see by the two tables in the result. Note the ^C at the bottom, indicating that the Ctrl+C abort command was used to stop the re-running of the command.
Netstat Related Commands
The netstat command is often used with other networking related Command Prompt commands like nslookup, ping, tracert, ipconfig, and others. [1] You might have to manually add the PID column to Task Manager. You can do this by selecting PID after right-clicking the column headings in the Process tab. If you’re using Windows 7 or on older Windows OS, select the PID (Process Identifier) checkbox from View > Select Columns in Task Manager. You might also have to choose Show processes from all users from the bottom of the Processes tab if the PID you’re looking for isn’t listed.