Using Netstat Command

Dennis Foote - Systems Engineer

Netstat can be used to find out various things about what’s going on with your connections to the internet or your network behind the scenes of your OS. I have used Netstat to find things like malware intrusions accessing a network connection, ports being used by IP address, and dropped packets over the network (which can be a good way of detecting failing or failed hardware). Below I will list some of the common commands that I use and what their purposes are.

Netstat -n     This will list connections and the ports they are currently using, with addresses and port numbers shown in numerical form.

Netstat -s     This will list statistics about your packet transactions.

Netstat -s -s  This can be an easier way of viewing Netstat -s because it will remove anything with the value 0 in the list.

Netstat -f     This will show you a list of all domains to which you are currently connected, whether it’s your ISP, an internet web page, your VPN connection, or your current office connection.

Netstat -b     This displays the executable involved in creating each connection or listening port. In some cases, well-known executables host multiple independent components and, in these cases, the sequence of components involved in creating the connection or listening port is displayed. The executable name is shown in [ xxxx ] at the bottom, above it is the component it called, and so forth until TCP/IP is reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
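The following Python example is added here and is not from the original article: it parses output in the layout described for Netstat -b and lists established connections whose owning executable is missing or not on an allowlist. The sample output, the executable names and the allowlist are constructed for illustration, and the line layout is assumed to match what Windows prints for Netstat -b -n.

```python
import re

# Constructed sample in the assumed "netstat -b -n" layout (documentation IP ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
 [chrome.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49801     198.51.100.23:8080     ESTABLISHED
 [updater32.exe]
  TCP    192.168.1.10:49805     203.0.113.77:443       ESTABLISHED
 Can not obtain ownership information
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Return one dict per connection with its owning executable and components."""
    conns, cur = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:  # a new connection row; owner lines follow it
            cur = {"proto": m.group(1), "local": m.group(2), "remote": m.group(3),
                   "state": m.group(4) or "", "components": [], "exe": None}
            conns.append(cur)
        elif cur is not None and line.strip():
            e = EXE.match(line)
            if e:  # bracketed executable name closes the owner block
                cur["exe"] = e.group(1).lower()
            elif "ownership information" not in line:  # hosted component name
                cur["components"].append(line.strip())
    return conns

def review(conns, allowed):
    """Established connections whose owner is unknown or not in the allowlist."""
    return [c for c in conns if c["state"] == "ESTABLISHED"
            and (c["exe"] is None or c["exe"] not in allowed)]

if __name__ == "__main__":
    for c in review(parse_netstat_b(SAMPLE), {"chrome.exe", "svchost.exe"}):
        print(c["remote"], c["exe"] or "<owner unknown>")
```

A connection reported without an owner usually means the command was run without sufficient permissions, so rerun it from an elevated prompt before treating that row as suspicious.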

These are the most common Netstat commands for me. I use them as tools to understand what’s going on with a network so I have a good basis to make an effective diagnosis. I suggest reading up on Netstat to find the different commands that may work for you.