IP Network - netstat




netstat is used mainly to figure out what kind of socket application is running and which port is assigned to each of those application.



C:\>netstat -?


Displays protocol statistics and current TCP/IP network connections.


NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]


  -a            Displays all connections and listening ports.

  -b            Displays the executable involved in creating each connection or

                listening port. In some cases well-known executables host

                multiple independent components, and in these cases the

                sequence of components involved in creating the connection

                or listening port is displayed. In this case the executable

                name is in [] at the bottom, on top is the component it called,

                and so forth until TCP/IP was reached. Note that this option

                can be time-consuming and will fail unless you have sufficient


  -e            Displays Ethernet statistics. This may be combined with the -s


  -f            Displays Fully Qualified Domain Names (FQDN) for foreign


  -n            Displays addresses and port numbers in numerical form.

  -o            Displays the owning process ID associated with each connection.

  -p proto      Shows connections for the protocol specified by proto; proto

                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s

                option to display per-protocol statistics, proto may be any of:

                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

  -r            Displays the routing table.

  -s            Displays per-protocol statistics.  By default, statistics are

                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;

                the -p option may be used to specify a subset of the default.

  -t            Displays the current connection offload state.

  interval      Redisplays selected statistics, pausing interval seconds

                between each display.  Press CTRL+C to stop redisplaying

                statistics.  If omitted, netstat will print the current

                configuration information once..



Example 1: -------------------------------------------------------------


C:\>netstat -af


Active Connections


  Proto  Local Address          Foreign Address        State


  TCP     server1103.teamviewer.com:5938  ESTABLISHED




Example 2: -------------------------------------------------------------


C:\>netstat -aof


Active Connections


  Proto  Local Address          Foreign Address                     State          PID

  TCP     server1103.teamviewer.com:5938  ESTABLISHED        2884

  TCP                 ESTABLISHED        8320

  TCP                  TIME_WAIT        0

  TCP                  TIME_WAIT        0

  TCP                  TIME_WAIT        0

  TCP                  TIME_WAIT        0



Example 3: -------------------------------------------------------------


C:\>netstat -aof



C:\>netstat -aof


Active Connections


  Proto  Local Address          Foreign Address        State           PID


  TCP    [::]:21                SN6201142744:0         LISTENING       1552 <--ftp server

  TCP    [::]:80                SN6201142744:0         LISTENING       4    <--http server

  UDP         *:*                                    4272 <--dns server

  UDP       *:*                                    4272 <--IMS CSCF

  UDP    [2001:0:0:1::2]:53     *:*                                    4272 <--dns server

  UDP    [2001:0:0:1::2]:5060   *:*                                    4272 <--IMS CSCF