NETSTAT Utility — Explained

Taiwo Amao
6 min read · Jun 25, 2021


Hello everyone. The subject of my conversation is a very powerful utility known as NETSTAT. NETSTAT is short for network statistics. It is a command-line tool that displays the current network connections and port activity on your computer. It’s a useful tool that you can use to see which services may be running on your computer or server and which ports are open. Now, netstat is available on various operating systems, but some of the options may be a little bit different. In my example, I’m going to be demonstrating on a Windows computer. So at a command prompt, you type in the word netstat, and then you press Enter.

So right now our computer is not connected to anything, which is why the output is blank. But if our computer was connected to other hosts, it would show us the protocol that’s being used, the local address, the foreign address, and the state of the connection. So let’s go ahead and have our computer connect to a couple of websites such as yahoo.com and example.com, and then we’ll also connect to an FTP server. And then we’ll connect to a couple of local computers in our home. So now if we run the netstat command again, we’ll see some activity in the output.

So here we see that TCP is the protocol that’s being used. And here we see the local IP address of the computer, along with the port number that’s being used for that particular connection. And here we see the two IP addresses of the websites that our computer is connected to, along with the port names, because HTTP is the protocol for websites. And we also see the FTP site that we’re connected to. And then finally, we see the two computers in our home.

Netstat can be combined with subcommands or switches to alter the output. So for example, if we do a netstat with a minus n switch (netstat -n), it’ll show the same output as netstat, but it will show only numbers and not names. So for example, on the left side of the screen, let’s do the same netstat command again, all by itself. And if you notice, the output is not instant; it comes in slowly, line by line. Now the reason for this is that it’s using DNS to resolve numbers to names, and it takes some time to do this. So as you can see, it’s showing the names of the computers that our computer is connected to, along with the names of the ports. But over here on the right side of the screen, if we do a netstat with a minus n switch, the output is very fast. In fact, it’s instant. And this is because it doesn’t use DNS to resolve numbers to names; it only shows numbers. So as you can see, instead of showing the names of the computers, it only shows their IP addresses. And the same thing goes for the ports: it only shows the port numbers and not the port names.

Now another option is netstat with a minus a switch (netstat -a). This is going to show us a little bit more. So not only is it going to show our current connections, but it’s also going to show us which TCP and UDP ports are listening for a connection. So on the top, we see the TCP ports, and towards the bottom, we see the UDP ports. The IP address of all zeros is our computer. And the reason why it’s all zeros is that the port is not listening on a specific IP address. It’s listening on all available IP addresses on all network interfaces. And because the local IP address is all zeros, what appears in the foreign address column as the other end of the connection is actually our own computer.

So you can see that our computer is named my PC. And here we see the port numbers that are open on our computer, which are either listening for a connection or have already established a connection. In the top section, we see the IPv4 addresses, and at the bottom we see the IPv6 addresses. Now if you wanted to see which program is being used to make these connections, you can use our next command, which is netstat minus b (netstat -b).

So now if we look at the output, we see that the two website connections are made by Google Chrome, indicated by chrome.exe, and the FTP connection is using FileZilla, which is a very popular FTP application.

And the next command is netstat minus f (netstat -f). Now, this command shows the fully qualified domain names of the addresses that we’re connected to. So here we can clearly see the Yahoo and example websites and the FTP server that our computer is connected to.

You don’t have to use these switches all by themselves. You can actually combine them to get the output that you desire.

So for example, let’s combine the last two switches that we just used. So let’s do netstat minus b, f (netstat -bf). In the output, we see the program that’s being used, from the b switch. And we can also see the fully qualified domain names, from the f switch. Or, in another example, let’s do netstat with a minus a, n switch (netstat -an).

And in the output, we see the current active connections and which ports are listening for a connection, from using the a switch. And we also see that the output is instant because it’s only showing numbers and not names, which comes from the n switch.
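As an added example (not part of the original article), this Python sketch parses Windows `netstat -an` output and groups the listening ports by whether they are bound to the all-zeros address, to loopback, or to one specific address. The sample output and all addresses in it are constructed, and the function names are hypothetical.

```python
# Constructed sample of Windows `netstat -an` output; all addresses are illustrative.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.10:80        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
  UDP    [::1]:1900             *:*
"""

WILDCARD = {"0.0.0.0", "[::]"}   # all zeros: bound on every interface
LOOPBACK = {"127.0.0.1", "[::1]"}

def parse_netstat(text):
    """Return one dict per TCP/UDP row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        # Split on the last colon so a bracketed IPv6 address stays intact.
        addr, _, port = fields[1].rpartition(":")
        rows.append({
            "proto": fields[0], "addr": addr, "port": int(port),
            "foreign": fields[2],
            # UDP is connectionless, so netstat prints no State for it.
            "state": fields[3] if len(fields) > 3 else "",
        })
    return rows

def listeners_by_scope(rows):
    """Group listening sockets (TCP LISTENING, or any bound UDP) by bind scope."""
    scopes = {"all-interfaces": [], "loopback": [], "specific": []}
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            scope = ("all-interfaces" if r["addr"] in WILDCARD
                     else "loopback" if r["addr"] in LOOPBACK else "specific")
            scopes[scope].append((r["proto"], r["port"]))
    return scopes

if __name__ == "__main__":
    for scope, socks in listeners_by_scope(parse_netstat(SAMPLE)).items():
        print(scope, sorted(set(socks)))
```

The "all-interfaces" group is the one to review first when auditing a host, since those ports accept connections on every network the machine is attached to.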

Now if you wanted to see the full list of switches that are available with netstat, just type netstat and a question mark (netstat ?), and then it will show you what’s available.
