terminal Network Tools

Netstat: Network Connections & Statistics

schedule 10 min read update Updated Jan 2026

Netstat (network statistics) is a command-line tool that displays network connections, routing tables, interface statistics, and more. It's essential for monitoring what's happening on your network, finding open ports, identifying active connections, and troubleshooting network issues.

list In This Article

Basic Usage

The basic netstat command shows all active connections:

# Show all connections (all platforms)
netstat

# Show all connections with addresses as numbers (no DNS lookup)
netstat -n

# Common combination: all connections, numeric, with process info
# Windows:
netstat -ano

# Linux/macOS:
netstat -anp    # Requires root for process info on Linux
sudo netstat -anp
info Note on Linux

On modern Linux distributions, netstat may not be installed by default. It's part of the net-tools package. Consider using ss instead, which is the modern replacement.

Viewing Active Connections

Windows

# All connections with process IDs
netstat -ano

# All connections with process names (requires admin)
netstat -anob

# TCP connections only
netstat -ant

# UDP connections only
netstat -anu

# Continuous monitoring (refresh every 5 seconds)
netstat -ano 5

macOS

# All connections
netstat -an

# TCP connections only
netstat -an -p tcp

# UDP connections only
netstat -an -p udp

# Show process IDs (requires root)
sudo lsof -i -n -P

Linux

# All connections with process info
sudo netstat -anp

# TCP connections only
netstat -ant

# UDP connections only
netstat -anu

# Show listening and established
netstat -antp

Sample Output

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:22        192.168.1.50:52341      ESTABLISHED
tcp        0      0 192.168.1.100:443       203.0.113.50:41234      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*

Finding Listening Ports

One of the most common uses of netstat is finding which ports are open and what's listening on them:

Windows

# Show listening ports with process IDs
netstat -ano | findstr LISTENING

# Find what's using port 80
netstat -ano | findstr :80

# Get process name from PID (replace 1234 with actual PID)
tasklist /fi "PID eq 1234"

macOS

# Show listening ports
netstat -an | grep LISTEN

# Find what's using port 80
sudo lsof -i :80

# Alternative using netstat
netstat -an | grep "\.80 "

Linux

# Show listening ports with process info
sudo netstat -tlnp

# Breakdown:
# -t = TCP only
# -l = Listening only
# -n = Numeric (don't resolve names)
# -p = Show process

# Find what's using port 80
sudo netstat -tlnp | grep :80

# Or use ss (modern replacement)
sudo ss -tlnp | grep :80
lightbulb Quick Port Check

To quickly find what's listening on a specific port across all platforms, use: netstat -an | grep LISTEN | grep :PORT (replace PORT with the port number).

Understanding Connection States

TCP connections go through various states. Understanding these helps diagnose issues:

State Description
LISTEN Server waiting for incoming connections
ESTABLISHED Active connection, data can flow
SYN_SENT Client sent connection request, waiting for response
SYN_RECEIVED Server received request, sent acknowledgment
FIN_WAIT_1 Connection closing, waiting for acknowledgment
FIN_WAIT_2 Connection closing, waiting for remote to close
TIME_WAIT Closed but waiting to ensure remote received closure
CLOSE_WAIT Remote closed, waiting for local application to close
CLOSED Connection fully terminated

Warning Signs

Viewing Routing Table

Netstat can display your system's routing table, showing how traffic is directed:

# Windows
netstat -r

# macOS
netstat -rn

# Linux
netstat -rn
# Or modern alternative:
ip route

Sample output:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
Field Description
Destination Target network (0.0.0.0 = default route)
Gateway Next hop router (0.0.0.0 = directly connected)
Genmask Subnet mask
Flags U=Up, G=Gateway, H=Host
Iface Network interface used

Common Options Reference

Option Windows Linux macOS Description
All connections -a -a -a Show all connections
Numeric -n -n -n Don't resolve names
Process ID -o -p Use lsof Show process info
TCP only -p tcp -t -p tcp TCP connections only
UDP only -p udp -u -p udp UDP connections only
Listening Filter output -l Filter output Listening ports only
Routing table -r -r -r Show routing table
Statistics -s -s -s Protocol statistics

Modern Alternatives

On Linux, the ss (socket statistics) command is the modern replacement for netstat:

# Equivalent to netstat -tlnp
ss -tlnp

# Equivalent to netstat -an
ss -an

# Show TCP connections
ss -t

# Show all sockets with process info
ss -ap

# Filter by state
ss state established

# Filter by port
ss -tn dport = :443
info Why ss?

The ss command is faster than netstat because it gets information directly from kernel space instead of reading /proc files. It's the recommended tool on modern Linux systems.

Troubleshooting Scenarios

Find What's Using a Port

# Windows: Find process using port 8080
netstat -ano | findstr :8080
# Then get process name:
tasklist /fi "PID eq [PID]"

# Linux: One command
sudo netstat -tlnp | grep :8080
# Or with ss:
sudo ss -tlnp | grep :8080

# macOS:
sudo lsof -i :8080

Check if Service is Listening

# Verify web server is listening on port 80
netstat -an | grep ":80.*LISTEN"

# Check if database is accessible
netstat -an | grep ":5432.*LISTEN"  # PostgreSQL
netstat -an | grep ":3306.*LISTEN"  # MySQL

Monitor Connection Count

# Count connections to your web server
netstat -an | grep ":80.*ESTABLISHED" | wc -l

# Count connections per IP
netstat -an | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head

Detect Suspicious Activity

# Look for unusual outgoing connections
netstat -an | grep ESTABLISHED | grep -v "127.0.0.1\|192.168\|10\."

# Check for connections to suspicious ports
netstat -an | grep -E ":4444|:5555|:6666"

# High number of connections from single IP (potential attack)
netstat -an | grep SYN_RECEIVED | wc -l
warning Security Note

Regularly check for unexpected listening ports. Unknown services listening on your system could indicate malware or unauthorized software. Compare against a known-good baseline.

Debug "Address Already in Use" Error

# Find what's using the port you need
# Windows:
netstat -ano | findstr :3000

# Linux:
sudo ss -tlnp | grep :3000
# Or: sudo fuser 3000/tcp

# macOS:
lsof -i :3000

# Kill the process if needed (Linux/macOS)
sudo kill -9 [PID]

# Or on Linux, kill by port:
sudo fuser -k 3000/tcp

Check Your Network Configuration

Use our tools to analyze your IP address and network setup.

network_check Network Analysis

Related Articles

Ping Command

Test connectivity to remote hosts.

Traceroute Command

Trace the path packets take across the network.

NSLookup Command

Query DNS servers for domain information.