Netstat
Encyclopedia
netstat is a command-line tool
that displays network connections
(both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix
, Unix-like
, and Windows NT
-based operating systems.
It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.
-a : Displays all active connections and the TCP and UDP ports on which the computer is listening.
-b : Displays the binary (executable) program's name involved in creating each connection or listening port. (Windows XP, 2003 Server and newer Windows operating systems (not Microsoft Windows 2000 or other non-Windows operating systems)) On Mac OS X when combined with -i, the total number of bytes of traffic will be reported.
-e : Displays ethernet
statistics, such as the number of byte
s and packets sent and received. This parameter can be combined with -s.
-f : Displays fully qualified domain names <FQDN
> for foreign addresses (only available on Windows Vista and newer operating systems).
-g : Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems)
-i : Displays network interfaces and their statistics (not available under Windows)
-m : Displays the STREAMS statistics.
-n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
-o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. This parameter is available on Microsoft Windows XP, 2003 Server (and Windows 2000 if a hotfix is applied).
-p Windows and BSD: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-p Linux: Process : Show which processes are using which sockets (similar to -b under Windows) (you must be root to do this)
-P Solaris: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be ip, ipv6, icmp, icmpv6, igmp, udp, tcp, or rawip.
-r : Displays the contents of the IP routing table
. (This is equivalent to the route print command under Windows.)
-s : Displays statistics by protocol. By default, statistics are shown for the TCP
, UDP
, ICMP
, and IP
protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6
, UDP over IPv6, ICMPv6
, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-t Linux: Displays only TCP connections.
-v : When used in conjunction with -b it will display the sequence of components involved in creating the connection or listening port for all executables.
Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.
-h (unix) /? (windows): Displays help at the command prompt.
To display active TCP connections and the process IDs every 5 seconds, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):
Mac OS X version
To display active TCP connections and the process IDs using numerical form, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):
To display all ports open by a process with id pid
, raw data can often be obtained from the /proc/net/dev to work around the printf
output corruption arising in netstat's network interface statistics summary,
On the Windows
platform, netstat information can be retrieved by calling the GetTcpTable and GetUdpTable functions in the IP Helper API
, or IPHLPAPI.DLL. Information returned includes local and remote IP address
es, local and remote ports, and (for GetTcpTable) TCP
status codes. In addition to the command-line netstat.exe tool that ships with Windows, GUI
-based netstat programs are available.
On the Windows platform, this command is available only if the Internet Protocol (TCP
/IP
) protocol is installed as a component in the properties of a network adapter in Network Connections.
On Mac OS X
10.5, the above option "-o" is not available. With Mac OS X
10.5, the /Applications/Utilities folder contains a network utility called: Network Utility
, see tab Netstat for these stats presented in a gui application, along with Ping, Lookup, Traceroute, Whois, Finger and Port Scan.
Computer software
Computer software, or just software, is a collection of computer programs and related data that provide the instructions for telling a computer what to do and how to do it....
that displays network connections
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
(both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
, Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
, and Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
-based operating systems.
It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.
Parameters
Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/).-a : Displays all active connections and the TCP and UDP ports on which the computer is listening.
-b : Displays the binary (executable) program's name involved in creating each connection or listening port. (Windows XP, 2003 Server and newer Windows operating systems (not Microsoft Windows 2000 or other non-Windows operating systems)) On Mac OS X when combined with -i, the total number of bytes of traffic will be reported.
-e : Displays ethernet
Ethernet
Ethernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
statistics, such as the number of byte
Byte
The byte is a unit of digital information in computing and telecommunications that most commonly consists of eight bits. Historically, a byte was the number of bits used to encode a single character of text in a computer and for this reason it is the basic addressable element in many computer...
s and packets sent and received. This parameter can be combined with -s.
-f : Displays fully qualified domain names <FQDN
FQDN
A fully qualified domain name , sometimes also referred as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System . It specifies all domain levels, including the top-level domain and the root domain...
> for foreign addresses (only available on Windows Vista and newer operating systems).
-g : Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems)
-i : Displays network interfaces and their statistics (not available under Windows)
-m : Displays the STREAMS statistics.
-n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
-o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. This parameter is available on Microsoft Windows XP, 2003 Server (and Windows 2000 if a hotfix is applied).
-p Windows and BSD: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-p Linux: Process : Show which processes are using which sockets (similar to -b under Windows) (you must be root to do this)
-P Solaris: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be ip, ipv6, icmp, icmpv6, igmp, udp, tcp, or rawip.
-r : Displays the contents of the IP routing table
Routing table
In computer networking a routing table, or Routing Information Base , is a data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics associated with those routes. The routing table contains information about the...
. (This is equivalent to the route print command under Windows.)
-s : Displays statistics by protocol. By default, statistics are shown for the TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
, UDP
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
, ICMP
Internet Control Message Protocol
The Internet Control Message Protocol is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be...
, and IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
, UDP over IPv6, ICMPv6
ICMPv6
Internet Control Message Protocol version 6 is the implementation of the Internet Control Message Protocol for Internet Protocol version 6 defined in RFC 4443...
, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-t Linux: Displays only TCP connections.
-v : When used in conjunction with -b it will display the sequence of components involved in creating the connection or listening port for all executables.
Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.
-h (unix) /? (windows): Displays help at the command prompt.
Statistics provided
Netstat provides statistics for the following:- Proto - The name of the protocol (TCPTransmission Control ProtocolThe Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
or UDPUser Datagram ProtocolThe User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
).
- Local Address - The IPInternet ProtocolThe Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
address of the local computer and the port number being used. The name of the local computer that corresponds to the IPInternet ProtocolThe Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- Foreign Address - The IPInternet ProtocolThe Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
address and port number of the remote computer to which the socket is connected. The names that corresponds to the IPInternet ProtocolThe Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- State - Indicates the state of a TCPTransmission Control ProtocolThe Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection, see RFC 793.
Examples
To display the statistics for only the TCP or UDP protocols, type one of the following commands:netstat -sp tcpnetstat -sp udpTo display active TCP connections and the process IDs every 5 seconds, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):
netstat -o 5Mac OS X version
netstat -w 5To display active TCP connections and the process IDs using numerical form, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):
netstat -noTo display all ports open by a process with id pid
netstat -ao | grep "pid"Caveats
Some versions ofnetstat lack explicit field delimiters in their printf-generated output, leading to numeric fields running together and thus corrupting the output data.Platform specific remarks
Under LinuxLinux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
, raw data can often be obtained from the /proc/net/dev to work around the printf
Printf
Printf format string refers to a control parameter used by a class of functions typically associated with some types of programming languages. The format string specifies a method for rendering an arbitrary number of varied data type parameter into a string...
output corruption arising in netstat's network interface statistics summary,
netstat -i, until such time as the problem is corrected.On the Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
platform, netstat information can be retrieved by calling the GetTcpTable and GetUdpTable functions in the IP Helper API
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...
, or IPHLPAPI.DLL. Information returned includes local and remote IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
es, local and remote ports, and (for GetTcpTable) TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
status codes. In addition to the command-line netstat.exe tool that ships with Windows, GUI
Graphical user interface
In computing, a graphical user interface is a type of user interface that allows users to interact with electronic devices with images rather than text commands. GUIs can be used in computers, hand-held devices such as MP3 players, portable media players or gaming devices, household appliances and...
-based netstat programs are available.
On the Windows platform, this command is available only if the Internet Protocol (TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
/IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
) protocol is installed as a component in the properties of a network adapter in Network Connections.
On Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
10.5, the above option "-o" is not available. With Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
10.5, the /Applications/Utilities folder contains a network utility called: Network Utility
Network Utility
Network Utility is an application included with Mac OS X that provides a variety of computer network information. It is located at /Applications/Utilities/Network Utility.app.-Services:* Network interfaces* Netstat* AppleTalk* ping* Lookup* Traceroute...
, see tab Netstat for these stats presented in a gui application, along with Ping, Lookup, Traceroute, Whois, Finger and Port Scan.
See also
- ssIproute2iproute2 is a collection of utilities for controllingTCP and UDP IP networking and traffic control in Linux, in both IPv4 and IPv6 networks. It is currently maintained by Stephen Hemminger...
, a utility to investigate sockets from iproute2Iproute2iproute2 is a collection of utilities for controllingTCP and UDP IP networking and traffic control in Linux, in both IPv4 and IPv6 networks. It is currently maintained by Stephen Hemminger...
meant to replace netstat - lsof -iLsoflsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them. This open source utility was developed and supported by Vic Abell, the retired Associate Director of the Purdue University Computing Center...
- tc (command)
External links
- Net-Tool project page on berliOS
- Ports & Services Database
- Microsoft TechNet Netstat article – documentation for the netstat.exe command-line program.
- The netstat Command (Linux) – a guide to using the netstat command in Linux.
- Security Now #49 - The NETSTAT Command – podcast guide to netstat from Security Now!.
- From linux-ip.net More complete description of some aspects of the output.
- MyLanViewer network scanner / IP scanner - displays netstat (Win32).