NETSTAT.exe

Display current TCP/IP network connections and protocol statistics.

Syntax
      NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-s] [-t] [-x] [interval]

      NETSTAT [-a] [-f] [-p protocol] [interval] -y

      NETSTAT [-r] [interval]

Options

   interval  Redisplay statistics, pausing interval seconds between each display.
            (default=once only) Press CTRL+C to stop. 

   -a   Display All connections and listening ports.

   -b   Displays the executable filename involved in creating each connection or
        listening port*.

   -e   Display Ethernet statistics. (may be combined with -s).

   -f   Display Fully Qualified Domain Names (FQDN) for foreign addresses.

   -n   Display addresses and port numbers in Numerical form.

   -o   Display the Owning process ID associated with each connection.

   -p protocol
        Show only connections for the protocol specified; 
        can be any of: TCP, TCPv6, UDP or UDPv6.  
        If used with the -s option then the following protocols
        can also be specified: IP, IPv6, ICMP,or ICMPv6. 

   -q   Display all connections, listening ports, and bound nonlistening TCP ports.
        Bound nonlistening ports may or may not be associated with an active connection.

   -r   Display the routing table.

   -s   Display per-protocol statistics.  By default, statistics are
        shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
        The -p option can be used to display just a subset of these.

   -t   Display the current connection offload state.

   -v   Verbose - use in conjunction with -b, to display the sequence of
        components involved for all executables.

   -x   Display NetworkDirect connections, listeners, and shared endpoints.

   -y   Display the TCP connection template for all connections.
        Cannot be combined with the options -b -e -n -o -r -s or -t.

* Where available this will display the sequence of components involved in creating the connection or listening port. (Typically well-known executables which host multiple independent components.) This option will display the executable name in [ ] at the bottom, with the component it called on top, repeated until TCP/IP is reached. The -b option can be time-consuming and will fail unless you have sufficient permission [elevation].

Examples

Display all connections and listening ports and repeat the scan after a delay of 30 seconds, repeating until CTRL-C is pressed:

NETSTAT -a 30

Display the executable filename and process Owning process ID:

NETSTAT -b -o

This output can be compared with TASKLIST -FI "PID eq 1234" where 1234 is the PID.

“Once you're on the network, you can do a command called NetStat - Network Status - and it lists all the connections to that machine. There were hackers from Denmark, Italy, Germany, Turkey, Thailand ...” ~ Gary McKinnon

Related commands

BROWSTAT - Get domain, browser and PDC info.
ROUTE - Manipulate network routing tables.
PATHPING - IP trace utility.
PING - Test a network connection.
TASKLIST - Display running applications and services.
Equivalent bash command (Linux): netstat
Equivalent PowerShell: Get-NetStat (module) , Get-NetTCPConnection

 
© BACK 2 Rank aka Tracer
"Lameness is not a reason for suicide but posing with eliteness is a reason for murders"