

How to Troubleshoot Network Connections with Netstat Command



The Netstat command displays protocol statistics and current TCP/IP network connections. This utility can be used to display in-depth detail about protocol status and statistics for the different network interfaces, and to view the current listening ports and the routing table.

By default, Netstat lists the protocol type, local address and port information, remote address and port information, and current state.

The Local Address column refers to the local system and the ports on it that are being used as connection points to a remote system. The Foreign Address is displayed in the third column. It is the IP address and port number of the remote computer to which the socket is connected. Simply put, the local address is the IP address of your device, while the foreign address is the address of the device you are connected to. The State column displays the current status of TCP connections only. From the State column you can determine whether the connection is currently established or the application running on that port is in listening mode (waiting for a connection).

Below is a list of the available states and their explanations:

SYN_SEND: Indicates an active open.
SYN_RECEIVED: Server just received a SYN from the remote client.
ESTABLISHED: Client received SYN, and the connection is complete.
LISTEN: Server is waiting for a connection.
FIN_WAIT_1: Indicates an active close.
TIMED_WAIT: Clients enter this state after an active close.
CLOSE_WAIT: Indicates a passive close; the server has just received the first FIN from the client.
FIN_WAIT_2: Client just received acknowledgment of its first FIN from the server.
LAST_ACK: Server enters this state when it sends its own FIN.
CLOSED: Server received the ACK from the client, and the connection is closed.

Different types of statistics are available depending on the command-line switches used with Netstat. Because server connections are not displayed in the standard output, there is a switch to display all connections and listening ports. You can also display Ethernet statistics and per-protocol statistics. The routing table can also be displayed with this command. You can use the -n switch to display addresses and port numbers without resolving the names.


Netstat -n

By default, the information is displayed once. You can specify an interval in seconds appended to the end of the command to have the utility update itself. The following is an example of the command line:


Netstat -a 5

This command will display the active connections every five seconds. Press Ctrl + C to stop the program. This can be helpful when trying to actively monitor connections and their statistics.

In its standard output, Netstat does not display your computer's server connections and listening ports. This information might be necessary to understand whom the computer is communicating with and whether a port is open and ready to receive data. There are a number of malware infections that hackers can plant on systems that open ports so that the hacker can connect to the open port later and send malicious data to that port. It is important that you be able to identify whether a system has been hit with such a program, and the best way is to monitor the listening ports with Netstat. To view a list of listening ports, type the following command:


Netstat -a

Another available switch enables you to display the Ethernet interface statistics of your system. The information available with the -e switch includes the number of bytes received and sent, the number of discards and errors, and unknown protocols. By understanding what this information means, you can monitor the amount of traffic that is being used in communications. Since this option also displays errors, you can check here to see if communication-related problems are occurring.


Netstat -e

Newer versions of Windows support the -o switch with Netstat to display the process ID (PID) number of the program that is responsible for opening the port. This is very useful when you are trying to close down open ports and need to know which program opened the port, so you know which program to end.


Netstat -o

Once you know the process ID number, you can then use the Windows Tasklist command or Task Manager to display which executable is associated with that process ID.

With the -b switch, Netstat displays the executable involved in creating each connection or listening port.
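The listening-port check described above can be automated by combining the -a, -n and -o switches. The following Python script is an added example, not part of the original tutorial: it parses netstat -ano output and reports every listener that is not in a baseline of expected ports, together with its PID. The sample output, the BASELINE set and the function names are constructed for illustration; Windows prints the listening state as LISTENING, so the parser accepts both LISTEN and LISTENING.

```python
import subprocess

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
  TCP    192.168.1.20:50512     203.0.113.10:443       ESTABLISHED     8812
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2300
"""

# Hypothetical baseline: (protocol, port) pairs this host is expected to expose.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}

def parse_listeners(text):
    """Return sorted, de-duplicated (proto, local_addr, port, pid) listeners."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, pid = f[0], f[1], f[-1]
        if proto == "TCP":
            # TCP rows carry a State column; keep only listening sockets.
            if len(f) != 5 or f[3] not in ("LISTEN", "LISTENING"):
                continue
        elif len(f) != 4:
            continue  # UDP rows have no State column
        addr, _, port = local.rpartition(":")  # rpartition copes with [::]:445
        if port.isdigit() and pid.isdigit():
            found.add((proto, addr, int(port), int(pid)))
    return sorted(found)

def unexpected_listeners(text, baseline):
    """Listeners whose (proto, port) pair is missing from the baseline."""
    return [r for r in parse_listeners(text) if (r[0], r[2]) not in baseline]

def live_netstat():
    """Run the real command on a Windows host and return its output."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for proto, addr, port, pid in unexpected_listeners(SAMPLE, BASELINE):
        print(f"unexpected listener: {proto} {addr}:{port} pid={pid}")
```

On a real system, pass live_netstat() instead of SAMPLE and look up each reported PID with Tasklist or Task Manager.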


Netstat -b

The Netstat command has a wide variety of useful switches that you can use for all kinds of troubleshooting.

Did you find this tutorial helpful? Don’t forget to share your views with us.