Questions tagged [netstat]

netstat

netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Parameters

Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/).

• -a : Displays all active connections and the TCP and UDP ports on which the computer is listening.
• -b : Displays the binary (executable) program's name involved in creating each connection or listening port. (Windows XP, 2003 Server and newer Windows operating systems (not Microsoft Windows 2000 or other non-Windows operating systems)) On Mac OS X when combined with -i, the total number of bytes of traffic will be reported.
• -e : Displays ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
• -f : Displays fully qualified domain names for foreign addresses (only available on Windows Vista and newer operating systems).
• -g : Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems)
• -i : Displays network interfaces and their statistics (not available under Windows)
• -m : Displays the STREAMS statistics.
• -n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
• -o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. This parameter is available on Microsoft Windows XP, 2003 Server (and Windows 2000 if a hotfix is applied).[2]
• -p Windows and BSD: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
• -p Linux: Process : Show which processes are using which sockets (similar to -b under Windows) (you must be root to do this)
• -P Solaris: Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be ip, ipv6, icmp, icmpv6, igmp, udp, tcp, or rawip.
• -r : Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)
• -s : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
• -t Linux: Displays only TCP connections.
• -v : When used in conjunction with -b it will display the sequence of components involved in creating the connection or listening port for all executables.
• Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.
• -h (unix) /? (windows): Displays help at the command prompt.

Statistics Provided

Netstat provides statistics for the following:

Protocol - The name of the protocol (TCP or UDP).

Local Address - The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

State - Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection, see RFC 793.

Examples

To display the statistics for only the TCP or UDP protocols, type one of the following commands:

netstat -sp tcp
netstat -sp udp

To display active TCP connections and the process IDs every 5 seconds, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):

netstat -o 5

Mac OS X version:

netstat -w 5

To display active TCP connections and the process IDs using numerical form, type the following command (On Microsoft Windows, works on XP and 2003 only, or Windows 2000 with hotfix):

netstat -no

To display all ports open by a process with id pid:

netstat -aop | grep "pid"

Platform specific remarks

On the Windows platform, netstat information can be retrieved by calling the GetTcpTable and GetUdpTable functions in the IP Helper API, or IPHLPAPI.DLL. Information returned includes local and remote IP addresses, local and remote ports, and (for GetTcpTable) TCP status codes. In addition to the command-line netstat.exe tool that ships with Windows, GUI-based netstat programs are available.

On the Windows platform, this command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

On Mac OS X 10.5, the above option "-o" is not available. With Mac OS X 10.5, the /Applications/Utilities folder contains a network utility called: Network Utility, see tab Netstat for these stats presented in a gui application, along with Ping, Lookup, Traceroute, Whois, Finger and Port Scan.

Wikipedia Entry for netstat