What is the netstat command and how is it used?
netstat is a network statistics utility that displays network connections (both TCP and UDP), listening ports, routing tables, and per-interface/per-protocol statistics; by default it resolves IPs to names, and the -n option shows them in numerical form.
The netstat Command:
A network statistics utility used to inspect what a host is doing on the network. Despite often being demonstrated on active TCP connections, netstat reports far more: TCP and UDP connections, ports in the LISTENING state, the IP routing table (-r), interface statistics (-e), and protocol statistics (-s). It is a first stop when you want to know "who is my machine talking to, and which services are open?"
Basic Usage:
C:\> netstat
Shows active connections with:
- Protocol
- Local Address
- Foreign Address
- State
Using the -n Option:
C:\> netstat -n
Displays IP addresses and ports in numerical form instead of resolving to domain names and service names.
Connection States:
- ESTABLISHED - Active connection
- LISTENING - Waiting for incoming connections
- TIME_WAIT - Waiting after close to handle delayed packets
- CLOSE_WAIT - Remote side has closed
Use cases:
- Troubleshoot connectivity issues
- Verify what services are running (which ports are LISTENING)
- Check for unauthorized connections
Why it matters in practice: because netstat lists every established connection and listening port, it is a quick way to spot something unexpected - a process you did not start reaching out to an unfamiliar foreign address can be a sign of malware. Pair -a (show all, including listening sockets) with -n (skip slow name resolution) for a fast, complete picture; on Linux, -p/ss -p also names the owning process. On modern systems ss is the faster successor, but the mental model is identical.
Go deeper:
netstat — Wikipedia reference for the options (
-a -n -r -e -s) and connection states.Netstat Commands — Network Administration Tutorial — HackerSploit demonstrates reading active connections and listening ports.