LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is the netstat command and how is it used?

netstat is a network statistics utility that displays network connections (both TCP and UDP), listening ports, routing tables, and per-interface/per-protocol statistics; by default it resolves IPs to names, and the -n option shows them in numerical form.

The netstat Command:

A network statistics utility used to inspect what a host is doing on the network. Despite often being demonstrated on active TCP connections, netstat reports far more: TCP and UDP connections, ports in the LISTENING state, the IP routing table (-r), interface statistics (-e), and protocol statistics (-s). It is a first stop when you want to know "who is my machine talking to, and which services are open?"

Basic Usage:

C:\> netstat

Shows active connections with:

  • Protocol
  • Local Address
  • Foreign Address
  • State

Using the -n Option:

C:\> netstat -n

Displays IP addresses and ports in numerical form instead of resolving to domain names and service names.

Connection States:

  • ESTABLISHED - Active connection
  • LISTENING - Waiting for incoming connections
  • TIME_WAIT - Waiting after close to handle delayed packets
  • CLOSE_WAIT - Remote side has closed

Use cases:

  • Troubleshoot connectivity issues
  • Verify what services are running (which ports are LISTENING)
  • Check for unauthorized connections

Why it matters in practice: because netstat lists every established connection and listening port, it is a quick way to spot something unexpected - a process you did not start reaching out to an unfamiliar foreign address can be a sign of malware. Pair -a (show all, including listening sockets) with -n (skip slow name resolution) for a fast, complete picture; on Linux, -p/ss -p also names the owning process. On modern systems ss is the faster successor, but the mental model is identical.

Go deeper:

From Quiz: NETW1 / Transport Layer | Updated: Jul 05, 2026