Using the netstat Utility

Using netstat is a great way to see the TCP/IP connections (both inbound and outbound) on your machine. You can also use it to view packet statistics (similar to the MONITOR.NLM utility on a NetWare server console), such as how many packets have been sent and received, the number of errors, and so on.

When used without any options, netstat produces output that shows all the outbound TCP/IP connections. Used this way, the netstat utility is particularly useful in determining the status of outbound Web connections.

The Proto column lists the protocol being used. Because this is a Web connection, the protocol is TCP. The Local Address column lists the source address and the source port (source socket). In this case, default indicates that the PC has no NetBIOS name configured and refers to the local IP address, which is followed by the source ports, four separate dynamically registered TCP ports used to open four separate TCP connections. The Foreign Address item for all four connections is, indicating that for all four connections, the address of the destination machine is and that the destination port is TCP port 80 (in other words, HTTP for the Web). The State column indicates the status of each connection. This column shows statistics only for TCP connections because UDP establishes no virtual circuit to the remote device. Usually, this column indicates ESTABLISHED once a TCP connection between your computer and the destination computer is established.

Output of the netstat command without any switches

The output of the netstat utility depends on the switch. You can use the following switches:

  • -a
  • -e
  • -r
  • -s
  • -n
  • -p

Simply type netstat followed by a space and then the switch. Some switches have options, but the syntax is basically the same. Note the UNIX style of the switches, where the hyphen must be included. This is common in Microsoft operating systems for TCP/IP utilities, which stem from original use in UNIX systems.

The -a Switch

When you use the -a switch, the netstat utility displays all TCP/IP connections and all User Datagram Protocol (UDP) connections. The figure shows sample output produced by the netstat -a command.

Entries with a protocol type of UDP and the source port nicknames nbname and nbdatagram correspond to the well-known port numbers 137 and 138, respectively. These port numbers are commonly seen on networks that broadcast the NetBIOS name of a workstation on the TCP/IP network. You can tell that this is a broadcast because the destination address is listed as *:* (meaning “any address, any port”).

Sample output of the netstat -a command

The -e Switch

The -e switch displays a summary of all the packets that have been sent over the network interface card (NIC) as of that instant. The two columns in the figure show packets coming in as well as being sent.

Sample output of the netstat -e command

You can use the -e switch to display the following categories of statistics:

Bytes: The number of bytes transmitted or received since the computer was turned on. This statistic is useful in helping to determine if data is actually being transmitted and received or if the network interface isn’t doing anything.

Unicast Packets: The number of packets sent from or received at this computer. To register in one of these columns, the packet must be addressed directly from one computer to another and the computer’s address must be in either the source or destination address section of the packet.

Non-unicast Packets: The number of packets not directly sent from one workstation to another. For example, a broadcast packet is a non-unicast packet. The number of non-unicast packets should be smaller than the number of unicast packets. If the number of non-unicast packets is as high as or higher than that of unicast packets, too many broadcast packets are being sent on your network. You should find the source of these packets and make any necessary adjustments.

Discards: The number of packets that were discarded by the NIC during either transmission or reception because they weren’t assembled correctly.

Errors: The number of errors that occur during transmission or reception. These numbers may indicate problems with the network card.

Unknown Protocols: The number of received packets that the Windows networking stack couldn’t interpret. This statistic shows up only in the Received column because, if the computer sent them, they wouldn’t be unknown, would they?

Unfortunately, statistics don’t mean much unless they can be colored with time information. For example, if the Errors column shows 100 errors, is that a problem? It might be if the computer has been on for only a few minutes. But 100 errors could be par for the course if the computer has been operating for several days. Unfortunately, the netstat utility doesn’t have a way of indicating how much time has elapsed for these statistics.
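One way to supply the missing time information is to capture netstat -e twice, a known interval apart, and compare the counters. The following is an added example, not part of the original page; the two snapshots are constructed sample data and the 60-second interval is an assumption.

```python
import re
# Constructed `netstat -e` snapshots taken 60 seconds apart (sample data, not from the page).
SNAP_T0 = """Interface Statistics
                           Received            Sent
Bytes                      48210000        9120000
Unicast packets               52000          41000
Non-unicast packets            3100            240
Discards                          0              0
Errors                           12              0
Unknown protocols                 4
"""
SNAP_T1 = """Interface Statistics
                           Received            Sent
Bytes                      48810000        9420000
Unicast packets               52600          41300
Non-unicast packets            4900            270
Discards                          0              0
Errors                           12              0
Unknown protocols                 4
"""

# Counter name, two or more spaces, Received value, optional Sent value.
ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)(?:\s+(\d+))?\s*$")

def parse_netstat_e(text):
    """Return {counter name: (received, sent)}; sent is None when the column is empty."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, rx, tx = m.groups()
            counters[name.lower()] = (int(rx), None if tx is None else int(tx))
    return counters

def rates(before, after, seconds):
    """Per-second change of every counter between two snapshots."""
    out = {}
    for name, (rx1, tx1) in after.items():
        rx0, tx0 = before[name]
        out[name] = ((rx1 - rx0) / seconds, None if tx1 is None else (tx1 - tx0) / seconds)
    return out

def broadcast_heavy(per_second):
    """Apply the non-unicast >= unicast rule to interval rates rather than lifetime totals."""
    return per_second["non-unicast packets"][0] >= per_second["unicast packets"][0]

if __name__ == "__main__":
    r = rates(parse_netstat_e(SNAP_T0), parse_netstat_e(SNAP_T1), 60)
    print(r["unicast packets"], r["non-unicast packets"], broadcast_heavy(r))
```

In the sample, the lifetime totals still show far fewer non-unicast than unicast packets, yet over the last minute non-unicast traffic arrives three times as fast, which the totals alone would hide.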

The -r Switch

You use the -r switch to display the current route table for a workstation so that you can see how TCP/IP information is being routed. Figure 4.4 shows sample output using this switch. You can tell from this output which interface is being used to route to a particular network (useful if computers have multiple NICs).

The -s Switch

Using the -s switch displays a variety of TCP, UDP, IP, and ICMP protocol statistics.

The following is some sample output using this switch.

C:\>netstat -s

The -n Switch

The -n switch is a modifier for the other switches. When used with other switches, it reverses the natural tendency of netstat to use names instead of network addresses. In other words, when you use the -n switch, the output always displays network addresses instead of their associated network names. Following is output from the netstat command and then the netstat -n command, showing the same information but with IP addresses instead of names:


Active Connections

C:\>netstat -n

Active Connections
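Because -n makes every endpoint a numeric address:port pair, the Proto, Local Address, Foreign Address, and State columns described earlier can be parsed mechanically. The following is an added example, not part of the original page: it parses constructed netstat -a -n output (documentation addresses, hypothetical host) and summarizes where the machine is connected and which local ports are open.

```python
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state")

# Constructed `netstat -a -n` output (sample data using documentation addresses).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.15:1031        203.0.113.80:80        ESTABLISHED
  TCP    192.0.2.15:1032        203.0.113.80:80        ESTABLISHED
  TCP    192.0.2.15:1033        203.0.113.80:80        TIME_WAIT
  TCP    [::1]:445              [::]:0                 LISTENING
  UDP    192.0.2.15:137         *:*
  UDP    192.0.2.15:138         *:*
"""

def split_endpoint(endpoint):
    """Split 'address:port' on the last colon so '[::1]:445' and '*:*' both work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        la, lp = split_endpoint(fields[1])
        ra, rp = split_endpoint(fields[2])
        # UDP establishes no virtual circuit, so its rows carry no State value.
        state = fields[3] if fields[0] == "TCP" and len(fields) > 3 else None
        conns.append(Conn(fields[0], la, lp, ra, rp, state))
    return conns

def established_by_destination(conns):
    """Count ESTABLISHED TCP connections per (remote address, remote port)."""
    return Counter((c.remote_addr, c.remote_port) for c in conns if c.state == "ESTABLISHED")

def listening_or_unconnected(conns):
    """Local endpoints open to traffic: TCP LISTENING rows and UDP rows with a *:* peer."""
    return sorted({(c.proto, c.local_port) for c in conns if c.state == "LISTENING" or c.remote_addr == "*"})

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print(established_by_destination(conns))
    print(listening_or_unconnected(conns))
```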


The -p Switch

Like the -n switch, the -p switch is a modifier. Typically used with the -s switch (discussed earlier), it specifies which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the -p switch like so:

netstat -s -p ICMP

The netstat utility then displays the ICMP statistics instead of the gamut of TCP/IP statistics that the -s switch normally produces.
