Sponsored by Keepnet Labs

Netstat for Security Professionals -2021

Net Stat for Security professionals

Netstat for Security Professionals

This article was originally posted in 2012, right after my Microsoft TechEd New Zealand session, Updates on screenshots

This article is all about NETSTAT command. How it can help you to check the details on your network connections… (Network Statistics). It’s used to display very detailed information about how your computer is communicating with other computers or network devices.

netstat command

can display details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues. And netstat can really help you to see if there are any suspicious activities happening on your computer, which send out information like to a Command and Control Center. As these activities will happen over the “network” looking at network statistics is a key for any Security Professional

netstat : displays the status of active TCP and UDP ports

Netstat –a : displays all active connections and listening ports


netstat –b: Displays the executable program’s name involved in creating each connection or listening port.

netstat –e: Displays ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s

netstat –es

Netstat –f Displays fully qualified domain names <FQDN> for foreign addresses

netstat –n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

netstat –o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and –p

netstat –ano

netstat –r: Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)

netstat –s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols

netstat –v: When used in conjunction with -b it will display the sequence of components involved in creating the connection or listening port for all executables

netstat –vb

netstat –na



Net stat –ano 5 (the 5 indicates the refresh rate,based on this example every 5 seconds, if you change 5 to 3 it will refers every 3 seconds)

netstat -sp

Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

netstat-sp tcp


netstat -sp IP

This command will show you how many connection is opened by particular connection.

netstat -rn

This command will list your Network Interface list as well as the routing table

netstat -e -t 5

This command will display your network interface statistics

netstat -n -p TCP

If you believe you are under SYN Flood attack, this command can help you get evidence, please be aware this cmd will only display results if there is a
SYN_RECV tab displayed, if not, please check from your firewall or other network devices to verify your suspicions


To read more articles like this one:


PS: What is netstat?

Netstat — derived from the words network and statistics — is a program that’s controlled via commands issued in the command line. It delivers basic statistics on all network activities and informs users on which portsand addresses the corresponding connections (TCP, UDP) are running and which ports are open for tasks. In 1983, netstat was first implemented into the Unix derivative BSD (Berkley Software Distribution), whose version 4.2 supported the first internet protocol family, TCP/IP. netstat has been integrated into Linux since its debut in 1991 and has been present in Windows since the appearance of version 3.11 (1993), which could also communicate via TCP/IP with the help of extensions. While the parameters of netstat’s commands (as well as their outputs) differ from system to system, when it comes to their functions, the various implementations are very similar.

Essentially, netstat is a command line program and for this reason doesn’t feature a graphical user interface. Programs like TCPView, which was developed by the Microsoft division Windows Sysinternals, makes it possible for statistics to be displayed graphically.

How do you use netstat?

In Windows operating systems, you can use the netstat services via the command line (cmd.exe). You can find them in the start menu under “All Programs” -> “Accessories” -> “Command Prompt“. Alternatively, you can search directly for “Command Prompt” in the start menu’s search field or start the command line via “Run” (Windows key + press “R” and enter “cmd”). The syntax of the netstat commands follows the following pattern:

netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p Protocol] [-r] [-s] [-t] [-x] [-y] [Interval]

The combination of the individual options works by stringing the individual parameters together, each separated by a space:

netstat [-OPTION1] [-OPTION2] [-OPTION3] …

The parameters are typically preceded by a hyphen (-), but if you want to combine several options, you only have to place this hyphen in front of the first element. Instead of the variant shown above, you can also link different parameters as follows:

netstat [-OPTION1][OPTION2][OPTION3] …

In this case, it is important that you do not leave any spaces between the individual netstat options.

netstat commands for Windows






Standard listing of all active connections


netstat -a

Displays all active ports


netstat -b

Displays the executable file of a connection or listening port (requires administrator rights)


netstat -e

Shows statistics about your network connection (received and sent data packets, etc.)


netstat -f

Displays the fully qualified domain name (FQDN) of remote addresses


netstat -i

Brings up the netstat overview menu


netstat -n

Numerical display of addresses and port numbers


netstat -o

Displays the process identifier (PID) associated with each displayed connection

-p Protokoll

netstat -p TCP

Displays the connections for the specified protocol, in this case TCP  (also possible: UDP, TCPv6, or UDPv6)


netstat -q

Lists all connections, all listening TCP ports, and all open TCP ports that are not listening


netstat -r

Displays the IP routing table


netstat -s

Retrieves statistics about the important network protocols such as TCP, IP, or UDP


netstat -t

Shows the download status (TCP download to relieve the main processor) of active connections


netstat -x

Informs about all connections, listeners, and shared endpoints for NetworkDirect


netstat -y

Displays which connection templates were used for the active TCP connections


netstat -p 10

Displays the respective statistics again after a selected number of seconds (here 10); can be combined as required (here with –p), [CTRL] + [C] ends the interval display

Netstat for security professionals

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *