Windows netstat Command Explained

What netstat shows

netstat prints the Windows networking stack’s view of TCP and UDP endpoints: local and remote address/port pairs, connection state for TCP, and optionally the process ID (PID) owning the socket. It can also dump the routing table and interface statistics. It is snapshot-oriented unless you append an interval in seconds to refresh.

Switches you will use

Switch	Effect	Notes
`-a`	All connections and listening ports	Default without -a can hide non-listening rows depending on OS defaults—prefer `-a` for audits
`-n`	Numeric addresses and ports	Skips reverse DNS—faster and clearer for firewalls
`-o`	Include owning PID	Combine with `tasklist` or Task Manager Details tab
`-b`	Show executable per connection	Requires elevated Administrator; can be slow and verbose
`-p tcp\|udp\|tcpv6\|udpv6`	Filter protocol	Narrows noisy output on busy servers
`-e`	Ethernet interface statistics	Bytes/discards/errors snapshot
`-r`	Display routing table	Overlaps `route print`—same logical data
`-s`	Per-protocol statistics	Useful for discard/error counters by protocol

The usual triage line is netstat -ano: all sockets, numeric form, with PIDs.

TCP states in one glance

LISTENING means a passive open on the local port (often 0.0.0.0 or :: for all interfaces). ESTABLISHED is an active session. TIME_WAIT is normal after connections close—brief accumulation is expected; endless growth can indicate churn or scanning. CLOSE_WAIT often means the local app has not closed its side after receiving a FIN—investigate the owning process.

From PID to process name

Example: tasklist /fi "PID eq 1234" or Task Manager’s Details column. For services hosted in svchost.exe, use tasklist /svc /fi "PID eq 1234" or Services tab to see which service group owns the PID.

PowerShell alternative

Get-NetTCPConnection and Get-NetUDPEndpoint return objects you can filter (Where-Object LocalPort -eq 443, state filters, owning process). Prefer this in scripts; keep netstat for quick human-readable snapshots and recovery environments.

Frequently Asked Questions

Q.What does netstat -ano do?

It lists all TCP/UDP connections and listening ports (-a), shows addresses and ports in numeric form (-n), and includes the owning process ID (-o). It is the most common starting point for finding which program holds a port.

Q.Why do I see TIME_WAIT for many lines?

TIME_WAIT is a normal TCP teardown state after a connection closes. It ensures stray segments expire. High churn from short-lived clients or load tests can create bursts—correlate with application behavior before treating it as an attack.

Q.Does LISTENING on 0.0.0.0 mean the whole internet can connect?

It means the socket accepts inbound connections on any local IPv4 address. Windows Defender Firewall and edge routers still control what actually reaches the process—verify rules per network profile.

Q.When should I use netstat -b?

When you need executable names without cross-referencing PIDs and you can run an elevated prompt. It is slower and more verbose; for automation prefer Get-NetTCPConnection with process lookups.

Q.Why does netstat show [::]:443 LISTENING?

That is IPv6 notation for all local IPv6 addresses. Dual-stack apps often listen on both IPv4 and IPv6; check companion 0.0.0.0:443 rows and firewall scopes.

Q.Can I see historical connections?

netstat is a point-in-time view. For history, use ETW tracing (pktmon, netsh trace), firewall logging, SIEM agents, or endpoint security tooling—not plain netstat alone.

Q.Why is PID missing for some rows?

Some endpoints are owned by the kernel or not exposed to user mode in the same way; elevation and OS build can affect visibility. Re-run elevated and compare with Get-NetTCPConnection.

Q.How is this different from Linux ss?

ss uses modern Linux sock_diag APIs and is faster on huge socket tables. Windows netstat reads the same conceptual data from the Windows stack; behavior and column names differ—see the netstat vs ss article for a feature mapping.