ipdetecto.com
Apr 19, 2026

Windows netstat Command Explained

Windows netstat.exe for sockets and routes: -a/-n/-o/-b/-p, TCP states (LISTENING, TIME_WAIT), mapping PIDs to processes, per-protocol statistics, and when to use Get-NetTCPConnection instead.

What netstat shows

netstat prints the Windows networking stack’s view of TCP and UDP endpoints: local and remote address/port pairs, connection state for TCP, and optionally the process ID (PID) owning the socket. It can also dump the routing table and interface statistics. It is snapshot-oriented unless you append an interval in seconds to refresh.

Switches you will use

| Switch | Effect | Notes |
|---|---|---|
| -a | All connections and listening ports | Default without -a can hide non-listening rows depending on OS defaults; prefer -a for audits |
| -n | Numeric addresses and ports | Skips reverse DNS; faster and clearer for firewalls |
| -o | Include owning PID | Combine with tasklist or Task Manager Details tab |
| -b | Show executable per connection | Requires elevated Administrator; can be slow and verbose |
| -p tcp\|udp\|tcpv6\|udpv6 | Filter protocol | Narrows noisy output on busy servers |
| -e | Ethernet interface statistics | Bytes/discards/errors snapshot |
| -r | Display routing table | Overlaps route print; same logical data |
| -s | Per-protocol statistics | Useful for discard/error counters by protocol |

The usual triage line is netstat -ano: all sockets, numeric form, with PIDs.

TCP states at a glance

LISTENING means a passive open on the local port (often 0.0.0.0 or :: for all interfaces). ESTABLISHED is an active session. TIME_WAIT is normal after connections close—brief accumulation is expected; endless growth can indicate churn or scanning. CLOSE_WAIT often means the local app has not closed its side after receiving a FIN—investigate the owning process.

From PID to process name

To turn a PID from the -o column into a process name, run tasklist /fi "PID eq 1234" or look up the PID on Task Manager’s Details tab. For services hosted in svchost.exe, use tasklist /svc /fi "PID eq 1234" or the Services tab to see which service group owns the PID.

PowerShell alternative

Get-NetTCPConnection and Get-NetUDPEndpoint return objects you can filter (Where-Object LocalPort -eq 443, state filters, owning process). Prefer this in scripts; keep netstat for quick human-readable snapshots and recovery environments.
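
The PID-to-process and svchost-to-service lookups described above, done with objects instead of netstat text. This is an added example, not code from the original article; the function names Get-ListenerInventory and Get-CloseWaitByProcess are hypothetical, and using Win32_Service for the service mapping is this example's choice.

```powershell
# Added example. Function names are hypothetical, not built-in cmdlets.
# Requires the NetTCPIP module (Windows 8 / Server 2012 or later).

function Get-ListenerInventory {
    # Build PID -> service names once; one svchost.exe PID can host several.
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                PID           = $procId
                Process       = if ($proc) { $proc.ProcessName } else { '<unavailable>' }
                Services      = $svcByPid[$procId] -join ','
                # True for 0.0.0.0 or :: (socket bound to every local address)
                AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
            }
        } | Sort-Object LocalPort, LocalAddress
}

function Get-CloseWaitByProcess {
    # CLOSE_WAIT rows per PID; -ErrorAction hides the error raised on no match.
    Get-NetTCPConnection -State CloseWait -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'PID'; e = { [int]$_.Name } }, Count
}

Get-ListenerInventory | Format-Table -AutoSize
Get-CloseWaitByProcess | Format-Table -AutoSize
```

Run it from an elevated prompt so process names resolve for sockets owned by other accounts; rows with AllInterfaces set to True are the ones to check against firewall rules per network profile.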

Related: Windows networking commands, ss on Linux, PowerShell networking, netstat vs ss.

Frequently Asked Questions

Q. What does netstat -ano do?

It lists all TCP/UDP connections and listening ports (-a), shows addresses and ports in numeric form (-n), and includes the owning process ID (-o). It is the most common starting point for finding which program holds a port.

Q. Why do I see TIME_WAIT for many lines?

TIME_WAIT is a normal TCP teardown state after a connection closes. It ensures stray segments expire. High churn from short-lived clients or load tests can create bursts—correlate with application behavior before treating it as an attack.

Q. Does LISTENING on 0.0.0.0 mean the whole internet can connect?

It means the socket accepts inbound connections on any local IPv4 address. Windows Defender Firewall and edge routers still control what actually reaches the process—verify rules per network profile.

Q. When should I use netstat -b?

When you need executable names without cross-referencing PIDs and you can run an elevated prompt. It is slower and more verbose; for automation prefer Get-NetTCPConnection with process lookups.

Q. Why does netstat show [::]:443 LISTENING?

That is IPv6 notation for all local IPv6 addresses. Dual-stack apps often listen on both IPv4 and IPv6; check companion 0.0.0.0:443 rows and firewall scopes.

Q. Can I see historical connections?

netstat is a point-in-time view. For history, use ETW tracing (pktmon, netsh trace), firewall logging, SIEM agents, or endpoint security tooling—not plain netstat alone.

Q. Why is PID missing for some rows?

Some endpoints are owned by the kernel or not exposed to user mode in the same way; elevation and OS build can affect visibility. Re-run elevated and compare with Get-NetTCPConnection.

Q. How is this different from Linux ss?

ss uses modern Linux sock_diag APIs and is faster on huge socket tables. Windows netstat reads the same conceptual data from the Windows stack; behavior and column names differ—see the netstat vs ss article for a feature mapping.