The netstat command is the cross-platform network statistics utility that displays active TCP connections, listening ports, routing tables, and interface statistics for real-time network diagnostics.
```
# Windows syntax
netstat [-a] [-b] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<interval>]
# Linux syntax
netstat [options]
```
Tested on Ubuntu 22.04 with net-tools 2.10 and Windows Server 2022.
Options and Flags
| Flag | Platform | Type | Default | Description |
|---|---|---|---|---|
| -a | Windows, Linux | Boolean | Off | Displays all active connections and listening ports. |
| -b | Windows | Boolean | Off | Shows the executable involved in creating each connection (requires admin). |
| -e | Windows | Boolean | Off | Displays Ethernet statistics (bytes, packets, errors). |
| -n | Windows, Linux | Boolean | Off | Displays addresses and port numbers in numerical form (no DNS resolution). |
| -o | Windows | Boolean | Off | Shows the owning process ID (PID) for each connection. |
| -p | Windows, Linux | String | All protocols | Filters by protocol: TCP, UDP, TCPv6, or UDPv6 (Windows); tcp, udp, raw, unix (Linux). |
| -r | Windows, Linux | Boolean | Off | Displays the kernel IP routing table. |
| -s | Windows, Linux | Boolean | Off | Shows per-protocol statistics (packets sent/received, errors). |
| -t | Linux | Boolean | Off | Filters to show only TCP connections. |
| -u | Linux | Boolean | Off | Filters to show only UDP connections. |
| -l | Linux | Boolean | Off | Shows only listening sockets. |
| -c | Linux | Boolean | Off | Continuously refreshes output every second. |
| -i | Linux | Boolean | Off | Displays network interface statistics. |
| -g | Linux | Boolean | Off | Displays multicast group membership information. |
| --verbose | Linux | Boolean | Off | Increases verbosity; shows additional details on unconfigured address families. |
Usage Examples
Example 1: Display All Listening Ports with Process Ownership
```
# Linux: show all listening TCP/UDP ports with PID and program name
sudo netstat -tulpn
# Windows: show all listening ports with owning PID
netstat -ano | findstr LISTEN
```
This is critical for identifying which service is bound to a port. On Linux, -tulpn combines the TCP, UDP, listening, numerical, and PID flags. On Windows, -ano shows all connections numerically with PID; piping to findstr LISTEN isolates active listeners. It is useful during port conflict resolution.
Example 2: Identify Process Binding to a Specific Port
```
# Linux: find which process uses port 8080
sudo netstat -tlnp | grep :8080
# Windows: find process on port 443
netstat -ano | findstr :443
```
When deploying a web application and port 8080 or 443 is already in use, this command isolates the offending PID. On Linux, the -p flag requires root to display process names; on Windows, -o shows PID without elevation, but -b requires admin for executable names.
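Building on Examples 1 and 2, the following added example (not part of the original page) is a POSIX shell filter. It reads Linux `netstat -tulpn` output and reports every listener that is reachable beyond loopback and whose port is not on an expected-ports list. The function names, the allowlist, and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit listeners from Linux `netstat -tulpn` output.
# sample_listeners, audit_listeners and the port allowlist are hypothetical.

# Constructed sample output (not captured from a real host).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1044/postgres
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2301/python3
tcp6       0      0 :::443                  :::*                    LISTEN      990/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           588/systemd-resolve
EOF
}

# audit_listeners "PORT PORT ...": read netstat -tulpn text on stdin and print
# "proto local-address owner" for every non-loopback listener whose port is
# not in the space-separated allowlist.
audit_listeners() {
  awk -v allowed="$1" '
    $1 !~ /^(tcp|udp)/ { next }                  # skip banner and header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }       # TCP rows carry a State column
    {
      owner = ($1 ~ /^tcp/) ? $7 : $6            # UDP rows have no State column
      n = split($4, part, ":"); port = part[n]   # port is the last ":" field (IPv6-safe)
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "::1") next # bound to loopback only
      if (index(" " allowed " ", " " port " ")) next
      print $1, $4, owner
    }'
}

# Stand-alone run on the constructed sample; on a real host:
#   sudo netstat -tulpn | audit_listeners "22 443 68"
sample_listeners | audit_listeners "22 443 68"
```

Run without root, the owner column shows "-" for sockets owned by other users, so the port and address are still reported but the process is not.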
Example 3: Continuous Network Connection Monitoring
```
# Linux: refresh active connections every 2 seconds
netstat -tuc 2
# Windows: refresh statistics every 5 seconds
netstat -e 5
```
Use this for real-time monitoring of connection churn during an incident. On Linux, -c with an interval (2 seconds) provides continuous TCP/UDP output. On Windows, the trailing interval argument repeats the specified command output. It is good for watching connection surges after deploying a change.
Example 4: Display Routing Table
```
# Linux
netstat -rn
# Windows
netstat -r
```
Shows the kernel IP routing table. The -n flag suppresses hostname resolution, speeding output. Compare against expected routes to detect misdirected traffic or missing static routes. Equivalent to route print on Windows and ip route on modern Linux systems.
Troubleshooting and Common Errors
| Observation / State | Root Cause | Resolution Command / Action |
|---|---|---|
| CLOSE_WAIT connections accumulate | The local application has not closed the socket after receiving a close request from the remote peer. Indicates a resource leak in the application code. | |
| TIME_WAIT connections exceeding 20,000 | Ephemeral port exhaustion. The system is rapidly opening and closing short-lived connections, exhausting the port range. | |
| SYN_SENT stays persistent | Outbound TCP SYN has been sent but no SYN-ACK received. Firewall, unreachable remote, or stale ARP cache. | |
| FIN_WAIT_1 / FIN_WAIT_2 stuck | Half-closed connections where the remote side has not acknowledged the FIN packet. Network delay or peer application hang. | |
| “netstat: command not found” | net-tools package not installed (common on minimal Docker containers and modern Linux distros). | |
| Permission denied (Linux -p flag) | Non-root user trying to read process information from /proc. | |
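To spot the states in the table above before they become an outage, the following added example (not part of the original page) counts TCP states in Linux `netstat -ant` output and flags the TIME_WAIT and CLOSE_WAIT conditions. The function names, the sample output, and the CLOSE_WAIT limit are assumptions; the 20,000 TIME_WAIT figure comes from the table.

```sh
#!/bin/sh
# Added example: summarize TCP states from Linux `netstat -ant` output.
# sample_conns, state_counts and check_states are hypothetical names.

# Constructed sample output (not captured from a real host).
sample_conns() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        1      0 10.0.0.5:8080           10.0.0.9:51514          CLOSE_WAIT
tcp        1      0 10.0.0.5:8080           10.0.0.9:51520          CLOSE_WAIT
tcp        0      0 10.0.0.5:44120          10.0.0.7:5432           TIME_WAIT
tcp        0      0 10.0.0.5:44122          10.0.0.7:5432           TIME_WAIT
tcp        0      0 10.0.0.5:44124          10.0.0.7:5432           TIME_WAIT
tcp        0      1 10.0.0.5:50312          192.0.2.10:443          SYN_SENT
tcp        0      0 10.0.0.5:22             10.0.0.2:60022          ESTABLISHED
EOF
}

# state_counts: print "STATE count" for every TCP state seen on stdin.
state_counts() {
  awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# check_states TIME_WAIT_MAX CLOSE_WAIT_MAX: print an ALERT line per exceeded
# limit and the destinations stuck in SYN_SENT; return 1 if a limit is exceeded.
check_states() {
  awk -v tw="$1" -v cw="$2" '
    $1 ~ /^tcp/ { n[$6]++; if ($6 == "SYN_SENT") dst[$5]++ }
    END {
      rc = 0
      if (n["TIME_WAIT"] + 0 > tw + 0)  { print "ALERT TIME_WAIT " n["TIME_WAIT"]; rc = 1 }
      if (n["CLOSE_WAIT"] + 0 > cw + 0) { print "ALERT CLOSE_WAIT " n["CLOSE_WAIT"]; rc = 1 }
      for (d in dst) print "INFO SYN_SENT " d " x" dst[d]
      exit rc
    }'
}

# Stand-alone run on the constructed sample. 20000 is the TIME_WAIT figure from
# the table; the CLOSE_WAIT limit of 100 is an assumption. On a real host:
#   netstat -ant | check_states 20000 100
sample_conns | state_counts
sample_conns | check_states 20000 100
```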
Exit Codes
| Code | Meaning | Operational Impact |
|---|---|---|
| 0 | Success | Command completed normally. All requested data displayed. |
| 1 | General failure | Often caused by invalid flag combination, insufficient permissions, or missing kernel module. Re-run with elevated privileges or verify syntax. |
| 2 | Invalid option | An unrecognized flag was passed. Check platform-specific man page. |
Note: netstat does not expose granular exit-code documentation in the official vendor pages for Windows or Linux. Codes above reflect standard Unix exit conventions and common observed behavior. For production automation, always check $? immediately after the command.
Closing Tip
For automated connection monitoring in production, replace netstat with ss on Linux and Get-NetTCPConnection on Windows for structured, scriptable output that integrates directly with monitoring pipelines.
Multi-Cloud Comparison
netstat is a local OS command running inside compute instances. No cloud provider exposes a subcommand equivalent. Cloud-native network diagnostics are handled at the VPC/subnet level through separate services.
| Feature | command netstat | AWS Equivalent | Azure Equivalent | GCP Equivalent |
|---|---|---|---|---|
| Active connections | Run inside EC2/VM/instance OS | VPC Flow Logs (connection-level) | NSG Flow Logs | VPC Flow Logs |
| Listening ports | netstat -ano inside instance | Reachability Analyzer (path-level) | Network Watcher IP flow verify | Connectivity Tests |
| Routing table | netstat -r inside instance | Route tables (VPC-level API) | Route tables (VNet-level CLI) | Routes (VPC-level gcloud) |
| Interface statistics | netstat -i (Linux) | CloudWatch metrics (instance-level) | Azure Monitor metrics | Cloud Monitoring metrics |
Frequently Asked Questions
What is the difference between netstat -t and netstat -u?
Answer: netstat -t displays TCP connections; netstat -u shows UDP connections. Use netstat -tua to show both protocols with listening and established sockets. For numeric output, add -n to avoid DNS resolution.
```
# Show only TCP listening sockets
netstat -tln
# Show all UDP sockets (including non-listening)
netstat -uan
```
When should I use the -p flag with netstat?
Answer: Use -p to display the PID and process name of each socket owner. Requires root/sudo on most systems to see processes owned by other users. Combine with -tuln to list all listening TCP/UDP ports with their owning processes and numeric addresses.
```
# List all listening TCP ports with PID and process name (requires root)
sudo netstat -tlnp
```
How do I fix netstat: command not found on a minimal Linux system?
Answer: Install net-tools via your package manager: apt-get install net-tools (Debian/Ubuntu) or yum install net-tools (RHEL/CentOS). Alternatively, use ss from iproute2 which is pre-installed.
```
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install net-tools
# RHEL/CentOS/Amazon Linux 2
sudo yum install -y net-tools
```
What is the fastest way to list all listening ports and their PIDs with netstat?
Answer: Use sudo netstat -tulpn --numeric-hosts. Flags: -t TCP, -u UDP, -l listening only, -p show PIDs, -n numeric addresses/ports. Adding --numeric-hosts prevents DNS resolution latency. For even faster output, use ss -tuln4 (IPv4 only).
```
# Fastest pure netstat: numeric, no DNS, only listening
sudo netstat -tulpn --numeric-hosts | grep LISTEN
# Alternatively, using ss (faster overall)
sudo ss -tulpn
```

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.