Netstat is Short for Network Statistics and is a Command-line Utility or more precisely a Console Application. As it's Name suggests, it displays Protocol and Network Statistics for all Network Interfaces attached to the Computer. A Network Interface, more commonly referred to as a Network Interface Card is any piece of Hardware that allows the Computer to connect to a Network. The two most common types are a USB Wireless Adapter and a PCI Network Card (NIC).
Netstat's main scopes are TCP (Transmission Control Protocol), UDP (User Datagram Protocol), IP (Internet Protocol) and ICMP (Internet Control Message Protocol), for both IPv4 and IPv6.
To use it, open the Command Prompt, which is normally found under the Accessories Folder in the Start Menu. Goto, the Start Menu Button, then All Programs, then Accessories and right-click the Command Prompt Shortcut and click "Run as Administrator".
Now that the Command Prompt Window is Open, type in "Netstat /?" and press the Enter Key, this will bring up the Help Menu for the Netstat Utility and display all of it's Switches and a brief Description for each. Switches are additional commands that display specific Information the Netstat Utility is able to retrieve.
The available Command-line Switches are as follows: Netstat -a, Netstat -b, Netstat -e, Netstat -f, Netstat -n, Netstat -o, Netstat -p (protocol), Netstat -r, Netstat -s, Netstat -t, Netstat (time interval), The -v Switch has been deprecated, but is still available.
The Switches are able to be used in conjunction with each other, the spaces between them are required and Case is ignored.
The use of the Netstat Command with no switches will display by default, the TCP Protocol, then the Local Address, then the Foreign Address and lastly the current State. The Local Address is the Computer's Network Interface Address, the Foreign Address is the Address of the remote Connection the Local Address is connected to and the State is the current Connection Status of both. The Connection Status or State can have several values. The most common are as follows and are loosely defined:
"Listen" - Meaning the Local Address is waiting for a connection from a Foreign Address. "Established" - Meaning the Local Address and the Foreign Address are actively connected. "Fin_Wait_1 & 2" - Meaning one or both of the Connections are waiting for a Termination Request or for the acknowledgment of a previously sent Termination Request. "Close_Wait" - Meaning the Foreign Address is waiting for a Termination Request from the Local Address. "Time_Wait" - Meaning The Local Address or the Foreign Address is waiting to make sure the Termination Request has been acknowledged and all Packets have been sent and recieved. "Syn_Sent" - Meaning the Local Address is waiting for a matching Connection Request after sending an initial Connection Request to the Foreign Address. For more Information on TCP Connection States go (here).
You can use the Up\Down Arrow Keys on the Keyboard to re-enter any previously entered Commands in their entirety or the Right Arrow Key to enter the last Command one Character at a time. You can, also, use the "cls" Command to clear the screen when it becomes too cluttered to read comfortably.
The first switch listed is "Netstat -a". The Netstat Command with the "a" Switch. The Minus Sign (-) and the Forward Slash (/) both infer that a switch is to be used. Some Switches do not require either, such as the Interval Switch. (12s)
"Netstat -a" will display all Active Connections, no matter the Protocol and any Ports that are currently listening.
The Netstat -b Switch will display the Executables (Programs) that are responsible for creating the Connections and the specific Ports used. This will, also, display the TCP Protocol by default, then the Local Address, then the Foreign Address and then the State. Underneath that the creating Executable will be displayed in Brackets.
Next is the "Netstat -e" Switch. This Switch will display the Ethernet Adapter\s Statistics. This Switch will also include Wireless Adapters, contrary to what it's Description may seem to imply. The Information displayed will be the Statistics Received & Sent, for Bytes, Unicast Packets, Discards, Errors and Unknown Protocols.
The "Netstat -f" Switch will display the Fully Qualified Names for the Foreign Addresses (FQDN). This will include the HostName as well as the Domain Name. All other Stats will be displayed as the Default. TCP, Local Address and State. You may notice that the Http and Https Ports are displayed in a non-numerical Format. This is for clarity. It really denotes Port 80 and Port 443.
Next is, "Netstat -n" this Switch will display all Addresses in Numerical form. The aforementioned :HTTP and :HTTPS Ports will also be displayed in their numerical forms (80 & 443).
"Netstat -o" will display all Process Identifiers (PIDs) associated with each Connection. The Process Identifier is a unique Number assigned to an active Process by the System Kernel. The process ID can be discovered through the Task Manager. Right-click the Task Bar, then select Task Manager, once the Task Manager opens, select the Processes Tab. The Process ID Column is not active by default. To make the Process IDs available click the View Menu Item then click the Set Columns sub-Menu. Once there check the PID (Process Identifier) Box. Now the Process IDs will be shown in the Task Manager and it will be possible to correspond the Processes in both the Console Window and the Task Manager.
"Netstat -p (protocol)" This Switch actually requires a Protocol to be defined. The syntax is as follows: netstat -p tcp. The acceptable Protocol values are TCP, UDP, ICMP, IP, TCPv6, UDPv6, ICMPv6 and IPv6.
The "Netstat -r" Switch will display a List of Network Interfaces, the IPv4 and IPv6 Routing Tables (RIB) and any Persistent Routes associated with each. The Routing Table is used to determine the Interface to be used and the forwarding IP Address (the next destination IP) of a packet of Information being sent over the Connection. Think of it as a Map for the travel of Information. The Active Route Information displayed is as follows: the Network Destination, the Netmask (Subnet Mask), the Gateway, the Interface and the corresponding Metric. The Metric usually indicates the number of Hops. The Route with the lowest Metric value is normally automatically chosen. MAC stands for Media Access Control address and is usually unique to each Network Interface.
"Netstat -s" will display Statistics by Protocol. The Protocols that will be displayed are as follows: IPv4, IPv6, ICMPv4, ICMPv6, TCP for IPv4, TCP for IPv6, UDP for IPv4 and UDP for IPv6. The Stats for each Protocol are too numerous to be listed here, but they are in the Video.
"Netstat -t" will display the current Connection\s Offload State (TOE). The TCP\IP Offload Engine is usually associated with High-speed Data Transmission, although it's origins stem from the old Modem Days. Now, it is used because High-speed Data Transmission could overwhelm the CPU leaving little Processing Power to perform other Functions. This Command will display the Active Connection\s, it's Protocol, it's Local Address, it's Foreign Address, the State and Offload State. The TCP Chimney Offload can be disabled or enable. A returned value of InHost means Offloading is not occurring. Accordingly a returned value of Offloading means offloading is occurring and a transfer of the Work-load has been moved from the CPU to the NIC (Network Interface Card). The Network Interface must support TCP Offloading and it must be enabled in both the Advanced Properties of the Interface and the Operating System, using the "Netsh" Command for offloading to occur.
The Last Switch for the Netstat Console Application is the Interval Switch, which is timed in Seconds. The effect of this switch is to re-run any Command at the specified Interval. The Syntax is as follows: Netstat -r 12s, this will re-run the "Netstat" Command with the "-r" Switch every 12 seconds until stopped using the Ctrl+C Keyboard Combination.