Netstat.exe: Monitor Network Connections and Troubleshoot Problems on Windows

If you’ve ever wondered what programs are talking to the internet on your computer, netstat.exe is your answer. This built-in Windows command helps you see every network connection happening right now. Security professionals use it to spot suspicious activity. System administrators rely on it to troubleshoot connection problems. Regular users need it to understand what’s really going on with their network.

Let me show you exactly how to use netstat.exe, what all those numbers mean, and how this tool can solve real problems.

What Is Netstat.exe?

Netstat.exe is a command-line tool that displays active network connections, listening ports, and network statistics. Every Windows computer has it installed by default. The name combines “network” and “statistics.”

When you run netstat, you get a snapshot of:

  • Active connections between your computer and other devices
  • Which programs are listening for incoming connections
  • Network traffic statistics
  • Routing table information

Think of it as a detailed phone bill that shows every call your computer is making or receiving, except in real time.

Why You Need to Know About Netstat

Security concerns top the list. Malware often creates hidden network connections. Netstat reveals these connections even when nothing obvious appears wrong.

Performance issues become clearer. When your internet feels slow, netstat shows which programs are hogging bandwidth.

Troubleshooting gets easier. Network problems that seem mysterious often make sense once you see the actual connection data.

I’ve used netstat hundreds of times to find programs that shouldn’t be connecting to the internet. Just last month, I discovered a printer driver making constant connections to a server in another country. Without netstat, I would never have known.

How to Open and Use Netstat.exe

Opening Command Prompt

Press Windows key + R to open the Run dialog. Type cmd and press Enter. The black command prompt window appears.

You don’t need administrator rights for basic netstat commands. Some advanced options require it, but most everyday tasks work fine without elevation.

Running Your First Netstat Command

Type this simple command:

netstat

Press Enter. You’ll see a list of active connections. The output looks intimidating at first, but it follows a clear pattern.

Understanding the Basic Output

The standard netstat output shows four columns:

  • Proto: The protocol used (TCP or UDP)
  • Local Address: Your computer’s IP and port number
  • Foreign Address: The remote computer’s IP and port
  • State: The connection status (only for TCP)

Here’s what a typical line looks like:

TCP    192.168.1.100:52341    93.184.216.34:443    ESTABLISHED

This tells you: Your computer (192.168.1.100) is connected to a remote server (93.184.216.34) on port 443 (HTTPS). The connection is active.

Essential Netstat Commands You’ll Actually Use

netstat -a (Show All Connections)

netstat -a

This displays all active connections and listening ports. You’ll see far more entries than with plain netstat. Every program waiting for connections appears here.

Use this when you want the complete picture of network activity.

netstat -b (Show Which Program Owns Each Connection)

netstat -b

This requires administrator rights. Run Command Prompt as administrator first.

This command adds the executable name below each connection. Now you can see that Chrome.exe is making that HTTPS connection, or that svchost.exe is listening on port 135.

This solves the biggest frustration with basic netstat: knowing what program created each connection.

netstat -n (Show Numerical Addresses)

netstat -n

Shows IP addresses instead of trying to resolve them to hostnames. This makes the output appear much faster and helps when DNS isn’t working properly.

Combine it with other options like netstat -an for a fast, complete view.

netstat -o (Show Process ID)

netstat -o

Adds a PID (Process ID) column. You can match this number to the process in Task Manager. Open Task Manager, go to the Details tab, and find the PID column.

This helps when you need to identify or terminate a specific program.

netstat -r (Show Routing Table)

netstat -r

Displays how your computer routes network traffic. Most useful for diagnosing why traffic isn’t reaching certain networks.

Network administrators use this constantly. Regular users rarely need it unless troubleshooting VPN issues.

Combining Commands for Real Power

The magic happens when you combine options:

netstat -ano

This shows all connections (-a), uses numerical addresses (-n), and includes process IDs (-o). Copy this command. You’ll use it more than any other.

netstat -ab

Shows all connections with program names. Perfect for security audits, but slower because it resolves names.

Reading Netstat Output Like a Pro

Connection States Explained

TCP connections move through different states. Here’s what each means:

ESTABLISHED: Active connection with data flowing both ways. This is normal for any active network communication.

LISTENING: Your computer is waiting for incoming connections on this port. Programs like web servers or file sharing tools create listening ports.

TIME_WAIT: Connection recently closed but still tracked. Windows keeps these briefly to handle stray packets. Hundreds of TIME_WAIT connections might mean a program isn’t closing connections properly.

CLOSE_WAIT: Remote side closed the connection, but your program hasn’t finished cleaning up. Large numbers suggest a program has a bug.

SYN_SENT: Your computer initiated a connection and is waiting for a response. If stuck here, either the remote server isn’t responding or a firewall is blocking traffic.

SYN_RECEIVED: Incoming connection attempt received, waiting for final acknowledgment. Brief state during normal connections.

Common Port Numbers

Certain port numbers appear constantly. Recognizing them speeds up analysis:

Port       Service    What It Means
80         HTTP       Regular web traffic
443        HTTPS      Encrypted web traffic
22         SSH        Remote secure shell
3389       RDP        Remote Desktop
445        SMB        File sharing
53         DNS        Name resolution
25         SMTP       Email sending
143/993    IMAP       Email receiving

Connections to ports 80 and 443 are normal for any web browsing. Port 3389 connections mean someone is using Remote Desktop. Port 445 appears when accessing network drives.

Local Address vs Foreign Address

The Local Address shows your computer’s perspective. The port number after the colon matters:

  • High port numbers (49152 to 65535) are temporary ports your computer assigns
  • Low port numbers (1 to 1023) are well-known service ports

When your computer initiates a connection, it uses a high temporary port and connects to a specific service port on the remote end.

Example breakdown:

TCP    192.168.1.100:52341    93.184.216.34:443    ESTABLISHED

Your computer (192.168.1.100) used temporary port 52341 to connect to port 443 (HTTPS) on the remote server. This looks like normal web browsing.

Practical Netstat Use Cases

Finding Which Program Is Using a Specific Port

Sometimes a program fails to start because another program already claimed its port. Netstat finds the culprit.

Run this command as administrator:

netstat -ano | findstr :8080

Replace 8080 with whatever port you’re investigating. The output shows which process ID owns that port. Open Task Manager, find that PID, and you’ve identified the program.

Checking for Suspicious Connections

Malware often connects to remote servers. Regular netstat checks help catch this early.

Run:

netstat -ab > connections.txt

This saves all connections with program names to a text file. Review it for:

  • Unknown programs making internet connections
  • Connections to countries you don’t recognize
  • Programs that shouldn’t need internet access
  • Connections on unusual ports (not 80, 443, or other common ones)

Trust your instincts. If a random system process connects to an IP in a distant country, investigate further. According to the Cybersecurity and Infrastructure Security Agency (https://www.cisa.gov/), monitoring network connections is a fundamental security practice for detecting compromised systems.
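
One way to work through that checklist on a saved file, as an added example that is not part of the original article: the Python below pairs each connection row with the program line printed under it and flags established connections that leave the local network. It assumes the snapshot was taken with -n added (netstat -abn) so addresses and ports stay numeric; the sample output, the expected-program list and the name updatehelper.exe are constructed.

```python
import ipaddress
import re

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # the " [chrome.exe]" line under a row
COMMON_PORTS = {80, 443, 22, 3389, 445, 53, 25, 143, 993}  # the article's port table
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def owned_connections(text):
    """Pair each connection row with the [executable] line printed below it."""
    rows = []
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            rows.append({"remote": conn.group(3), "state": conn.group(4), "owner": None})
        elif owner and rows:
            rows[-1]["owner"] = owner.group(1).lower()
    return rows  # owner stays None after "Can not obtain ownership information"

def review(text, expected_programs):
    """Flag ESTABLISHED connections leaving the local network that need a look."""
    findings = []
    for row in owned_connections(text):
        if row["state"] != "ESTABLISHED":
            continue
        addr, port = row["remote"].rsplit(":", 1)
        ip = ipaddress.ip_address(addr.strip("[]"))
        if any(ip in net for net in LOCAL_NETS):
            continue  # loopback or LAN peer
        reasons = []
        if row["owner"] is None:
            reasons.append("owner not shown")
        elif row["owner"] not in expected_programs:
            reasons.append("program not on expected list")
        if int(port) not in COMMON_PORTS:
            reasons.append("uncommon remote port")
        if reasons:
            findings.append((row["owner"], row["remote"], reasons))
    return findings

# Constructed sample of `netstat -abn` output; updatehelper.exe is a made-up name.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.100:52341    93.184.216.34:443      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.100:52377    192.168.1.20:445       ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.100:52410    203.0.113.25:8443      ESTABLISHED
 [updatehelper.exe]
"""

if __name__ == "__main__":
    for owner, remote, reasons in review(SAMPLE, {"chrome.exe", "svchost.exe"}):
        print(owner, remote, "; ".join(reasons))
```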

Monitoring Connection Changes Over Time

Save netstat output every few minutes to track changes:

netstat -ano > netstat1.txt

Wait five minutes, then:

netstat -ano > netstat2.txt

Compare the files using a text comparison tool. New connections that appeared between snapshots deserve attention.
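
A plain text comparison is noisy because every new connection gets a different temporary local port. The Python below is an added example, not from the original article: it reduces each netstat -ano snapshot to stable keys before comparing them. The two sample snapshots and the function names are constructed for illustration.

```python
import re

# One data row of `netstat -ano`: proto, local, foreign, TCP state, PID.
# UDP rows have no state column; IPv6 addresses are wrapped in [brackets].
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def split_endpoint(endpoint):
    """'[::]:135' -> ('::', 135); the port is whatever follows the last colon."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def snapshot_keys(text):
    """Reduce a snapshot to keys that stay stable from one run to the next.

    Listeners: bound address, port, PID. Active TCP connections: remote
    endpoint and PID, so a fresh temporary local port to a server already
    seen is not a change. TIME_WAIT and other closing states are skipped.
    """
    keys = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, local, foreign, state, pid = m.groups()
        if proto == "UDP" or state == "LISTENING":
            keys.add(("listen", proto, *split_endpoint(local), int(pid)))
        elif state in ("ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"):
            keys.add(("remote", proto, *split_endpoint(foreign), int(pid)))
    return keys

def new_activity(before_text, after_text):
    """Keys present in the later snapshot but absent from the earlier one."""
    return sorted(snapshot_keys(after_text) - snapshot_keys(before_text))

# Constructed sample snapshots, not captured from a real host.
BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.100:52341    93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.100:52290    93.184.216.34:443      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2204
"""
AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING       6312
  TCP    [::]:9001              [::]:0                 LISTENING       6312
  TCP    192.168.1.100:52399    93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.100:52410    203.0.113.25:8443      ESTABLISHED     6312
  UDP    0.0.0.0:5353           *:*                                    2204
"""

if __name__ == "__main__":
    for key in new_activity(BEFORE, AFTER):
        print(key)
```

To use it on the files saved above, read netstat1.txt and netstat2.txt and pass their contents to new_activity; each reported PID can then be looked up in Task Manager's Details tab.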

Troubleshooting Network Performance

When your internet crawls, netstat reveals the problem. Look for:

Too many ESTABLISHED connections: Some programs open hundreds of connections simultaneously. This overwhelms routers and slows everything down.

Connections in weird states: Dozens of connections stuck in SYN_SENT or CLOSE_WAIT indicate problems.

Unexpected local servers: Programs listening on ports when they shouldn’t be might cause issues.

Run netstat -an and count ESTABLISHED connections. More than 200 active connections often indicates a problem, unless you’re running servers or heavy applications.

Verifying Server Status

If you’re running a web server, database, or game server, netstat confirms it’s listening properly.

netstat -an | findstr LISTENING

This shows all listening ports. Your server should appear on its configured port. If it doesn’t, the service didn’t start correctly or is bound to the wrong address.

Advanced Netstat Techniques

Continuous Monitoring

Add a number after commands to refresh automatically:

netstat -ano 5

This updates the display every five seconds. Press Ctrl+C to stop. Perfect for watching connections in real time while you test something.

Filtering Output with Findstr

Windows includes findstr for searching text. Pipe netstat output through it:

netstat -ano | findstr "443"

Shows only lines containing “443”. Filter by port, IP address, state, or PID.

Multiple search terms:

netstat -ano | findstr "ESTABLISHED LISTENING"

This shows lines with either word.

Statistics and Summaries

netstat -s

Displays detailed statistics by protocol. You’ll see:

  • Packets sent and received
  • Errors encountered
  • Active connections per protocol
  • Retransmission rates

High error rates or retransmissions indicate network problems. Compare these numbers over time to spot degrading connections.

Interface Statistics

netstat -e

Shows Ethernet statistics including bytes sent/received and errors. Run it twice with time between to calculate throughput:

netstat -e > before.txt

Do something network intensive for a minute.

netstat -e > after.txt

Compare the byte counts to see actual transfer amounts.

Identifying Bandwidth Hogs

Combine netstat with Task Manager’s network column. Run netstat -ab to see which programs have connections. Switch to Task Manager and sort by network usage. Match the high-usage programs with netstat’s connection list to see exactly where data flows.

Common Netstat Errors and Solutions

“Requested Operation Requires Elevation”

Some netstat options need administrator rights. Right-click Command Prompt and select “Run as administrator” before running the command.

The -b option always requires this. The -o option works without elevation but gives more complete results with it.

No Output or Very Limited Output

If netstat shows almost nothing, check:

  • Are you connected to a network? Unplugged cables or disabled WiFi means no connections.
  • Is your firewall blocking everything? Overly restrictive settings prevent normal connections.
  • Did you just restart? Give programs a minute to establish their usual connections.

A computer with zero netstat output has major network problems or no network access.

Output Scrolls Too Fast

Pipe output to the more command:

netstat -a | more

Press space to show the next page. Press Q to quit.

Or save to a file:

netstat -a > output.txt

Open output.txt in Notepad for easier reading.

Cannot Identify Process Name

If netstat -b shows no program names, either:

  • You’re not running as administrator
  • The connection closed before netstat checked it
  • A driver or system process owns the connection (these sometimes hide their names)

Try netstat -abo for the most complete information possible.

Netstat Alternatives and Complementary Tools

TCPView from Microsoft Sysinternals

TCPView provides a graphical interface showing the same information as netstat. It updates in real time and lets you close connections with a right-click. Download it from Microsoft’s Sysinternals suite (https://learn.microsoft.com/en-us/sysinternals/).

I use TCPView when I need to monitor connections for a while. The visual format makes patterns easier to spot.

Resource Monitor (Built into Windows)

Press Windows key + R, type resmon, and press Enter. Click the Network tab. This shows active connections with graphs, making bandwidth usage obvious.

Resource Monitor is easier for beginners than netstat but provides less detailed information.

PowerShell Commands

PowerShell offers modern alternatives:

Get-NetTCPConnection

Shows TCP connections in a structured format. You can filter and sort easily:

Get-NetTCPConnection | Where-Object State -eq "Established"

PowerShell is more powerful for scripting and automation. Netstat remains faster for quick checks.

Security Best Practices with Netstat

Check your connections weekly. Make it a habit like checking your bank account. Run netstat -ab and review the output. You’ll learn what’s normal for your system.

Document your baseline. Save netstat output when your computer is clean and working well. Compare future scans against this baseline. New, unexplained connections deserve investigation.

Investigate high-numbered ports. Legitimate services use standard ports. Malware often picks random high ports. A connection to port 52341 on a foreign IP raises red flags unless you know why it exists.

Verify after removing malware. After cleaning an infection, run netstat to confirm no connections remain. Malware sometimes leaves behind secondary infections that maintain network access.

Monitor server listening ports. If you’re not running servers, you shouldn’t have many listening ports. Malware often opens listening ports for remote access. Unexpected listeners are serious warning signs.

IPv6 Addresses in Netstat

Modern netstat output includes IPv6 addresses. They look like:

TCP    [::1]:52341    [::1]:52342    ESTABLISHED

The double colons represent zeros. ::1 is the IPv6 equivalent of 127.0.0.1 (localhost).

Full IPv6 addresses appear as eight groups of hexadecimal digits:

TCP    [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:443

Most home networks still use IPv4 primarily. IPv6 connections are normal but less common. The same analysis principles apply: check the port, verify the program, and investigate if something seems wrong.

Netstat Command Reference

Command         Purpose                                    Admin Required
netstat         Show active connections                    No
netstat -a      Show all connections and listening ports   No
netstat -b      Show executable names                      Yes
netstat -n      Use numerical addresses                    No
netstat -o      Show process IDs                           No
netstat -r      Display routing table                      No
netstat -s      Show protocol statistics                   No
netstat -e      Show ethernet statistics                   No
netstat -ano    All connections, numerical, with PIDs      No
netstat -ab     All connections with program names         Yes

When Netstat Isn’t Enough

Netstat shows a snapshot. It doesn’t capture packet contents, log historical connections, or analyze traffic patterns deeply.

For serious security analysis, consider:

Wireshark: Captures and analyzes actual network packets. Sees everything netstat misses but requires more expertise.

Network monitoring software: Enterprise tools log all connections over time and alert on anomalies.

Firewall logs: Your firewall records blocked connection attempts that netstat never sees.

Netstat excels at quick diagnostics and regular monitoring. It’s your first tool, not your only tool.

Conclusion

Netstat.exe gives you visibility into network activity that otherwise remains invisible. Every connection your computer makes appears in its output. Learning to read this information helps you troubleshoot problems faster, spot security issues earlier, and understand what your programs really do.

Start simple. Run netstat -ano and read through the output. Recognize the patterns. Notice which programs create which connections. After a few weeks of occasional checks, suspicious activity jumps out immediately.

The commands look cryptic at first. The output feels overwhelming. But netstat follows consistent rules. Once you understand the format, you can diagnose network issues that leave others stumped.

Use netstat regularly. Make it part of your security routine. Your computer’s network activity tells a story. Netstat lets you read it.

Frequently Asked Questions

Is netstat.exe a virus or malware?

No. Netstat.exe is a legitimate Windows system tool. It lives in C:\Windows\System32\ on all Windows installations. Malware occasionally impersonates netstat by using similar names or running from different folders. Check the file location. If netstat.exe is in System32, it’s safe. If it’s in your Downloads folder or somewhere unusual, scan it with antivirus software.

Can I delete netstat.exe to free up space?

Don’t delete it. Netstat.exe is tiny (less than 50 KB) and is part of Windows. Removing system files causes instability and doesn’t meaningfully free space. Windows protects system files anyway, making deletion difficult without special tools. Leave it alone.

Why does netstat show so many connections when I’m not doing anything?

Modern computers maintain constant internet connections for updates, notifications, and background services. Cloud storage syncs files. Email checks for messages. Windows Update downloads patches. Anti-virus software reports status. All of these create connections. Twenty to fifty connections on an idle computer is normal. Hundreds suggest a problem.

How do I close unwanted connections shown in netstat?

Netstat only displays connections. It can’t close them. After identifying a problem connection with netstat, find its process ID (PID) using netstat -ano. Open Task Manager, switch to Details, find that PID, and end the process. This closes all connections that process created. Be careful ending system processes as this can crash Windows.

Does using netstat slow down my computer?

No. Netstat reads existing information from Windows and displays it. The impact is negligible. Running it constantly with short refresh intervals uses slightly more CPU but not enough to notice on modern computers. Even continuous monitoring with netstat -ano 1 causes minimal performance impact.

MK Usmaan