What netstat Shows and Why It Matters
netstat (network statistics) gives you a real-time snapshot of your system's network activity. It answers three categories of questions: which ports are your applications listening on, which remote addresses is your machine currently connected to, and how many packets has each protocol sent, received, or dropped since the last reboot. This makes it indispensable when you need to confirm a service is actually listening before testing it, when you want to spot unexpected outbound connections, or when you are diagnosing packet loss by checking error counters.
Because netstat ships with Windows, macOS, and Linux, you can apply the same knowledge across all three platforms — though flag names differ slightly between them. On Linux it is provided by the legacy net-tools package; on Windows and macOS it is built into the OS.
Flag Reference
The most useful flags are listed below. The Linux/macOS column shows short flags; Windows uses the same flag names except where noted.
| Flag (Linux/macOS) | Windows Equivalent | What It Does |
|---|---|---|
-a | -a | Show all connections and listening ports |
-n | -n | Show numeric addresses instead of resolving hostnames |
-t | (filter output manually) | Show only TCP sockets |
-u | (filter output manually) | Show only UDP sockets |
-l | (filter for LISTENING state) | Show only listening sockets |
-p | -o (shows PID only) | Show PID and program name for each socket |
-r | -r | Display the kernel routing table |
-s | -s | Show per-protocol statistics |
Reading netstat -an Output
The most commonly used combination is netstat -an, which shows all sockets with numeric addresses (faster, no DNS lookups). A typical line looks like this:
Proto Local Address Foreign Address State
tcp 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 192.168.1.10:54231 93.184.216.34:443 ESTABLISHED
tcp 192.168.1.10:54229 93.184.216.34:443 TIME_WAITThe Local Address column shows your machine's IP and port. An address of 0.0.0.0:80 means the service is listening on all network interfaces. The Foreign Address shows the remote endpoint. The State column describes the TCP state machine position:
- LISTEN — the socket is waiting for incoming connection requests.
- ESTABLISHED — a two-way connection is active and data can flow.
- TIME_WAIT — the local side has closed the connection but holds the socket open briefly to absorb any late-arriving packets before the port can be reused.
- CLOSE_WAIT — the remote side sent a FIN (finished), but the local application has not yet closed its socket. A large number of CLOSE_WAIT sockets usually points to a resource leak in an application.
Protocol Statistics with netstat -s
Running netstat -s produces a detailed breakdown of counters for each protocol — TCP, UDP, ICMP, and IP. This is useful when you suspect packet loss or retransmissions are affecting performance. Key fields to watch include segments retransmitted (elevated values indicate congestion or a poor path) and receive buffer errors (the kernel had to drop packets because the application was not reading fast enough).
Finding Which Process Owns a Port
On Linux, combine -p with root privileges:
sudo netstat -anp | grep :80This adds a final column showing the PID and program name, for example 1234/nginx. On Windows, use -o to get the PID, then identify the process separately:
netstat -ano | findstr :80
tasklist /fi "PID eq 1234"Viewing the Routing Table
Running netstat -r on any platform prints the kernel routing table — the same information as route print on Windows or ip route on Linux. This shows which gateway your machine uses for each destination network, and is a quick way to confirm a default gateway is configured correctly when diagnosing connectivity failures.
netstat vs ss
On Linux systems with many simultaneous connections, netstat can be slow because it parses files in /proc/net/. The ss command reads data directly from the kernel via a netlink socket, which is dramatically faster. However, netstat has the advantage of working identically on Windows and macOS, where ss is not available. For cross-platform scripts or when working on non-Linux systems, netstat remains the right choice.
Availability and Installation
On Windows, netstat is built into every version and requires no installation. On macOS, it is included with the base system. On Linux, it comes from the net-tools package — install it with sudo apt install net-tools on Debian/Ubuntu or sudo dnf install net-tools on Fedora/RHEL. Note that many minimal Linux server images no longer ship net-tools by default, preferring ss and ip from iproute2 instead.
Frequently Asked Questions
How do I see all listening ports with netstat?
Run netstat -an and look for lines with state LISTEN (Linux/macOS) or LISTENING (Windows). To show only listening ports, use netstat -ln on Linux/macOS or netstat -an | findstr LISTENING on Windows.
How do I find which process is using a port?
On Linux, run sudo netstat -anp | grep :PORT to see the PID and process name. On Windows, run netstat -ano to get the PID, then use tasklist /fi "PID eq PID_NUMBER" to find the process name.
What do the TCP states in netstat output mean?
LISTEN means the port is waiting for connections. ESTABLISHED means an active connection exists. TIME_WAIT means the connection closed but the socket is held briefly to catch delayed packets. CLOSE_WAIT means the remote side closed the connection but the local application has not yet closed its end.
What is the difference between netstat and ss?
Both show socket and connection information. ss is the modern Linux replacement for netstat — it reads data from the kernel's netlink socket directly, making it significantly faster on systems with many connections. netstat is cross-platform (Windows, macOS, Linux), while ss is Linux-only.
Is netstat deprecated?
On Linux, yes. netstat is part of the net-tools package, which is no longer actively maintained. Modern Linux distributions ship ss (from iproute2) as the recommended replacement. On Windows and macOS, netstat remains the standard built-in tool and is not deprecated.
How do I view the routing table with netstat?
Run netstat -r on Linux, macOS, or Windows to display the kernel routing table. This shows the destination networks, gateway addresses, network interface, and routing flags. On Linux you can also use the ip route command for more detail.