Mastering netstat: Advanced Tips for Network Monitoring and Troubleshooting on Windows/Linux/Mac


Netstat remains one of the most versatile network utilities across platforms. While newer tools like ss (socket statistics) have emerged on Linux, netstat's cross-platform availability makes it essential for sysadmins and developers alike. Here's how to leverage its full potential.

To list established connections together with the process that owns each one (Windows example; findstr keeps only the matching lines, so the "Active Connections" banner and the Proto / Local Address / Foreign Address / State / PID header are not printed):

netstat -ano | findstr ESTABLISHED
  TCP    192.168.1.100:49678    45.33.82.147:443      ESTABLISHED     4876

The foreign address and the PID are the two columns to chase: look the PID up with tasklist and decide whether that program has any business talking to that host.

Key flags:

  • -a: Show all sockets, including listening ports
  • -n: Display addresses and ports numerically (faster, and avoids reverse-DNS lookups that would announce the addresses you are investigating to whoever runs the resolver)
  • -o: Show the owning process ID

Netstat does not show real-time bandwidth, but wrapping it in watch gives a live view of connections on Linux (-a already includes listeners, so -l adds nothing; the grep drops the IPv4 and IPv6 wildcard listeners, and -p only attributes other users' sockets when run as root):

watch -n 1 "netstat -tunap | grep -vE '0\.0\.0\.0|:::'"
Every 1.0s: netstat -tunap | grep -vE '0\.0\.0\.0|:::'

tcp6       0      0 2001:db8::1:5432     2001:db8::2:42351    ESTABLISHED 1234/postgres

Filter by protocol and address family on macOS (the BSD netstat has no PID column; add -n to keep ports numeric instead of resolving 443 to "https", or use netstat -anv or lsof -i when you need the owning process):

netstat -p tcp -f inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.15.5223     17.253.34.204.https   ESTABLISHED

View detailed routing information (Windows):

netstat -rn
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.15     25

Cross-reference the PID with tasklist (Windows) or ps (Linux). On Linux also compare /proc/<pid>/exe with the program name netstat printed: a binary that was deleted or renamed after it started is a classic sign of something trying to hide.

# Windows (findstr 1234 also matches port numbers, so read the PID column)
netstat -ano | findstr 1234
tasklist /FI "PID eq 1234"

# Linux (root is needed for -p to attribute sockets owned by other users)
sudo netstat -tulnp | grep 5432
ps -p 1234 -o comm=

Create a monitoring script (Linux bash example; the awk keeps the two netstat header lines and every ESTABLISHED row, and -p needs root to attribute every socket):

#!/bin/bash
while true; do
  clear
  date
  echo "=== Active Connections ==="
  netstat -tunap | awk 'NR<=2 || /ESTABLISHED/'
  sleep 5
done
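As an added example (not code from the article), the same triage done by a function rather than by eye: it reads netstat -tunap output and prints only the rows worth chasing, carrying the PID/program column netstat already attaches so the ps cross-reference can start from the PID. The function name and the sample output are constructed for this example; the filters generalize the article's ESTABLISHED grep to peers outside private ranges and to wildcard listeners, and treat IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as their IPv4 form.

```bash
#!/bin/bash
# Added example (not from the article): triage `netstat -tunap` output.
# Flags ESTABLISHED TCP connections whose peer is outside private/loopback
# ranges, and TCP/UDP sockets bound to the wildcard address. The function
# name and the sample below are this example's own.
triage_netstat() {   # stdin: netstat -tunap text -> "<reason> <proto> <local> <peer> <pid/program>"
  awk '
    # RFC 1918, loopback, link-local and ULA count as internal; IPv4-mapped
    # IPv6 peers (::ffff:a.b.c.d) are checked as their IPv4 form
    function is_private(ip) {
      sub(/^::ffff:/, "", ip)
      return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^127\./ ||
             ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || ip == "::1" ||
             ip ~ /^fe80:/ || ip ~ /^f[cd]/
    }
    # netstat prints addr:port for IPv4 and IPv6 alike; the port follows the last colon
    function host(ap) { sub(/:[^:]*$/, "", ap); return ap }
    function is_wild(ap,   h) { h = host(ap); return h == "0.0.0.0" || h == "::" }
    NR <= 2 { next }                                   # banner + column header
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" && !is_private(host($5)) {
      print "EXTERNAL_PEER", $1, $4, $5, $7
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" && is_wild($4) {
      print "WILDCARD_LISTENER", $1, $4, $5, $7
    }
    # UDP rows have no State column, so the PID/program is the last field
    $1 ~ /^udp/ && is_wild($4) {
      print "WILDCARD_LISTENER", $1, $4, $5, $NF
    }
  '
}

# Constructed sample in the Linux net-tools layout (not captured from a real host)
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1234/postgres
tcp        0      0 192.168.1.100:49678     45.33.82.147:443        ESTABLISHED 4876/curl
tcp        0      0 192.168.1.100:5432      192.168.1.20:42351      ESTABLISHED 1234/postgres
tcp6       0      0 :::8080                 :::*                    LISTEN      2201/java
tcp6       0      0 ::ffff:192.168.1.100:8080 ::ffff:192.168.1.20:50000 ESTABLISHED 2201/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           901/dhclient
udp6       0      0 ::1:323                 :::*                                700/chronyd'

# Prints four findings: the sshd, java and dhclient wildcard listeners and the
# curl connection to 45.33.82.147; the postgres rows are internal and stay quiet.
printf '%s\n' "$SAMPLE" | triage_netstat
# Live use on a host: sudo netstat -tunap | triage_netstat
```

Everything it reports still needs a human decision (a public web server listening on 0.0.0.0:443 is expected), but it turns a page of rows into the handful that deserve a tasklist/ps lookup.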

Netstat (network statistics) is a command-line tool available on Windows, Linux, and macOS that lists sockets, routing tables and protocol statistics. The usual starting invocation on each platform:

# Linux (net-tools package)
netstat -tulnp

# Windows
netstat -ano

# macOS (BSD version)
netstat -anv

Netstat reports no per-process throughput on any platform. The closest built-in views are queue depths and counters:

# Linux: Send-Q (column 4, because asking for both -t and -u makes ss print the
# Netid column) is bytes sent but not yet acknowledged; largest first. Add -i for
# per-socket bytes_acked/bytes_received counters.
ss -tup | sort -k4 -n -r

# Windows: interface-wide byte counters refreshed every second (per-process
# attribution needs Resource Monitor, not netstat)
netstat -e 1 | findstr "Bytes"

Detect suspicious connections with these forensic patterns:

# Linux: listening and established TCP sockets with the owning process (root shows every PID)
sudo netstat -tnap | grep -E 'LISTEN|ESTABLISHED'

# Windows: established connections, dropping any line that mentions the IPv6 wildcard
# literal (/C: makes findstr match "[::]" literally; without it the brackets are a
# character class that matches any colon, and /V would then discard every line)
netstat -ano | findstr "ESTABLISHED" | findstr /V /C:"[::]"

For complex network troubleshooting:

# Routing table, numeric. The grep hides every row containing 0.0.0.0: the default
# route and, on Linux, directly connected networks (gateway printed as 0.0.0.0), so
# only routes through an explicit gateway remain
netstat -rn | grep -v "0.0.0.0"

# Continuous histogram of TCP states (NR>2 skips the two header lines; -t keeps
# UDP and UNIX sockets, which have no State column, out of the count)
watch -n 1 "netstat -ant | awk 'NR>2 {print \$6}' | sort | uniq -c"

Identify connection bottlenecks. These are cumulative counters since boot, not per-connection values, so compare two readings taken a few seconds apart; per-connection retransmit counts come from ss -ti:

# Linux: aggregate TCP retransmission counter (net-tools prints the line as
# "segments retransmited", so match on the stem "retransmit")
netstat -s | grep -A 10 "Tcp:" | grep "retransmit"

# Windows: TCP segment counters (Received, Sent, Retransmitted)
netstat -s -p tcp | findstr "Segments"
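As an added example (not from the article), the two Linux counters turned into a percentage, once cumulatively since boot and once over an interval, which is the number you actually want when deciding whether retransmissions are a problem right now. The readings below are constructed in the net-tools wording (including its "send out" and "retransmited" spellings); the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the article): derive a TCP retransmission percentage
# from the cumulative counters `netstat -s` prints on Linux (net-tools wording).
# Function names and the two readings below are constructed for this example.
tcp_seg_counters() {   # stdin: netstat -s text -> "<segments sent> <segments retransmitted>"
  awk '
    /^Tcp:/     { in_tcp = 1; next }
    /^[A-Za-z]/ { in_tcp = 0 }              # any other section header ends the Tcp: block
    in_tcp && /segments sen[dt] out/ { sent = $1 }     # "send out" in net-tools
    in_tcp && /segments retransmit/  { retrans = $1 }  # "retransmited" in net-tools
    END { print sent + 0, retrans + 0 }'
}

pct() {   # $1 = denominator, $2 = numerator -> percentage with 2 decimals, or n/a
  awk -v d="$1" -v n="$2" 'BEGIN { if (d <= 0) print "n/a"; else printf "%.2f\n", 100 * n / d }'
}

tcp_retrans_pct() {   # $1 = netstat -s text -> percentage since boot
  set -- $(printf '%s\n' "$1" | tcp_seg_counters)
  pct "$1" "$2"
}

tcp_retrans_delta_pct() {   # $1 = earlier reading, $2 = later reading -> percentage over the interval
  set -- $(printf '%s\n' "$1" | tcp_seg_counters) $(printf '%s\n' "$2" | tcp_seg_counters)
  pct "$(($3 - $1))" "$(($4 - $2))"
}

# Constructed readings (not from a real host): 500 more segments sent between
# them, 30 of which were retransmissions
READING_T0='Ip:
    12345 total packets received
Tcp:
    9 active connections openings
    0 passive connection openings
    1195 segments received
    1000 segments send out
    8 segments retransmited
    0 bad segments received.
    0 resets sent
Udp:
    300 packets received'
READING_T1='Ip:
    20000 total packets received
Tcp:
    12 active connections openings
    0 passive connection openings
    1900 segments received
    1500 segments send out
    38 segments retransmited
    0 bad segments received.
    0 resets sent
Udp:
    450 packets received'

tcp_retrans_pct "$READING_T1"                        # cumulative: 38/1500
tcp_retrans_delta_pct "$READING_T0" "$READING_T1"    # interval:   30/500
# Live use: tcp_retrans_delta_pct "$(netstat -s)" "$(sleep 10; netstat -s)"
```

The cumulative figure here is 2.53% while the interval figure is 6.00%: a host that has been up for weeks can hide a bad hour inside a healthy-looking lifetime average, which is why the delta is the one to alert on.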

Automate a connection count with a loop on each platform (two separate scripts, one per shell, not one portable script):

#!/bin/bash
# Count established TCP connections every 5 seconds
while true; do
  netstat -ant | grep -c "ESTABLISHED"
  sleep 5
done

@REM Windows batch equivalent
:loop
netstat -an | find /C "ESTABLISHED"
timeout /t 5 /nobreak >nul
goto loop

When netstat is missing (net-tools is no longer installed by default on many Linux distributions):

# Use ss from iproute2
ss -ltupn

# Or lsof for process-specific info
lsof -i -P -n | grep LISTEN