Using netstat to Monitor Network Connections and Spot Security Issues
netstat ("network statistics") is a command-line tool that lists every active network connection and listening port on your device — which programs are talking to the internet, what they're connected to, and whether anything looks out of place. It's built into Windows, Linux, and macOS, making it one of the fastest ways to check what's actually happening on your network without installing anything extra.
Running It
On Windows, open Command Prompt and run:
netstat -a
On Linux, netstat may need to be installed first (it's been deprecated in favor of ss on many distros):
sudo apt-get install net-tools
On macOS, it's available by default in Terminal — just run netstat directly.
Reading the Output
Each row shows: Protocol (TCP/UDP), Local Address, Foreign Address, and State. For example:
TCP 192.168.1.10:80 93.184.216.34:443 ESTABLISHED
This means your machine has an active connection from local port 80 to a remote server on port 443. ESTABLISHED means the connection is live; LISTENING means a program on your machine is waiting for incoming connections on that port.
The Flags That Actually Matter
-a— show all connections and listening ports-n— show IPs and ports as numbers instead of resolving hostnames (noticeably faster on busy systems)-p(Linux/macOS) — show the program name tied to each connection-b(Windows) — same purpose, shows the executable behind each connection-s— show summary statistics (packets sent/received, errors) instead of a connection list
Combining -a and -n (netstat -an) is the most common everyday use — it's fast and gives you the raw data without waiting on DNS lookups.
Finding What Program Owns a Connection
On Windows:
netstat -anb
This requires admin privileges and shows the executable next to each connection — useful when a port is in use and you need to know which program is holding it.
On Linux/macOS:
netstat -anp
(or use lsof -i if netstat isn't available, since it shows the same information via a different tool)
Practical Troubleshooting Uses
- Port conflicts: If a server won't start,
netstat -aquickly shows whether another process is already using that port. - Slow connections:
netstat -ssurfaces packet error counts, which can point to a flaky network interface or router issue before you go looking elsewhere. - Confirming a service is actually listening: After configuring a new service, checking for it in the `LISTENING` state confirms it started correctly and is bound to the port you expect.
Security: What to Actually Look For
Run netstat -an and scan the Foreign Address column for connections you don't recognize — particularly ones to unfamiliar IPs on unusual high-numbered ports (outside the common 80/443/22 range). If you find one:
- Use
netstat -anb(Windows) ornetstat -anp(Linux/macOS) to identify which program owns that connection. - Look up the foreign IP address using a service like an IP/WHOIS lookup to see who it's registered to.
- If the program or destination looks unfamiliar and unexplained, stop the process and consider a malware scan — netstat itself doesn't detect malware, but it can surface the network activity that leads you to investigate.
This is a useful baseline check, not a replacement for actual antivirus/EDR tools — netstat shows you connections, it doesn't classify them as malicious.
Automating a Periodic Check
To watch established connections over time instead of checking manually, a simple PowerShell loop works:
while ($true) {
netstat -an | Select-String "ESTABLISHED"
Start-Sleep -Seconds 60
}
On Linux/macOS, the equivalent with a basic loop and watch:
watch -n 60 "netstat -an | grep ESTABLISHED"
netstat vs. Newer Alternatives
| Tool | Platform | Notes |
|---|---|---|
| netstat | Windows, Linux, macOS | Universal, but deprecated on some Linux distros in favor of ss |
| ss | Linux | Faster, lower overhead, same core info |
| lsof -i | Linux, macOS | More detail on open files/sockets, steeper learning curve |
netstat remains the most consistent choice across operating systems, which is why it's still worth knowing even though ss is technically faster on Linux.