# Netstat
## What is Netstat
Netstat stands for network statistics. It is a command-line tool available on Windows, Linux, and macOS that displays network connections, routing tables, interface statistics, and other network information. Netstat is useful for troubleshooting network problems, monitoring active connections, identifying which applications are using which ports, and detecting suspicious network activity.
## Displaying Active Connections
Running netstat without options displays all active TCP connections. Each line shows the protocol, the local address and port, the foreign address and port, and the state of the connection. Common TCP states include: ESTABLISHED, meaning the connection is active and data can flow; LISTEN, meaning the port is open and waiting for incoming connections; TIME_WAIT, meaning the connection is closing and waiting for remaining packets to expire; and CLOSE_WAIT, meaning the remote side has closed the connection and the local application has not yet closed its side.
## Netstat Options
The `netstat -a` option shows all connections and listening ports. The `netstat -n` option displays addresses and port numbers numerically without resolving them to names, which is faster. The `netstat -p` option on Linux shows the process name and ID associated with each connection. On Windows the `netstat -b` option shows the executable associated with each connection. The `netstat -r` option displays the routing table. The `netstat -s` option displays statistics for each protocol, including TCP, UDP, IP, and ICMP. The `netstat -i` option on Linux displays interface statistics.
## Using Netstat for Security
Netstat is valuable for detecting suspicious network activity. By examining open ports and active connections, an administrator can identify unexpected services listening for connections. An unexpected listening port may indicate that malware has installed a backdoor. Connections to unusual foreign IP addresses may indicate data exfiltration or command and control communication. Regularly monitoring netstat output, or using it during incident investigation, helps identify security problems.
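As an added example (not code from the original page), the following Python script applies the two checks described above to constructed `netstat -an`-style output embedded inline (not a real capture): it reports LISTEN ports missing from an expected baseline and ESTABLISHED connections whose remote side lies outside trusted networks. The baseline ports and trusted network ranges are assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed `netstat -an`-style output for this example (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:49812          203.0.113.77:443        ESTABLISHED
tcp        0      0 10.0.0.5:49820          198.51.100.9:443        TIME_WAIT
"""

Socket = namedtuple("Socket", "proto local_ip local_port foreign_ip foreign_port state")

def split_addr(addr):
    # Split on the last colon so IPv6 forms such as [::]:22 still parse.
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Parse the TCP lines of netstat -an output into Socket records."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header, UDP and Unix-socket lines are skipped
        lip, lport = split_addr(f[3])
        fip, fport = split_addr(f[4])
        sockets.append(Socket(f[0], lip, int(lport), fip, fport, f[5]))
    return sockets

def unexpected_listeners(sockets, expected_ports):
    """LISTEN ports that are not on the host's documented baseline (assumed set)."""
    return sorted({s.local_port for s in sockets
                   if s.state == "LISTEN" and s.local_port not in expected_ports})

def unknown_peers(sockets, trusted_nets):
    """ESTABLISHED connections whose remote side lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        if not any(ipaddress.ip_address(s.foreign_ip) in n for n in nets):
            hits.append(f"{s.foreign_ip}:{s.foreign_port}")
    return hits
```

Against the sample, `unexpected_listeners(parse_netstat(SAMPLE_NETSTAT), {22, 5432})` flags port 4444 and `unknown_peers(..., ["10.0.0.0/8", "127.0.0.0/8"])` flags the connection to 203.0.113.77:443; real output from `netstat -an` can be fed in the same way.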
## Replacement with ss Command
On modern Linux systems the ss command has largely replaced netstat. The ss command is faster than netstat because it gets information directly from the kernel rather than from the proc filesystem. The syntax is similar to netstat. The command `ss -tlnp` shows listening TCP ports with process information. The ss command provides more detailed TCP socket information than netstat.