Guide Using Netstat to troubleshoot network issues and identify


Ultimate Vision

Level 2
Thread author
Sep 3, 2023
55
How to use netstat on Windows or Linux in Command Terminals.

Open either Windows command with elevated privileges "Run As Admin" or the Linux terminal in su "switch user" and type "netstat" and hit enter.

To help you understand what you are viewing if you are new to this, here is a brief list of explanations.

Proto: The network Protocol. It will either be TCP or UDP.
Local Address: The IP addresses and ports of your computer's network interfaces for the given connections.
Foreign Address: The IP addresses and port names of the remote devices.
State: Indicates the state of the connection, whether it's active or closed, etc.

Additional commands to help specify details in a targeted manner.

netstat -n
Used to view connections' port numbers instead of port names next to an IP address.

netstat -n 5
Since the system can and does disconnect and connect to networks, the details will change at intervals. This command is used to refresh netstat at intervals. The 5 in the command can be changed to another number to lengthen or shorten intervals.
Keep in mind that when you start a process as such, "Control C" will stop that process in a terminal on both Windows and Linux.

netstat -a
Will display all connections that are active or inactive.

netstat -b
Will show statistics of incoming and outgoing packets.

netstat -e
Will show you fully qualified domain names instead of port numbers or names.

netstat -f
Will change foreign address names to port numbers.

netstat -s
Similar to the "route Print" command, it shows the routing table of your current network.

These are just some of the basic commands to get you started with the built-in tool. You can combine parameters to show you information about your connections any way you want. For instance, you can combine -s and -e parameters to view the statistics for every protocol. Resources are available all over the internet to help you further learn and utilize these powerful built-in tools.

You can also type netstat -help in the terminal to see basic commands and options.
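An added example, not part of the original post: a small Python parser for the Proto / Local Address / Foreign Address / State columns described above, which counts connections per state and lists ESTABLISHED peers outside loopback and private ranges. It assumes numeric output (`netstat -an` on Windows, `netstat -ant` on Linux); the sample rows and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of Windows `netstat -an` (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.20:49801     203.0.113.45:443       ESTABLISHED
  TCP    192.168.1.20:49802     198.51.100.7:8443      TIME_WAIT
  TCP    [::1]:49670            [::1]:5354             ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Treated as local: loopback, RFC 1918 private, link-local, IPv6 unique-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")  # port follows the last colon
    return host.strip("[]"), port

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples for Windows or Linux netstat -n output."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        endpoints = [c for c in cols[1:] if ":" in c]  # skips Linux Recv-Q/Send-Q columns
        if not cols or not cols[0].lower().startswith(("tcp", "udp")) or len(endpoints) < 2:
            continue  # banner, header or unrelated line
        state = cols[-1] if ":" not in cols[-1] else ""  # UDP rows carry no state
        rows.append((cols[0].upper(), *map(split_endpoint, endpoints[:2]), state))
    return rows

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or a resolved name (output taken without -n)
        return False
    return not ip.is_unspecified and not any(ip in net for net in LOCAL_NETS)

def summarize(text):
    """Count rows per state and list ESTABLISHED peers outside the local ranges."""
    rows = parse_netstat(text)
    states = Counter(state or "(stateless)" for *_, state in rows)
    external = sorted({foreign for _, _, foreign, state in rows
                       if state == "ESTABLISHED" and is_external(foreign[0])})
    return states, external
```

`summarize(SAMPLE)` returns the per-state counts and the list of non-local established peers; feed it saved netstat output to review a real host.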
 

Ultimate Vision

Level 2
Thread author
Sep 3, 2023
55
@Max90 While I appreciate your enthusiasm and initiative, displaying your localhost "local address" openly in a security forum may not be the best idea. It is one of the reasons I did not make the post above with "pictures" to display the guide.

Please do continue to learn the built-in tool though, as it is invaluable in learning what ports do what and where and how processes use them to communicate. Troubleshooting issues then becomes simpler. Finding processes connecting "phoning home" becomes simpler. It is an analysis tool, and a very handy one at that. You can change port numbers to port names with simple variations of the netstat scan.
 

Max90

Level 17
Verified
Nov 9, 2022
821
No worries, I have enough protection :) strong router security (see my setup) and firewall with lots of hardened settings (even had an extra hardening of which VictorM was not aware of). So I am good.
 

Ultimate Vision

Level 2
Thread author
Sep 3, 2023
55
No worries, I have enough protection :) strong router security (see my setup) and firewall with lots of hardened settings (even had an extra hardening of which VictorM was not aware of). So I am good.
Nothing will land a user in more trouble than thoughts of invincibility and a careless attitude. The first step in initiating an attack on a user is knowing their whereabouts. If you hand the global community your localhost address, you have just administered their first step for them.

Onto your network and "Home Care" security. I have just read on your profile, your network has already been breached once. This stands to fortify what I'm trying to convey.

There are many variables when it comes to network security on its strengths, but rest assured, a determined attacker will most likely find a way.

Let's discuss security protocols of the network. Which protocol are you utilizing on tplink? Is it WEP, WPA/WPA2/WPA3, HTTPS, IPSEC? They all have their strengths and weaknesses, such as encryption strength, vulnerabilities, authentication mechanisms, compatibility, and ongoing support and updates.

While having IPS built into the software you're using to secure the router, it's important to note how an IPS works, and the difference between it and an IDS.

The main point I would like to share is that when an IPS has a packet show up, it looks through its rule list, looking for a reason to drop the packet. In this list at the very end, though, is an implicit "pass" rule: "which will allow this packet through." In the absence of a reason to drop the traffic, the IPS passes it through. IPS is basically a "control tool".

IDS is more of a "visibility tool", a traffic analyzer that monitors at many points. IDS looks deeper in the network, giving the admin a window, so to say, to peer through.

The "Intrusion" part of either of IPS or IDS is vague though as to what an intrusion truly is.

Both IDS and IPS are not very good at catching true intruders. An IPS will block known attacks well, but most of those attacks are either network reconnaissance or automated scans, looking or scouting systems to infect -- hardly "intrusions" in the classic sense of the word. The best defense involved in this scenario is the firewall that should block inappropriate traffic into the network in the first place and user experience knowledge and uses of. Even this will not be 100%.
 
