Tools - Network
Updated: November 23, 2024

netstat -ano

Show network connections with process IDs for comprehensive monitoring.

Command: netstat -ano

Category: Network

Type: CMD

Purpose

Displays all active network connections and listening ports along with their associated Process IDs (PIDs). Unlike netstat -b, this command doesn't require administrator privileges and provides numerical addresses for faster output.

Quick Summary

See every network connection and listening port on your system with the Process ID responsible for each. Essential for identifying which process is using a specific port, troubleshooting port conflicts, and monitoring network activity without admin rights. Faster than netstat -b because it doesn't resolve hostnames or executable names.

How to Use

  1. Open Command Prompt or PowerShell (no admin rights required).
  2. Type netstat -ano and press Enter.
  3. View all connections with their Process IDs in the rightmost column.

Common variations:

netstat -ano              - All connections with PIDs
netstat -ano | findstr ESTABLISHED  - Only active connections
netstat -ano | findstr :80         - Find what's using port 80 (substring match: also returns :8080, :8000, etc.)
netstat -ano 5            - Refresh every 5 seconds

Tips and Best Practices

  • Use the PID column to identify processes in Task Manager (Details tab).
  • No admin rights needed (unlike netstat -b).
  • Faster than netstat -b because it skips hostname and executable resolution.
  • Combine with tasklist to find process names: tasklist | findstr PID_NUMBER
  • Save output for analysis: netstat -ano > connections.txt
  • Use findstr to filter for specific ports or states.
  • Cross-reference PIDs in Task Manager's Details tab (View > Select Columns > PID).

Understanding the Output

Example output:

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135           0.0.0.0:0              LISTENING       1024
TCP    192.168.1.100:54321   172.217.1.46:443       ESTABLISHED     5432
TCP    192.168.1.100:54322   93.184.216.34:80       TIME_WAIT       0
UDP    0.0.0.0:500           *:*                                    1536

Columns explained:

  • Proto: Protocol (TCP or UDP)
  • Local Address: Your computer's IP:Port
  • Foreign Address: Remote IP:Port (or 0.0.0.0:0 for listening)
  • State: Connection state (TCP only)
  • PID: Process ID of the owning process

Common Use Cases

  • Port conflict resolution: Identify which process is using a specific port.
  • Security monitoring: Spot unexpected connections or listening ports.
  • Performance analysis: Track active network connections per process.
  • Malware detection: Identify suspicious connections by PID, then check the process in Task Manager.
  • Development debugging: Verify applications are listening on correct ports.
  • Network troubleshooting: Understand current network activity and connection states.

Prerequisites

  • Windows Command Prompt or PowerShell
  • No administrator rights required (advantage over netstat -b)
  • Available on all Windows versions

Connection States Explained

TCP States:

  • LISTENING: Port is open, waiting for incoming connections
  • ESTABLISHED: Active connection with data transfer
  • CLOSE_WAIT: Remote end closed the connection; waiting for the local process to close
  • TIME_WAIT: Connection closed, waiting to ensure remote received acknowledgment
  • SYN_SENT: Attempting to establish connection
  • SYN_RECEIVED: Connection request received, responding
  • FIN_WAIT_1/2: Connection closing, waiting for acknowledgment
  • CLOSED: Connection fully closed

UDP: No state shown (UDP is connectionless)

Finding Process Names

Method 1: Using tasklist

netstat -ano | findstr :80
tasklist | findstr 1234

Method 2: PowerShell one-liner

Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess

Method 3: Task Manager

  1. Note the PID from netstat output
  2. Open Task Manager
  3. Go to Details tab
  4. Find process by PID (add PID column if not visible)

Troubleshooting

  • "Port already in use" - Use netstat -ano | findstr :PORT_NUMBER to find which PID is using it.
  • PID 0 shown - System Idle Process or kernel-level networking.
  • PID 4 shown - System process (Windows kernel).
  • Can't find process in Task Manager - Process may have closed; refresh netstat output.
  • Too many TIME_WAIT - Normal after closing many connections; they'll time out automatically.
  • High number of connections - Check PID in Task Manager to identify responsible application.

Common Filters and Examples

Find specific port:

netstat -ano | findstr :8080

Find all ESTABLISHED connections:

netstat -ano | findstr ESTABLISHED

Find all LISTENING ports:

netstat -ano | findstr LISTENING

Find connections for specific IP:

netstat -ano | findstr 192.168.1.50

Continuous monitoring:

netstat -ano 5

(Updates every 5 seconds; press Ctrl+C to stop)

Killing Processes by PID

Once you identify a problematic process:

taskkill /PID 1234 /F

Or in PowerShell:

Stop-Process -Id 1234 -Force

Warning: Only kill processes you recognize; killing system processes can cause instability.

Common PIDs and Their Meanings

  • PID 0: System Idle Process / Kernel
  • PID 4: System (Windows Kernel)
  • PID 8: Memory Compression (Windows 10+)
  • Higher PIDs: User applications and services

Comparing with netstat -b

netstat -ano (what we're discussing):

  • ✅ No admin rights required
  • ✅ Faster output
  • ✅ Shows PIDs directly
  • ❌ Doesn't show executable names
  • ❌ Shows IPs, not hostnames

netstat -b:

  • ❌ Requires admin rights
  • ❌ Slower (resolves executables and hostnames)
  • ✅ Shows executable names directly
  • ✅ Can show hostnames

PowerShell Alternatives

View TCP connections with process info:

Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Include process names:

Get-NetTCPConnection | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort = $_.RemotePort
        State = $_.State
        PID = $_.OwningProcess
        ProcessName = $proc.ProcessName
    }
} | Format-Table

Get UDP endpoints:

Get-NetUDPEndpoint

Monitoring for Security

Check for suspicious activity:

  1. Run netstat -ano regularly
  2. Look for unexpected LISTENING ports
  3. Check for connections to suspicious foreign IPs
  4. Cross-reference unknown PIDs in Task Manager
  5. Investigate unfamiliar process names

Red flags:

  • Unusual high-numbered ports listening
  • Connections to suspicious countries/IPs
  • Unknown processes with multiple connections
  • System processes (PID 4) with unusual network activity
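
An added example (not part of the original page): it parses `netstat -ano` text into objects, handling UDP rows that have no State column and bracketed IPv6 addresses, then applies two of the checks above: an exact local-port lookup and a scan for listeners outside an expected set. The sample output, the `$expectedPorts` allowlist and the function names `ConvertFrom-NetstatAno` and `Find-UnexpectedListener` are assumptions made for illustration.

```powershell
# Constructed sample of `netstat -ano` output (not captured from a real host).
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3300
  TCP    192.168.1.100:54322    93.184.216.34:80       TIME_WAIT       0
  TCP    [::]:49670             [::]:0                 LISTENING       812
  UDP    0.0.0.0:500            *:*                                    1536
'@ -split "`r?`n"

function ConvertFrom-NetstatAno {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $f = -split $Line      # split on runs of whitespace
        if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { return }  # header or blank
        $i = $f[1].LastIndexOf(':')   # last colon, so [::]:49670 parses correctly
        [PSCustomObject]@{
            Proto        = $f[0]
            LocalAddress = $f[1].Substring(0, $i).Trim('[', ']')
            LocalPort    = [int]$f[1].Substring($i + 1)
            Remote       = $f[2]
            # UDP rows have no State column; the PID is always the last field
            State        = if ($f.Count -eq 5) { $f[3] } else { '' }
            PID          = [int]$f[-1]
        }
    }
}

function Find-UnexpectedListener {
    param([object[]]$Connections, [int[]]$Allowed)
    $Connections | Where-Object {
        # Bound UDP endpoints accept traffic too, even though they show no state
        ($_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP') -and
        $_.LocalAddress -notin '127.0.0.1', '::1' -and   # loopback-only is not reachable remotely
        $_.LocalPort -notin $Allowed
    }
}

$conns = $sample | ConvertFrom-NetstatAno
$expectedPorts = 135, 445, 500, 49670   # hypothetical allowlist for this host

# Exact match on the local port: unlike `findstr :80`, ignores :8080 and remote port 80
$conns | Where-Object LocalPort -eq 80 | Format-Table Proto, LocalAddress, LocalPort, State, PID

Find-UnexpectedListener -Connections $conns -Allowed $expectedPorts |
    Format-Table Proto, LocalAddress, LocalPort, PID
```

On a live host, pipe the command itself (`netstat -ano | ConvertFrom-NetstatAno`) instead of `$sample`, then resolve each flagged PID with tasklist or Task Manager as described above.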

Scripting Examples

Save with timestamp:

netstat -ano > "netstat-%date:/=-%_%time::=-%.txt"

Monitor specific port continuously:

@echo off
:loop
cls
echo Monitoring port 80...
netstat -ano | findstr :80
timeout /t 5
goto loop

Alert on new LISTENING ports (PowerShell):

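# Snapshot the listening TCP ports once as the baseline
$baseline = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
while ($true) {
    $current = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
    # '=>' marks ports present now but absent from the baseline (closed ports are ignored)
    $new = Compare-Object $baseline $current | Where-Object SideIndicator -eq '=>'
    foreach ($n in $new) { Write-Host "New listening port detected: $($n.InputObject)" }
    $baseline = $current   # avoid re-alerting on the same port every cycle
    Start-Sleep -Seconds 10
}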

Related Commands

  • netstat -b - Show executable names (requires admin)
  • netstat -r - Display routing table
  • tasklist - List all running processes
  • Get-NetTCPConnection (PowerShell) - PowerShell equivalent
  • TCPView (Sysinternals) - GUI tool for real-time connection monitoring
  • resmon.exe - Resource Monitor with network tab
  • Task Manager - View processes and their network activity