Back to docs
Tools - NetworkUpdated: November 23, 2024

netstat -bq

See which apps are using network connections and listening ports.

netstat -bq

Command: netstat -bq

Category: Network

Type: CMD-Admin

Purpose

Displays all active network connections and listening ports, along with the executable programs (binaries) responsible for each connection. The -b parameter shows the executable name, while -q provides a quick listing format. Requires administrator privileges.

Quick Summary

See exactly which programs are using the network and which ports they're listening on. Essential for identifying bandwidth hogs, spotting suspicious network activity, troubleshooting connection issues, and understanding your system's network behavior. Combines connection information with the responsible process names.

How to Use

  1. Open Command Prompt as Administrator.
  2. Type netstat -bq and press Enter.
  3. View the list of connections with associated executable names.

Note: The command may take a few seconds to gather all information.

Tips and Best Practices

  • Always run as Administrator - Required for -b parameter to show executable names.
  • Use netstat -bqn to show IP addresses instead of resolving hostnames (faster).
  • Use netstat -bqa to include listening ports (not just active connections).
  • Pipe to more for easier reading: netstat -bq | more
  • Save output to file for analysis: netstat -bq > connections.txt
  • Look for unfamiliar executables that may indicate malware or unwanted software.
  • Monitor regularly to establish baseline of normal network activity.

Common Parameter Combinations

Show all connections with executables:

netstat -ab

Quick format without resolution (fastest):

netstat -bqn

Show all including listening ports:

netstat -bqa

Continuous monitoring (refresh every 5 seconds):

netstat -bq 5

Show with process ID:

netstat -bqo

Understanding the Output

Columns:

  • Proto: Protocol (TCP or UDP)
  • Local Address: Your computer's IP and port (or hostname:port)
  • Foreign Address: Remote IP and port you're connected to
  • State: Connection state (ESTABLISHED, LISTENING, TIME_WAIT, etc.)
  • Executable: Name of the program using the connection (appears in brackets)

Example output:

TCP    192.168.1.100:54321    172.217.1.46:443    ESTABLISHED
[chrome.exe]

TCP    0.0.0.0:135           0.0.0.0:0           LISTENING
[svchost.exe]

Common Use Cases

  • Security auditing: Identify suspicious or unauthorized network connections.
  • Malware detection: Spot unexpected programs connecting to the internet.
  • Bandwidth troubleshooting: Find which application is consuming network bandwidth.
  • Port conflicts: Identify which program is using a specific port.
  • Connection debugging: Verify that applications are connecting to correct endpoints.
  • Firewall configuration: Determine which programs need firewall rules.

Prerequisites

  • Administrator rights required (for -b parameter to show executable names)
  • Windows Command Prompt or PowerShell
  • Available on all Windows versions

Connection States Explained

  • ESTABLISHED: Active connection with data transfer
  • LISTENING: Port is open and waiting for connections
  • CLOSE_WAIT: Remote side closed connection, local side closing
  • TIME_WAIT: Connection closed, waiting for remaining packets
  • SYN_SENT: Attempting to establish connection
  • SYN_RECEIVED: Connection request received, establishing
  • FIN_WAIT_1/2: Connection is closing

Troubleshooting

  • "Access denied" - Must run Command Prompt as Administrator for -b parameter.
  • "The requested operation requires elevation" - Same as above; run as Admin.
  • Very slow output - Add -n parameter to skip hostname resolution: netstat -bqn
  • Too much output - Filter with findstr: netstat -bq | findstr "chrome"
  • Can't find specific program - Program may not be actively connected; use -a to see listening ports too.
  • Port shown but no program - May be a system process; use -o to see PID and check Task Manager.

Filtering and Searching

Find connections for specific program:

netstat -bq | findstr /i "chrome"

Find what's using specific port:

netstat -bqn | findstr ":80 "

Show only ESTABLISHED connections:

netstat -bq | findstr "ESTABLISHED"

Show only LISTENING ports:

netstat -bqa | findstr "LISTENING"

Security Monitoring

Red flags to watch for:

  • Unknown executables with active connections
  • Connections to suspicious IP addresses or countries
  • Unexpected listening ports (especially low numbered ports)
  • Multiple connections from system processes to internet
  • Connections from system folders you don't recognize

Common legitimate connections:

  • chrome.exe, firefox.exe - Web browsers
  • svchost.exe - Windows services (many instances normal)
  • explorer.exe - Windows Explorer (occasional updates)
  • OneDrive.exe - Cloud sync service
  • Teams.exe, slack.exe - Communication apps

Alternative Commands

PowerShell equivalent with more detail:

Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Show process names in PowerShell:

Get-NetTCPConnection | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort = $_.RemotePort
        State = $_.State
        ProcessName = $proc.ProcessName
    }
}

Resource Monitor (GUI alternative):

resmon.exe

Then go to Network tab for visual representation.

  • netstat -ano - Show connections with process IDs (no executable names)
  • tasklist - List all running processes
  • TCPView - Sysinternals tool with GUI for real-time connection monitoring
  • resmon.exe - Resource Monitor with network tab
  • wireshark - Advanced packet capture and analysis
  • Windows Firewall - Control which programs can access network