How to View Network Connections with NETSTAT in a Batch Script
Understanding the active network connections on a computer is a critical task for network troubleshooting, security auditing, and system diagnostics. You might need to check if a specific port is open and listening for connections, identify which program is communicating over the network, or simply get a snapshot of all active TCP/IP connections. The standard, built-in command-line utility for this is netstat.exe.
This guide will teach you how to use the netstat command to view network connections and listening ports. You will learn the most important command-line switches for generating script-friendly output and how to filter this output to find the specific information you need, such as the Process ID (PID) that is using a particular port.
The Core Command: netstat.exe
The netstat (network statistics) command is a powerful tool that displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and more. For scripting, we are primarily interested in its ability to list active connections and listening ports.
Basic Example: A Simple Connection List
Running netstat with no arguments will list the active connections for the current user.
C:\> netstat
This shows the protocol (TCP), the local address and port, the foreign (remote) address and port, and the state of the connection.
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.100:49753 server-a:https ESTABLISHED
TCP 192.168.1.100:49754 server-b:https ESTABLISHED
This output uses hostnames, which can be slow to resolve. For scripting, we want a faster, more predictable format.
The Most Useful Switches for Scripting: -ano
For automation and diagnostics, the most powerful combination of switches is -ano.
Command: netstat -ano
- -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
- -n: Displays addresses and port numbers in numerical form. This is much faster as it avoids DNS lookups.
- -o: Displays the owning process ID (owner PID) associated with each connection. This is the key to linking a connection to an application.
The output is the "power user" view, showing everything you need for diagnostics.
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1024
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 192.168.1.100:49753 151.101.65.140:443 ESTABLISHED 8080
TCP [::]:3389 [::]:0 LISTENING 1600
Parsing netstat Output with FINDSTR
The full output of netstat -ano can be very long. The key to using it in a script is to filter it with findstr to find the exact line you need.
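For example, find a specific port (let's check if anything is listening on the Remote Desktop port 3389). Note that findstr matches substrings, so ":3389" also matches a longer port such as 33890 and any remote port in the Foreign Address column: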
netstat -ano | findstr ":3389"
For example, find all listening ports:
netstat -ano | findstr "LISTENING"
Key netstat Parameters Explained
| Switch | Description | Recommended for Scripts |
|---|---|---|
| -a | Show all connections and listening ports. | Yes |
| -n | Show numerical IPs and ports. | Essential. Much faster and more predictable. |
| -o | Show the owning Process ID (PID). | Essential. Links a port to a process. |
| -b | Show the executable name. Requires admin rights and is very slow. | Use with caution, as it can significantly slow down the command. |
| -p <proto> | Show connections for a specific protocol (e.g., TCP, UDP). | netstat -anop TCP |
Common Pitfalls and How to Solve Them
- Administrator Rights for -b: The -b switch (show executable) is incredibly useful, but it requires elevated privileges. If you run netstat -anob as a standard user, you will see "The requested operation requires elevation" or "Can not obtain ownership information" for many processes. Solution: For a full report, you must run your script as an Administrator.
- Performance of -b: Even when run as an administrator, the -b switch is very slow because netstat has to look up the executable name for every single connection. Solution: Avoid using -b if you can. The standard, faster pattern is to use netstat -ano to get the PID and then use a separate tasklist command to find the process name from the PID. This is shown in the example below.
- Firewall Status: netstat only tells you what is happening on the local machine. A port in the LISTENING state is not necessarily accessible from the network. The Windows Firewall is the ultimate gatekeeper. Solution: netstat is a listening check, not a firewall check. Use netsh advfirewall firewall show rule name=all to audit firewall rules.
Practical Example: A Script to Find Which Process is Using a Port
This is the most common and useful script based on netstat. It takes a port number as an argument and tells you exactly which application is listening on that port.
@ECHO OFF
SETLOCAL
REM %~1 strips any surrounding quotes from the argument.
SET "PortToFind=%~1"
IF "%PortToFind%"=="" (
    ECHO [ERROR] Please provide a port number.
    ECHO Usage: %~n0 445
    GOTO :End
)
ECHO --- Searching for process using port %PortToFind% ---
ECHO.
REM Clear both variables so values inherited from the environment are not reported.
SET "PID="
SET "ProcessName="
REM --- Find the PID from netstat ---
REM Keep only LISTENING rows and match ":port" followed by a space, so that
REM port 445 does not also match 4450 or a remote port on an ESTABLISHED row.
REM The 'tokens=5' gets the 5th column, which is the PID.
FOR /F "tokens=5" %%P IN ('netstat -ano ^| findstr /C:"LISTENING" ^| findstr /C:":%PortToFind% "') DO (
    SET "PID=%%P"
)
IF NOT DEFINED PID (
    ECHO [INFO] No process found using port %PortToFind%.
    GOTO :End
)
ECHO Port %PortToFind% is being used by Process ID (PID): %PID%
ECHO.
REM --- Find the process name from the PID ---
ECHO Searching for process name...
FOR /F "tokens=1" %%N IN ('tasklist /FI "PID eq %PID%" /NH') DO (
    SET "ProcessName=%%N"
)
IF DEFINED ProcessName (
    ECHO Process Name: %ProcessName%
) ELSE (
    ECHO Could not find a process name for PID %PID%.
)
:End
ENDLOCAL
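Going beyond the single-port lookup above, the following added example (not part of the original article) applies the same netstat -ano plus tasklist pattern to every listening TCP socket and labels how each one is bound, which is the first thing to check before auditing firewall rules. It assumes English-language netstat and tasklist output; the Name_ cache variables and the Scope labels are this example's own names.

```batch
@ECHO OFF
SETLOCAL EnableDelayedExpansion
REM Added example: inventory of listening TCP sockets with the owning process
REM name and the bind scope of each socket.
REM Assumption: English-language output, which contains LISTENING and INFO:

ECHO Local address / PID / Process / Bind scope
ECHO.

REM Keeping only LISTENING rows guarantees five columns, so token 2 is the
REM local address and token 5 is the PID. UDP rows have no State column.
FOR /F "tokens=2,5" %%A IN ('netstat -ano ^| findstr /C:"LISTENING"') DO (
    SET "Addr=%%A"

    REM Classify the bind address. A loopback listener is not reachable remotely.
    SET "Scope=specific interface"
    IF "!Addr:~0,8!"=="0.0.0.0:" SET "Scope=all IPv4 interfaces"
    IF "!Addr:~0,5!"=="[::]:" SET "Scope=all IPv6 interfaces"
    IF "!Addr:~0,4!"=="127." SET "Scope=loopback only"
    IF "!Addr:~0,6!"=="[::1]:" SET "Scope=loopback only"

    REM Resolve each PID once and cache the result, because tasklist is slow.
    IF NOT DEFINED Name_%%B (
        SET "Name_%%B=unknown"
        REM CSV output quotes every field. The image name is the first field.
        REM The INFO: line that tasklist prints for a missing PID is dropped.
        FOR /F "tokens=1 delims=," %%N IN ('tasklist /FI "PID eq %%B" /NH /FO CSV 2^>NUL ^| findstr /V /B /C:"INFO:"') DO (
            SET "Name_%%B=%%~N"
        )
    )

    ECHO %%A / %%B / !Name_%%B! / !Scope!
)
ENDLOCAL
```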
Conclusion
The netstat command is the essential, built-in tool for inspecting live network connections on a Windows system.
For effective scripting:
- The netstat -ano command provides the most useful information in a script-friendly format.
- Always use the -n switch to get numerical output, which is faster and more predictable.
- Use the -o switch to get the Process ID (PID), which allows you to link network activity to a specific application.
- Pipe the output to findstr to filter the long list down to only the information you need.
- For best results, especially when needing the executable name (-b), run your script as an Administrator.