How to Find Listening Ports with Netstat and PowerShell

Published:7 April 2021 - 4 min. read

Anthony Metcalf Image

Anthony Metcalf

Read more tutorials by Anthony Metcalf!

Connections between applications work much like conversations between humans. The conversation is started by someone speaking. If no one is listening, then the conversation doesn’t get far. How do you know who’s listening on a Windows PC? The Netstat command-line utility and the PowerShell Get-NetTCPConnection cmdlet.

Not a reader? Watch this related video tutorial!
Not seeing the video? Make sure your ad blocker is disabled.

In this tutorial, you will learn how to inspect listening ports and established TCP connections on your Windows computer with Netstat and the native PowerShell command Get-NetTCPConnection.

Prerequisites

If you’d like to follow along with examples in this tutorial, be sure you have:

  • A Windows PC. Any version will do. This tutorial is using Windows 10 Build 21343.1
  • PowerShell. Both Windows PowerShell and PowerShell 6+ should work. This tutorial us using PowerShell v7.2.0-preview.2

Using Netstat to Find Active and Listening Ports

Netstat is one of those command-line utilities that seems like it’s been around forever. It’s been a reliable command-line utility to inspect local network connections for a long time. Let’s check out how to use it to find listening and established network connections.

Netstat has many different parameters. This tutorial will only use three of them. To learn more about what netstat can do, run netstat /?.

Assuming you’re on a Windows PC:

1. Open up an elevated command prompt (cmd.exe).

2. Run netstat -a to find all of the listening and established connections on the PC. By default, netstat only returns listening ports. Using the -a parameter tells netstat to return listening and established connections.

Run the Netstat -a
Run the Netstat -a

The output above is broken out into four columns:

  • Proto – shows either UDP or TCP to indicate the type of protocol used.
  • Local Address – shows the local IP address and port that is listening. For many services, this will be 0.0.0.0 for the IP part, meaning it is listening on all network interfaces. In some cases, a service will only listen on a single Network Interface (NIC). In that case, netstat will show the IP address of the NIC. A colon separates the IP address from the port that it is listening on.
  • Foreign Address – shows the remote IP address the local connection is communicating with. If the Foreign Address is 0.0.0.0:0, the connection is listening for all IPs and all ports. For established connections, the IP of the client machine will be shown.
  • State – shows the state the port is in, usually this will be LISTENING or ESTABLISHED.

3. Now run netstat -an. You should now see that any names in the output have been turned into IP addresses. By default, netstat attempts to resolve many IP addresses to names.

run netstat -an
run netstat -an

4. Finally, perhaps you’d like to know the Windows processes that are listening or have these connections open. To find that, use the -b switch.

Using the -b switch requires an elevated command prompt or PowerShell prompt. You will get the error The requested operation requires elevation if you use the -b switch in a non-elevated prompt.

netstat -anb
netstat -anb

Using PowerShell to Find Active and Listening Ports

Now that you’ve got a chance to see how the old-school netstat utility shows active and listening ports, let’s see how to do it in PowerShell.

Using PowerShell gives you a lot more control to see just what you want, rather than having to scroll through long lists of output. The Get-NetTCPConnection cmdlet is much more specific than netstat about what you want to see.

This tutorial isn’t going to cover all of the parameters that come with the Get-NetTCPConnection cmdlet. If you’re curious, run Get-Help Get-NetTCPConnection -Detailed to discover more examples.

On your Windows PC:

1. Open up a PowerShell console as administrator.

The only reason you need to elevate a PowerShell console is to see the program that owns the connection (like the netstat -b parameter).

2. Run Get-NetTcpConnection. You’ll see output similar to what netstat provided. Instead of just a big string of output, Get-NetTcpConnection returns a list of PowerShell objects.

You can now see the same general information that netstat provided you by now; by default, you have information on the OwningProcess (the -b switch on netstat) and the AppliedSetting field, which relates to the network profile the connection is a part of.

Unlike netstat, the Get-NetTCPConnection cmdlet will now show listening UDP connections.

Get-NetTCPConnection
Get-NetTCPConnection

3. Pipe the output to Select-Object showing all properties. You’ll see PowerShell returns a lot more information that netstat did.

Get-NetTCPConnection | Select-Object -Property *
Pipe the output to Select-Object
Pipe the output to Select-Object

4. Now, narrow down the output to just listening ports.

Get-NetTCPConnection -State Listen
narrow down the output
narrow down the output

5. Now, find the process names for the OwningProcess fields. To do that, run the Get-Process cmdlet and provide the process ID as shown below.

Get-Process -Id 692
Get-Process cmdlet
Get-Process cmdlet

If you’d like to create another property for the process name, you could optionally use a Select-Object calculated field.

Get-NetTCPConnection | Select-Object -Property *,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}}

6. Narrow down the states to a bit more by finding Listening and Established states by defining the State parameter value as a comma-delimited list.

Get-NetTCPConnection -State Listen,Established

7. Finally, limit the connections down by the port the connection is connected to with the RemotePort parameter.

Use the LocalPort parameter to filter connections by local port. Get-NetTCPConnection -RemotePort 443

Get-NetTCPConnection -RemotePort 443
RemotePort parameter
RemotePort parameter

Conclusion

You have now seen how the Netstat utility and the Get-NetTCPConnection PowerShell cmdlet help you find local network connections.

Now that you can show the processes running on a server combine this with the Test-NetConnection PowerShell cmdlet to get an end-to-end view of connectivity between a client and server.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!