How to Use the Netstat Command on Mac


The netstat command on macOS is a Terminal command used to display detailed information about your Mac's network communications. The network communications include all the ways your Mac is talking to the outside world, across all ports and all applications. After mastering netstat, Mac users can quickly understand what connections their computer is making and why.

Running Netstat

The netstat command is available on Macs by default. It does not need to be downloaded or installed.

To run netstat, open a Terminal window. If you're not familiar with Terminal, it's found at /Applications/Utilities/Terminal.app. Type netstat and press Enter to execute the command.

You'll notice a huge amount of cryptic text will begin scrolling by on your screen. This is normal and expected. Without any additional options, netstat will report all the active network connections on your Mac. Considering the number of functions a modern network device performs, you can expect the list to be lengthy. A standard netstat report can run well over 1000 lines.

Filtering netstat's output is essential to understanding what's happening on your Mac's active ports. You can filter the output with netstat's built-in flags, which set options that limit its scope and output.

Netstat Flags and Options

To see all of netstat's available options, type man netstat at the command prompt. This will reveal netstat's man page. You can also view an online version of the netstat man page.

netstat [-AabdgiLlmnqrRsSvWx] [-c queue] [-f address_family] [-I interface] [-p protocol] [-w wait]

Netstat on macOS does not work the same way as netstat on Windows or netstat on Linux. Using flags or syntax from those implementations of netstat may not result in the expected behavior.

Tip: If the above shorthand looks completely incomprehensible, learn how to read command syntax.

-r displays the routing table, showing how packets are routed around the network.

-p protocol lists traffic associated with a specific networking protocol. While the full list of protocols can be found at /etc/protocols, the more important ones are udp and tcp.

-v increases verbosity, specifically by adding a column showing the process ID (PID) associated with each open port.

-I interface provides packet data for the specified interface. All available interfaces can be listed with the -i flag (note the lowercase letter); en0 is typically the default outgoing network interface.

-g displays information associated with multicast connections.

-s shows the network statistics for all protocols, whether or not they are active.

-n suppresses the labeling of remote addresses with names. This dramatically speeds up netstat's output while sacrificing only limited information.

-a includes server ports in netstat's output, which are not included in the default output.

Netstat Examples

To put our understanding into practice, let's look at some netstat examples.

netstat -av -p tcp

This command will only return TCP connections on your Mac, including open ports and active ports. It will also use verbose output, listing the PIDs associated with each connection.

netstat -a | grep -i "listen"

This combination of netstat and grep will reveal open ports on your Mac. Open ports are ports that are listening for a message. If you're not familiar with the syntax, the pipe character | is used to send the output of one command to another command. We pipe the output of netstat to grep, allowing us to search it for the keyword "listen" and find our results.
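A plain grep for "listen" shows that a port is open but not who can reach it. The following added example (not part of the original article) parses the macOS address.port layout and sorts listeners by the address they are bound to. The function names and the sample output are constructed for illustration.

```shell
# Constructed sample in the layout printed by `netstat -an -p tcp` on macOS.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.52344     198.51.100.7.443       ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.5000      *.*                    LISTEN
EOF
}

# Print "<scope> <proto> <port>" for every LISTEN socket read from stdin.
# macOS netstat writes address.port, so the port is the text after the last dot.
listeners_by_scope() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
    port = $4; sub(/.*\./, "", port)
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "*")                           scope = "all-interfaces"
    else if (addr == "::1" || addr ~ /^127\./) scope = "loopback"
    else                                       scope = "address:" addr
    print scope, $1, port
  }'
}

# Number of listeners that other hosts can reach (anything not loopback-only).
exposed_count() {
  listeners_by_scope | awk '$1 != "loopback"' | wc -l | tr -d ' '
}

# Demo on the sample; on a Mac use: netstat -an -p tcp | listeners_by_scope
sample_netstat | listeners_by_scope
```

Listeners reported as all-interfaces or bound to a LAN address are the ones worth reviewing first, since loopback-only services are not reachable from other machines.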

Accessing netstat through Network Utility

In addition to full-featured use through the Terminal command-line interface, some of netstat's functionality is also accessible through the Network Utility app. This built-in macOS app can be found at /Applications/Utilities/Network Utility.app. Open the app and click on the Netstat tab to access the graphical interface for netstat.

Options within Network Utility are clearly far more limited than those available through the command line. The four radio button selections simply run a preset netstat command and display the output on the screen below.

The netstat commands for each radio button are as follows:

  • Display routing table information runs netstat -r
  • Display comprehensive network statistics for each protocol runs netstat -s
  • Display multicast information runs netstat -g
  • Display the state of all current socket connections runs netstat

Supplementing netstat with lsof

The fact is that the macOS implementation of netstat doesn't include much of the functionality users expect and need. While it has its uses, netstat isn't nearly as useful on macOS as it is on Windows. A different command, lsof, can replace much of the missing functionality.

lsof displays any files currently open by any apps. This can also be used to inspect open ports associated with apps. Run lsof -i, and you'll see a list of all the applications communicating over the internet. This is typically the goal when using netstat on Windows machines. However, the only meaningful way to accomplish that task on macOS is not with netstat, but with lsof.

Displaying every single open file or internet connection is often overwhelmingly verbose. That's why lsof comes with a number of flags for restricting results with specific criteria. There are many useful flags that expand the command's utility. The most important ones are below. For additional reading, including more flags and technical explanations of each flag's implementation, check out lsof's man page or run man lsof at a Terminal prompt.

lsof flags and options

-i displays all open network connections and the name of the process that is using the connection. Adding a 4, as in -i4, will display only IPv4 connections. Adding a 6 instead (-i6) will display only IPv6 connections.

The -i flag can also be expanded to specify further details. -iTCP or -iUDP will return only TCP or UDP connections, respectively. -iTCP:25 will return only TCP connections on port 25. A range of ports can be specified with a dash, as in -iTCP:25-50.

Using -i@1.2.3.4 will return only connections to the IPv4 address 1.2.3.4. IPv6 addresses can be specified in the same fashion. The @ precursor can also be used to specify hostnames in the same way, but both remote IP addresses and hostnames cannot be used simultaneously.

-s typically forces lsof to display file size. But when paired with the -i flag, -s works differently. Instead, it allows the user to specify the protocol and status for the command to return.

-p restricts lsof to a particular process ID (PID). Multiple PIDs can be set by using commas, such as -p 123,456,789. Process IDs can also be excluded with a ^, as in -p 123,^456, which would specifically exclude PID 456.

-P disables the conversion of port numbers to port names, speeding up output.

-n disables the conversion of network numbers to host names. When used with -P above, it can significantly speed up lsof's output.

-u user only returns commands owned by the named user.

lsof examples

As with netstat, working through some examples will help put lsof into practice.

lsof -nP -iTCP@lsof.itap:513

This complex-looking command will list all the TCP connections with the hostname lsof.itap and the port 513. It will also run lsof without converting IP addresses and port numbers to names, making the command run noticeably faster.

lsof -iTCP -sTCP:LISTEN

This will return every TCP connection with the status LISTEN. This reveals all the open TCP ports on your Mac. It also lists the processes associated with those open ports. This is a significant upgrade over netstat, which lists PIDs at most.

sudo lsof -i -u^$(whoami)

Returns all connections not owned by the currently logged-in user. This command is a little different from the others, so we will break it down in detail.

The caret ^ is used for negation. Anything matching the text after the caret will be removed from the results. We get the name of the currently logged-in user by running whoami inside $(), which makes the shell substitute its output as text into the lsof command. Running with sudo allows you to see tasks not owned by yourself. Running this command without sudo will return an empty list.

Other Networking Commands

Other Terminal networking commands that might be of interest in examining your network include arp, ping, and ipconfig.