How to Use the Netstat Command on Mac

See open ports and those in use

The netstat command in macOS is a Terminal command that displays detailed information about your computer's network communications. The network communications include all the ways your Mac is talking to the outside world, across all ports and all applications. Conquering netstat can help you understand the connections your computer is making and why.

Running Netstat

The netstat command is available on Macs by default. You don't need to download or install it.

To run netstat, open a Terminal window at Applications > Utilities > Terminal. Type netstat and press Enter to execute the command.


A huge amount of text will begin scrolling on your screen. If you don't use any of the available flags (see below), netstat will report all of the active network connections on your Mac. Considering the number of functions a modern network device performs, you can expect the list to be lengthy. A standard report can run well over 1000 lines.

Filtering netstat's output is essential to understanding what's happening on your Mac's active ports. Its built-in flags allow you to set options, limiting the command's scope.

Netstat Flags and Options

To see all of netstat's available options, type man netstat at the command prompt to reveal netstat's man page. You can also view an online version of netstat's man page.

"Man" is short for "manual."

Syntax

To add flags and options to netstat, use the following syntax:

netstat [-AabdgiLlmnqrRsSvWx] [-c queue] [-f address_family] [-I interface] [-p protocol] [-w wait]

Netstat on macOS does not work the same way as netstat on Windows and Linux. Using flags or syntax from those implementations of netstat may not result in the expected behavior.

If the above shorthand looks completely incomprehensible, learn how to read command syntax.

Useful Flags

Here are some of the most commonly used flags:

  • -a includes server ports in netstat's output, which are not included in the default output.
  • -g displays information associated with multicast connections.
  • -I interface provides packet data for the specified interface. All available interfaces can be viewed with the -i flag, but en0 is typically the default outgoing network interface. (Note the lowercase letter.)
  • -n suppresses the labeling of remote addresses with names. This dramatically speeds up netstat's output while sacrificing only limited information.
  • -p protocol lists traffic associated with a specific networking protocol. The full list of protocols is available at /etc/protocols, but the most important ones are udp and tcp.
  • -r displays the routing table, showing how packets are routed around the network.
  • -s shows the network statistics for all protocols, whether or not they are active.
  • -v increases verbosity, specifically by adding a column showing the process ID (PID) associated with each open port.

Netstat Examples

Consider these examples:

netstat -avp tcp

This command returns only TCP connections on your Mac, including open ports and active ports. It also uses verbose output, listing the PIDs associated with each connection.

netstat -a | grep -i "listen"

This combination of netstat and grep reveals open ports—ports that are listening for a message. The pipe character | sends the output of one command to another command. Here, the output of netstat pipes to grep, letting you search it for the keyword "listen" and find the results.

Accessing Netstat Through Network Utility

You also can access some of netstat's functionality through the Network Utility app at System > Library > CoreServices > Applications.

Click the Netstat tab to access the graphical interface.


Options within Network Utility are far more limited than those available through the command line. Each of the four radio button selections runs a preset netstat command and displays the output.

The netstat commands for each radio button are as follows:

  • Display routing table information runs netstat -r.
  • Display comprehensive network statistics for each protocol runs netstat -s.
  • Display multicast information runs netstat -g.
  • Display the state of all current socket connections runs netstat.

Supplementing Netstat With Lsof

The macOS implementation of netstat doesn't include much of the functionality users expect and need. Although it has its uses, netstat isn't as useful on macOS as it is on Windows. A different command, lsof, replaces much of the missing functionality.

Lsof displays any files currently open in any apps. You can also use it to inspect app-associated open ports. Run lsof -i, and you'll see a list of all the applications communicating over the internet. This is typically the goal when using netstat on Windows machines; however, the only meaningful way to accomplish that task on macOS is not with netstat, but with lsof.


Lsof Flags and Options

Displaying every single open file or internet connection is typically verbose. That's why lsof comes with flags for restricting results with specific criteria. The most important ones are below.

For information on more flags and technical explanations of each, check out lsof's man page or run man lsof at a Terminal prompt.

  • -i displays all open network connections and the name of the process that is using the connection. Adding a 4, as in -i4, will display only IPv4 connections. Adding a 6 instead (-i6) will display only IPv6 connections.
  • The -i flag also can be expanded to specify further details. -iTCP or -iUDP will return only TCP and UDP connections. -iTCP:25 will return only TCP connections on port 25. A range of ports can be specified with a dash, as in -iTCP:25-50.
  • Using -i@1.2.3.4 will return only connections to the IPv4 address 1.2.3.4. IPv6 addresses can be specified in the same fashion. The @ precursor can also be used to specify hostnames in the same way, but both remote IP addresses and hostnames cannot be used simultaneously.
  • -s typically forces lsof to display file size. But when paired with the -i flag, -s works differently. Instead, it allows the user to specify the protocol and status for the command to return.
  • -p restricts lsof to a particular process ID (PID). Multiple PIDs can be set by using commas, such as -p 123,456,789. Process IDs can also be excluded with a ^, as in 123,^456, which would specifically exclude PID 456.
  • -P disables the conversion of port numbers to port names, speeding up output.
  • -n disables the conversion of network numbers to host names. When used with -P above, it can significantly speed up lsof's output.
  • -u user only returns commands owned by the named user.

lsof Examples

Here are a few ways to use lsof.

lsof -nP -iTCP@lsof.itap:513

This complex-looking command lists all the TCP connections with the hostname lsof.itap and the port 513. It also runs lsof without connecting names to IP addresses and ports, making the command run noticeably faster.

lsof -iTCP -sTCP:LISTEN

This command returns every TCP connection with the status LISTEN, revealing all the open TCP ports on your Mac. It also lists the processes associated with those open ports. This is a significant upgrade over netstat, which lists PIDs at most.
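An added example (not part of the original article): a shell function that condenses the output of lsof -nP -iTCP -sTCP:LISTEN into one line per listener and labels whether each port is bound to every interface, to loopback only, or to one specific address. The sample input is constructed, and the function names and scope labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; the processes,
# PIDs, user name and addresses are made up for illustration.
sample_lsof() {
cat <<'EOF'
COMMAND    PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rapportd   412  alice   4u IPv4 0xa1        0t0  TCP *:49152 (LISTEN)
rapportd   412  alice   5u IPv6 0xa2        0t0  TCP *:49152 (LISTEN)
ControlCe  455  alice  10u IPv4 0xa3        0t0  TCP *:7000 (LISTEN)
postgres   611  alice   7u IPv6 0xa4        0t0  TCP [::1]:5432 (LISTEN)
postgres   611  alice   8u IPv4 0xa5        0t0  TCP 127.0.0.1:5432 (LISTEN)
sshd       101  root    3u IPv4 0xa6        0t0  TCP 192.168.1.20:22 (LISTEN)
EOF
}

# Read lsof output on stdin and print one line per unique listener:
#   <scope> <port> <command> <pid> <user> <bind-address>
classify_listeners() {
  awk '
    $NF != "(LISTEN)" { next }            # drops the header and non-listening rows
    {
      name = $(NF - 1)                    # NAME column, e.g. [::1]:5432
      port = name; sub(/^.*:/, "", port)      # text after the last colon
      addr = name; sub(/:[^:]*$/, "", addr)   # text before the last colon
      if (addr == "*")                                 scope = "ALL-INTERFACES"
      else if (addr ~ /^127\./ || addr == "[::1]")     scope = "LOOPBACK"
      else                                             scope = "ONE-ADDRESS"
      key = scope " " port " " $1 " " $2 " " $3 " " addr
      if (!(key in seen)) { seen[key] = 1; print key } # merge IPv4/IPv6 duplicates
    }' | sort -k1,1 -k2,2n
}

# Ports that other hosts on the network can reach (anything not loopback-only).
exposed_ports() {
  classify_listeners | awk '$1 != "LOOPBACK" { print $2 }' |
    sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample. On a Mac, pipe the real command instead:
#   lsof -nP -iTCP -sTCP:LISTEN | classify_listeners
sample_lsof | classify_listeners
```

Listeners labeled ALL-INTERFACES or ONE-ADDRESS are the ones worth checking against what you expect the Mac to be serving; LOOPBACK entries accept connections only from the machine itself.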

sudo lsof -i -u^$(whoami)

This command returns all connections not owned by the currently logged-in user.

The caret (^) is for negation. Results won't include anything matching the text after the caret. To get the name of the currently logged-in user, run whoami inside $(); the shell replaces $(whoami) with that command's output before lsof runs. Running with sudo lets you see tasks not owned by you. Running this command without sudo returns an empty list.


Other Networking Commands

Other Terminal networking commands that might be of interest in examining your network include arp, ping, and ipconfig.