← Back to Blog

netstat on Mac: The Complete Guide

How to use netstat on macOS to see ports, connections, routing, and network stats, plus why macOS netstat can't show process names and what to use instead.

netstat is one of the oldest network tools on a Mac, and one of the most misunderstood, because the macOS version behaves differently from the Linux version people usually copy commands from. Here’s how it actually works on macOS, what it’s good at, and where it falls short.

The most important thing to know first

macOS netstat is the BSD version, not the Linux (GNU) one. The single biggest consequence: macOS netstat does not show process names or PIDs. The Linux trick everyone pastes, netstat -tulpn, does not work on a Mac. The -p flag means something completely different here (it selects a protocol, not “show process”).

So if your goal is “which app is using this port,” netstat alone can’t answer it on macOS. You’ll need lsof for that, covered below.

List listening ports

The closest macOS equivalent to the classic “show me what’s listening”:

netstat -an | grep LISTEN

Sample output:

tcp4   0   0  *.3000        *.*        LISTEN
tcp4   0   0  127.0.0.1.5432  *.*      LISTEN
tcp6   0   0  *.8080        *.*        LISTEN

Flag breakdown:

  • -a: show all sockets, including listening ones
  • -n: show numeric addresses and ports (don’t resolve names, much faster)

Add a protocol filter to cut the noise:

# TCP only
netstat -an -p tcp | grep LISTEN

# UDP only
netstat -an -p udp

Here -p selects the protocol, this is the macOS meaning, not the Linux “process” meaning.

See all active connections

Drop the grep to see established connections too, not just listeners:

netstat -an -p tcp

The State column tells you what each connection is doing: LISTEN, ESTABLISHED, TIME_WAIT, CLOSE_WAIT, and so on.

Other things netstat is genuinely good at

Where macOS netstat shines is the network-level views that lsof doesn’t give you:

Routing table (which interface traffic takes):

netstat -rn

Per-interface statistics (packets in/out, errors, drops):

netstat -i

Protocol statistics (TCP retransmits, UDP errors, etc.):

netstat -s

# Just TCP stats
netstat -sp tcp

These are the commands worth keeping netstat around for. For “what’s listening and who owns it,” there are better tools.

What netstat can’t do: name the process

This is the wall everyone hits. netstat shows that something is listening on port 3000, but not what. To get the process name and PID on macOS, use lsof:

sudo lsof -iTCP -sTCP:LISTEN -n -P

COMMAND   PID   USER   ...  NODE NAME
node     1421  aaron   ...  TCP *:3000 (LISTEN)
postgres 1803  aaron   ...  TCP 127.0.0.1:5432 (LISTEN)

Now you can see node owns port 3000. For a specific port:

sudo lsof -i :3000 -n -P

See how to list open ports on Mac for the full lsof walkthrough, and which app is using a port if that’s all you need.

Quick reference

GoalCommand
Listening portsnetstat -an | grep LISTEN
All TCP connectionsnetstat -an -p tcp
Routing tablenetstat -rn
Interface statsnetstat -i
Protocol statsnetstat -s
Which process owns a portsudo lsof -i :PORT -n -P

Skip the flags entirely

If you mostly reach for netstat to answer “what’s open and who owns it,” Portie does that without any command at all. It shows every open TCP and UDP port on your Mac, the owning app, the protocol, and the connection state, in one live table that refreshes every 3 seconds, the process names netstat can’t give you, right there in the list.

Local monitoring is free. The $8.99 one-time unlock adds one-click process termination and remote port scanning. Download Portie and leave the netstat flags behind.

Try Portie Free

See every open port on your Mac, which app owns it, and kill processes from the list.

Download Free