Use também a opção -b
:
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
exemplo:
$netstat -ab Active Connections Proto Local Address Foreign Address State PID TCP john:epmap john:0 LISTENING 1404 c:\windows\system32\WS2_32.dll C:\WINDOWS\system32\RPCRT4.dll c:\windows\system32\rpcss.dll C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ADVAPI32.dll [svchost.exe] TCP john:3150 18-24-50-20.rdsnet.ro:50087 SYN_SENT 392 [deluged.exe] TCP john:3155 ool-18d24.static.optonline.net:20170 SYN_SENT 392 [deluged.exe] TCP john:3157 69-62-57-59-adsl-tan.dynamic.so-net.net.tw:10365 SYN_SENT 392 [deluged.exe]