See what process is using a TCP port

By Rick Vanover, Special to ZDNet Asia
Tuesday, November 04, 2008 02:08 PM

Windows admins may have to track down errant processes and then match them to network traffic. Here are scripts that aid connectivity forensics at the port and process level.

You may find yourself frequently turning to network tools to determine traffic patterns from one server to another; Windows Server 2008 (and earlier versions of Windows Server) lets you get that information about its own connections locally.

You can combine the netstat and tasklist commands to determine what process is using a port on the Windows Server.

The following command shows which network connections are in use at the port level:

netstat -a -n -o

The -o parameter displays the process identifier (PID) associated with each port; -a lists all connections and listening ports, and -n shows addresses and port numbers in numeric form. This command produces output similar to Figure A.

Figure A

With the PIDs listed in the netstat output, you can follow up in Windows Task Manager (taskmgr.exe) or run a script against a specific PID that is using a port from the previous step. You can then use the tasklist command with the PID that corresponds to the port in question.

In the previous example, ports 5800 and 5900 are used by PID 1812, so running the tasklist command for that PID shows you the process using the ports. Figure B shows this query.

Figure B

This identifies VNC as the process using the ports. While a quick Google search on the port numbers might give the same result, this procedure can be extremely helpful when you're trying to identify a viral process that may be running on the Windows Server.
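
The two steps above combined into one pass, as an added PowerShell example that is not from the original article: it parses netstat -a -n -o, looks up each PID in tasklist output, and lists every listening TCP port and UDP endpoint with its owning process. It assumes PowerShell 3.0 or later and English-language netstat output; the variable names are illustrative.

```powershell
# Added example: join `netstat -a -n -o` with `tasklist` so each port shows its
# owning process. For a single PID, the manual lookup is:
#   tasklist /FI "PID eq 1812"

# Map PID -> image name from tasklist's CSV output (/NH drops the header row).
$procByPid = @{}
tasklist /FO CSV /NH |
    ConvertFrom-Csv -Header 'ImageName','PID','SessionName','SessionNum','MemUsage' |
    ForEach-Object { $procByPid[[int]$_.PID] = $_.ImageName }

# Parse netstat lines. TCP rows have 5 columns (Proto, Local, Foreign, State, PID);
# UDP rows have no State column, so they have 4.
$rows = foreach ($line in (netstat -a -n -o)) {
    $f = -split $line    # split on whitespace, ignoring leading/trailing blanks
    if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }

    $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
    # $PID is a read-only automatic variable in PowerShell, so use another name.
    $owningPid = [int]$f[-1]
    # The port is whatever follows the last colon; this also handles IPv6
    # local addresses such as [::]:445.
    $port = [int]($f[1] -replace '^.*:', '')

    [pscustomobject]@{
        Proto   = $f[0]
        Local   = $f[1]
        Port    = $port
        Foreign = $f[2]
        State   = $state
        PID     = $owningPid
        Process = $procByPid[$owningPid]   # empty if the process has already exited
    }
}

# Listening TCP ports and every UDP endpoint, ordered by port number.
$rows | Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
    Sort-Object Port, Proto |
    Format-Table Proto, Local, State, PID, Process -AutoSize
```

A listener whose Process column is blank, or whose image name you do not recognize, is the one to examine first.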
