In our previous article, How To Identify Unknown Processes In Windows, we discovered how to identify and track down processes running on your Computer using Process Explorer.
Next, we'll look at how to identify Network connections and the TCP/IP ports they use, and how to find out who is connecting to your Computer.
What Are TCP/IP Ports?
Webopedia defines TCP/IP Network ports as "an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic."
Think of ports and port numbers as the way services enter your house. Take your phone: the port is the box outside your house that connects the wires from the street and the phone company to your house, and the port number is your phone number.
If you stood on your roof and looked down at your house, you would see every service entering and leaving your house from the utilities and other companies that supply electricity, gas, cable, etc.
With Computers, you can also "look down" and see all the logical Network connections communicating with your computer by using a tool called TCPView for Windows, available from the Microsoft TechNet Windows Sysinternals website. This tool is free and runs on Windows NT/2000/XP and Windows 98/Me. You can use TCPView on Windows 95 if you get the Windows 95 Winsock 2 Update from Microsoft.
Using TCPView
Once downloaded, unzip to a location on your PC and execute TCPview.exe. You should see a screen similar to this:
TCPview will show you a detailed listing of all TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) endpoints on your Computer, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint.
The first column displays the Process name (on your Computer) and the Local Address column shows your Computer name and the port number your Computer is listening on, while the Remote Address column displays the remote Computer name (or IP Address, if TCPview cannot resolve the IP address to its Domain name) and the port number it is listening on.
As shown below, the Remote Address column is the key to who you are communicating and connected with.
In this case the Local Address is marklap Computer and it is connected to the Remote Address known as msgr-cs128.hotmail.com.
As described above, the Port marklap is accepting the connection on is 2185, while msgr-cs128 is accepting the connection on 1863. So how do you know what kind of communication is going on between the two hosts?
If you do not recognize the Process name, you can look up the Remote Address Port information for a list of well known common ports or here for a detailed list of well known ports.
In this case we will need to look up port 1863 using the detailed list, which is MSNP, known as Windows Messenger (from Microsoft) which provides Online Chat and Instant Messenger service.
TIP: If you did not know what MSNP was, search Google, but be careful when searching, since a lot of results could mislead you about the meaning and lure you into buying software you do not need. In this case, search your Computer OS vendor's web site for the information.
One of the reasons I like TCPview is that it provides real-time activity. You will notice that when Endpoints change state from one update to the next, they are highlighted in yellow. Those that are deleted are shown in red, and new endpoints are shown in green.
Another reason is that you can right click on a Process that has a connection to a Remote Address, select Properties and do a WhoIS lookup for the remote host, as well as select Process Properties to display the Path and Command line information for the Process. The number next to the Process is the PID (Process Identifier) running on your PC. TCPview also gives you the capability to end a process or close a connection.
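The port lookup the article does by hand for 1863 and the yellow/red/green state-change highlighting it describes, as an added Python example that is not the article's or Sysinternals' code. It assumes a constructed row format (process:pid proto local remote state) rather than TCPView's real export format, and a small constructed port table.

```python
# Added example (not from the article or TCPView): read TCPView-style rows,
# name the remote port, and diff two snapshots the way TCPView colours changes.
from collections import namedtuple

# Constructed lookup table for this example; the real well-known list is far longer.
WELL_KNOWN_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS", 1863: "MSNP"}
# remote_port is None for TCPView's "*:*" wildcard (no remote peer yet).
Endpoint = namedtuple("Endpoint", "process pid proto local_host local_port remote_host remote_port state")

def _split_addr(addr):
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))

def parse_line(line):
    """One constructed row: 'process:pid proto local remote state', space separated."""
    proc, proto, local, remote, state = line.split()
    name, pid = proc.rsplit(":", 1)
    lhost, lport = _split_addr(local)
    rhost, rport = _split_addr(remote)
    return Endpoint(name, int(pid), proto, lhost, lport, rhost, rport, state)

def remote_service(ep):
    """Name the remote port as the article does by hand (1863 -> MSNP)."""
    return WELL_KNOWN_PORTS.get(ep.remote_port, "UNKNOWN")

def unknown_remote_endpoints(lines):
    """Connections whose remote port is not in the table: the ones worth looking up."""
    eps = [parse_line(l) for l in lines]
    return [e for e in eps if e.remote_port is not None and remote_service(e) == "UNKNOWN"]

def diff_snapshots(old_lines, new_lines):
    """Return (new, deleted, changed): TCPView's green, red and yellow rows."""
    key = lambda e: (e.proto, e.local_host, e.local_port, e.remote_host, e.remote_port)
    old = {key(e): e for e in map(parse_line, old_lines)}
    new = {key(e): e for e in map(parse_line, new_lines)}
    added = [new[k] for k in new if k not in old]
    deleted = [old[k] for k in old if k not in new]
    changed = [(old[k], new[k]) for k in new if k in old and old[k].state != new[k].state]
    return added, deleted, changed

# Constructed snapshots echoing the article's marklap <-> msgr-cs128.hotmail.com row.
SNAPSHOT_1 = [
    "msmsgs.exe:1234 TCP marklap:2185 msgr-cs128.hotmail.com:1863 ESTABLISHED",
    "svchost.exe:800 UDP marklap:137 *:* LISTENING",
    "unknown.exe:4321 TCP marklap:3001 203.0.113.7:6667 SYN_SENT",
]
SNAPSHOT_2 = [
    "msmsgs.exe:1234 TCP marklap:2185 msgr-cs128.hotmail.com:1863 CLOSE_WAIT",
    "svchost.exe:800 UDP marklap:137 *:* LISTENING",
    "iexplore.exe:555 TCP marklap:3002 198.51.100.20:80 ESTABLISHED",
]
```

Run `diff_snapshots(SNAPSHOT_1, SNAPSHOT_2)` to get the rows TCPView would colour green, red and yellow, and `unknown_remote_endpoints(SNAPSHOT_1)` for the connections whose remote port still needs looking up.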
An example of a WhoIS lookup:
Example of a Process properties:
Other tools exist that can provide the same information as TCPview, or more. Whichever tool you use, it is important that you understand what the data means and use the information to determine exactly who is connecting to you.
Armed with this knowledge, you can quickly identify unknown Network connections and never again wonder who is reaching into your Computer.