Find out which process/application is using which TCP/UDP port on Windows
Written by Colasoft
Wednesday, 26 January 2011 03:29 - Last Updated Thursday, 21 April 2011 05:33
When analyzing a network problem with a network analyzer or protocol sniffer, especially when we find suspicious worm or backdoor activity, we usually get only information such as MAC addresses, IP addresses and the transport-layer port number. The analyzer may not even know which application-layer protocol is in use, and even if it does, we still need to figure out which application and process is using that protocol. Is there any way to find the original application or process that is using that TCP or UDP port? If you are conducting an on-site analysis, Capsa can easily help find out which process is listening on a port number. In this case, we are going to use a network sniffer, Process Explorer and some DOS commands. Let's see how.
1. Find out port number
2. Find out process ID
   - netstat -aon | findstr :8000
3. Find out process or application
   - tasklist | findstr 3968
4. Kill process or application
   - taskkill /F /PID 3968
Find out TCP/UDP Port Number
For example, in Capsa Free I spot the following suspicious TCP connection, which constantly communicates with IP xx.xx.0.183 on port 8000. So I'm going to look up the name of the process that is using this port.
Find out process ID (PID)
I open Command Prompt at once, enter the following command and hit Enter.
netstat -aon | findstr :8000
Explanation:
-a: list all active connections and their ports.
-o: show process IDs.
-n: display the port numbers numerically.
| findstr :8000: display only the lines containing the string :8000 (findstr means find string). Don't forget the pipe symbol | at the beginning.
Let’s see what we get.
In this case we can read that 3968 is the process ID, and the source and destination addresses are the same as in the first figure.
Find Process/Application
Next we'll switch immediately to another tool, Process Explorer (a free tool that you can get from http://technet.microsoft.com/en-us/sysinternals/bb896653). There we can easily find the process or application behind process ID 3968.
I'm sure this PID belongs to an instant messenger used internally in my office, and it's safe. You can also try to find it in Windows Task Manager if you don't have Process Explorer installed. However, Task Manager will not provide as much information as Process Explorer. And for command-prompt geeks, tasklist is quite handy:
tasklist | findstr 3968
This command will list only the task items containing the string 3968. Please refer to the previous command if you are not sure about the | findstr parameter.
Kill Process/Application
So next, you may want to kill a process at once when you find it is malicious. In Process Explorer, right-click a process item and choose Kill Process (or press the Del key) to kill that process (you can do the same in Task Manager). Again, you may run the following in Command Prompt:
taskkill /F /PID 3968
Explanation:
/F: force the process or application to terminate. And I suppose you understand the process ID by now.
Now we have successfully detected and targeted the suspicious process from the specific port number, whether UDP or TCP. Of course this procedure is reversible: you can also find the port number from the process's PID.
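The netstat and tasklist lookups above, joined in one script: an added example, not Colasoft's code. It parses the text output of netstat -aon and tasklist (constructed samples below, using the article's port 8000 and PID 3968) and handles two details the manual findstr filter does not: UDP rows, which carry no State column, and IPv6 endpoints such as [::]:445.

```python
import re
# Constructed sample of "netstat -aon" output (not captured from a real host)
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49701     10.20.0.183:8000       ESTABLISHED     3968
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1124
  UDP    192.168.1.20:8000      *:*                                    3968
"""

# Constructed sample of "tasklist" output (PID is the second column)
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
messenger.exe                 3968 Console                    1     25,116 K
"""

def port_of(endpoint):
    # "host:port" or "[v6addr]:port"; the UDP wildcard "*:*" has no port
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def parse_netstat(text):
    # One dict per TCP/UDP row; UDP rows have no State column, so the PID
    # is always the last field rather than a fixed position
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        yield {"proto": f[0], "local": f[1], "remote": f[2],
               "state": f[3] if f[0] == "TCP" else "", "pid": int(f[-1])}

def pids_using_port(netstat_text, port):
    # PIDs whose local or remote endpoint uses the port (TCP and UDP), like
    # "netstat -aon | findstr :8000" but never matching digits inside an address
    return {c["pid"] for c in parse_netstat(netstat_text)
            if port in (port_of(c["local"]), port_of(c["remote"]))}

def parse_tasklist(text):
    # Map PID -> image name; anchor on the trailing columns, image names may contain spaces
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def processes_on_port(netstat_text, tasklist_text, port):
    # The join the article does by hand: port -> PID -> image name
    names = parse_tasklist(tasklist_text)
    return {pid: names.get(pid, "<unknown>") for pid in pids_using_port(netstat_text, port)}
```

On a Windows host, pass the real output of netstat -aon and tasklist (for example captured with subprocess) in place of the samples; a PID that netstat reports but tasklist does not list comes back as "<unknown>".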
Recommended Resources:
If you are interested in trying the free network monitor tool mentioned in this post, you can download it on: