Colasoft Knowledge Base How to Find out which process/application is using which TCP/UDP port on Windows

Find out which process/application is using which TCP/UDP port on Windows

E-mail Print PDF

During the process of analyzing a network problem with a network analyzer tool or a protocol sniffer, especially when we find a suspicious worm or backdoor activity, we get only useful information like MAC addresses, IP addresses and also the port number in transport layer. The analyzer may not even know which application layer protocol is used, even it tells, we still need to figure out which application and process is using this application layer protocol. Is there any method that we can find out the original application or process using that TCP or UDP port? If you are conducting an on-site analysis, Capsa can easily help find out which process is listening on a port number. In this case, we are going to use a network sniffer, Process Explorer and some DOS commands. Let’s see how.

  1. Find out port number
  2. Find out process ID
  3. Find out process or application
  4. Kill process or application

Find out TCP/UDP Port Number

For example, I spot in Capsa Free the following TCP connection suspicious, which constantly communicates to IP: xx.xx.0.183, on port 8000. So I’m going to look up the process name using this port.

A suspicious port spotted in network analyzer

Find out process ID (PID)

At once I evoke Command Prompt, and entered the following string and hit enter.

netstat –aon | findstr :8000

Explanation:

-a: list all active connections and their ports.

–o: show process IDs.

–n: display the port numbers numerically.

| findstr :8000: display only the items with string :8000 (findstr means find string). Don’t forget the pipe symbol | at the beginning.

Let’s see what we get.

Find PID with dos command netstat -aon

We can read in this case 3968 is the Process ID, and the source IP address and the target address is the same as the first figure.

Find Process/Application

Next we’ll switch to another tool Process Explorer (a free tool that you can get from: http://technet.microsoft.com/en-us/sysinternals/bb896653) immediately. And we can easily find out the process or application of this process ID: 3968.

Find process or application with PID in Process Exploerer - Sysinternals

I’m sure it’s an instant messenger used internal in my office and it’s safe. You can also try to find this PID in Windows Task Manager if you don’t have Process Explorer installed.

However Task Manager will not provide as much information as Process Explorer. And command prompt is quite handy for geeks.

tasklist | findstr 3968

This command will list only the task items with string 3968. Please refer to previous command if you not sure about | findstr parameter.

Kill Process/Application

So next, you may want to kill a process when you find it’s malicious and want to end it at once? If you are with Process Explorer, you just right-click on a process item and choose Kill Process (Press Del button for short) to kill that process (you can do the same in Task Manager). Again, you may run the following in Command Prompt:

taskkill /F /PID 3968

Explanation:

/F: means force to kill the process or application. And I suppose you understand process ID so far.

Now we successfully detect and target the suspicious process with the specific port number, no matter UDP or TCP. And of course this procedure is reversible, you can find out the port number from the process’s PID.

 

Recommended Resources:

If you are interested in trying the free network monitor tool mentioned in this post, you can download it on: Download Capsa Free

Last Updated on Thursday, 21 April 2011 05:33  

Add comment


Security code
Refresh