DelphiFAQ Home Search:
General :: Linux :: Network
Network setup and administration. Both from Windows and Linux angles.

Articles:

This list is sorted by recent document popularity (not total page views).
New documents will first appear at the bottom.

Featured Article

Determine which ports a specific process on Windows is using

Question:

I suspect that a newly installed application may be listening on some ports and act as a backdoor. How can I determine which ports a specific process on Windows is using?

Answer:

Windows does have the means to show you this. The following steps assume that your application is running on your computer and that you have Windows XP. Older Windows versions do not have all those tools e.g. the commandline task list tool and NETSTAT has not all the same parameters, but the steps are basically the same e.g. for Windows 2000.

The example inspects Yahoo Messenger (YPager.exe).


  1. Find out the process ID (PID) associated with your running application. You can use the task manager for that or from the command line:
    [c:\] tasklist | findstr YPager*

    This will show you the PID in the second column. (Try tasklist /fi "IMAGENAME eq YPager.exe" as an alternative; it will include the column headers.

  2. Now use the PID (in our example, it was 7200) and the NETSTAT tool.
    [c:\] netstat -ano | findstr 7200
       TCP    0.0.0.0:4161           0.0.0.0:0              LISTENING     7200
       TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING     7200
       TCP    192.168.0.9:4161       216.155.193.165:5050   ESTABLISHED   7200
       UDP    127.0.0.1:4172         *:*                                  7200
     
  3. This means Yahoo Messenger is listening on ports 4161 and 5101 for all addresses of this machine. It has an established connection with 216.155.193.165. To find out who is behind this 216.155.193.165, use NSLOOKUP:
    nslookup 216.155.193.165
    Name:    cs38.msg.dcn.yahoo.com
     Address:  216.155.193.165
    I guess that is ok. You could also have tried netstat -a which shows you all connections, and with the IP numbers already resolved to names. Don't try this on a PC where Peer-to-Peer software (P2P) like edonkey, Kazaa or WinMX is running. You'll have to wait *very* long if your P2P system works as designed. :-)


If you need to do this kind of analysis a lot, you may want to check out a handy tool like TCPView - Freeware from Systernals. http://www.sysinternals.com/ntw2k/source/tcpview.shtml


Generated 20:00:38 on Jun 26, 2017