View TCP connections used by process


To achieve this we will use Tcpview and Tcpvcon from the Sysinternals Suite. Tcpvcon is the command-line version of Tcpview; -a lists all endpoints (not only established ones) and -c prints the result as CSV, which is the form that is easiest to save and analyse later.

You can download them and read more here: http://technet.microsoft.com/en-us/sysinternals/bb897437

Type C:\tcpvcon -a -c firefox from the command prompt (the last argument filters the listing to processes whose image name contains "firefox"):

C:\tcpvcon -a -c firefox
TCPView v2.52 - TCP/UDP endpoint viewer
Copyright (C) 1998-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP,firefox.exe,5896,ESTABLISHED,%computername%:49243,localhost:49244
TCP,firefox.exe,5896,ESTABLISHED,%computername%:49244,localhost:49243
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53511,ec2-204-236-232-112.compute-1.amazonaws.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53518,beta.sapo.pt:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53527,pub.sapo.pt:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53528,pub.sapo.pt:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53529,pub.sapo.pt:http
TCP,firefox.exe,5896,SYN_SENT,%computername%:53530,pub.sapo.pt:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53531,cust-219-81-122.static.bezeqint.net:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53534,213.13.145.59:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53538,linkedin-ela4.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53539,linkedin-ela4.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53540,mad01s09-in-f27.1e100.net:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53543,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53544,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53545,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53546,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53547,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53548,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53549,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53550,195.8.11.161:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53551,195.8.11.161:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53552,195.8.11.161:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53553,195.8.11.161:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53555,82.199.80.141:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53556,74.112.184.66:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53557,74.112.184.66:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53558,74.112.184.66:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53559,mad01s09-in-f17.1e100.net:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53560,74.112.184.194:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53561,74.112.184.194:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53562,74.112.184.194:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53563,195.8.11.154:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53564,ec2-107-21-204-24.compute-1.amazonaws.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53565,mad01s09-in-f20.1e100.net:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53566,ec2-23-21-167-189.compute-1.amazonaws.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53567,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53568,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53569,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53570,a92-123-81-244.deploy.akamaitechnologies.com:http
TCP,firefox.exe,5896,SYN_SENT,%computername%:53571,138.108.7.20:http
TCP,firefox.exe,5896,SYN_SENT,%computername%:53572,123.104.233.72.static.reverse.ltdomains.com:http

We can also see the TCP connections of a specific process using the Tcpview GUI.

Export the data to a txt file (File > Save in Tcpview) so it can be analysed later; the contents of the file will look something like this:

firefox.exe:5896    TCP    %computername%:49243    localhost:49244    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:49244    localhost:49243    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53538    linkedin-ela4.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53539    linkedin-ela4.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53540    mad01s09-in-f27.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53544    a92-123-81-244.deploy.akamaitechnologies.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53549    a92-123-81-244.deploy.akamaitechnologies.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53550    195.8.11.161:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53551    195.8.11.161:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53552    195.8.11.161:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53553    195.8.11.161:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53559    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53563    195.8.11.154:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53567    a92-123-81-244.deploy.akamaitechnologies.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53568    a92-123-81-244.deploy.akamaitechnologies.com:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53574    195.8.11.168:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53576    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53577    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53578    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53579    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53580    mad01s09-in-f17.1e100.net:http    ESTABLISHED    
firefox.exe:5896    TCP    %computername%:53586    bru01m01-in-f121.1e100.net:http    ESTABLISHED    
.......Some entries were removed because they weren't relevant to this post.............
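The two listings above carry the same information in two shapes: the tcpvcon -a -c CSV (protocol, image, PID, state, local endpoint, remote endpoint) and the Tcpview text export (image:PID, protocol, local, remote, state). Below is an added example, not code from the post or from Sysinternals, that parses both into one record shape, summarises connections per remote host and per state, lists endpoints that are not yet ESTABLISHED, and compares a saved export against a fresh tcpvcon run to show which remote hosts are new. The sample lines are constructed in the style of the post's output; %computername% stands in for the local hostname exactly as in the post, and the parser only recognises the six-column TCP rows shown there.

```python
"""Parse Tcpvcon CSV output and Tcpview text exports into one record shape.

Added example, not from the original post or from Sysinternals. The sample
lines below are constructed to mirror the output shown in the post.
"""
import csv
import io
from collections import Counter

# Constructed sample of `tcpvcon -a -c firefox` output (banner included).
TCPVCON_SAMPLE = """\
TCPView v2.52 - TCP/UDP endpoint viewer
Copyright (C) 1998-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP,firefox.exe,5896,ESTABLISHED,%computername%:53538,linkedin-ela4.com:http
TCP,firefox.exe,5896,ESTABLISHED,%computername%:53539,linkedin-ela4.com:http
TCP,firefox.exe,5896,SYN_SENT,%computername%:53571,138.108.7.20:http
"""

# Constructed sample of a Tcpview "File > Save" export (whitespace-separated).
TCPVIEW_SAMPLE = """\
firefox.exe:5896\tTCP\t%computername%:53538\tlinkedin-ela4.com:http\tESTABLISHED\t
firefox.exe:5896\tTCP\t%computername%:53550\t195.8.11.161:http\tESTABLISHED\t
"""

KNOWN_PROTOCOLS = ("TCP", "TCPV6")  # assumption: only the TCP rows shown in the post


def _split_endpoint(endpoint):
    """Split 'host:port' at the last colon; the port may be a name such as 'http'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_tcpvcon(text):
    """Parse `tcpvcon -c` CSV lines, skipping the banner, blank lines and unknown rows."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6 or row[0] not in KNOWN_PROTOCOLS:
            continue
        proto, image, pid, state, local, remote = row
        records.append({"proto": proto, "image": image, "pid": int(pid),
                        "state": state, "local": local, "remote": remote})
    return records


def parse_tcpview_export(text):
    """Parse a Tcpview text export; columns are image:PID, proto, local, remote, state."""
    records = []
    for line in text.splitlines():
        fields = line.split()  # hostnames contain no spaces, so any whitespace separates
        if len(fields) < 5 or fields[1] not in KNOWN_PROTOCOLS:
            continue
        image_pid, proto, local, remote, state = fields[:5]
        image, _, pid = image_pid.rpartition(":")
        records.append({"proto": proto, "image": image, "pid": int(pid),
                        "state": state, "local": local, "remote": remote})
    return records


def summarize(records):
    """Count connections per remote host and per state; list non-ESTABLISHED endpoints."""
    by_host = Counter(_split_endpoint(r["remote"])[0] for r in records)
    by_state = Counter(r["state"] for r in records)
    pending = [r for r in records if r["state"] != "ESTABLISHED"]
    return by_host, by_state, pending


def new_remote_hosts(baseline, current):
    """Remote hosts present in `current` that never appeared in the saved `baseline`."""
    seen = {_split_endpoint(r["remote"])[0] for r in baseline}
    now = {_split_endpoint(r["remote"])[0] for r in current}
    return sorted(now - seen)


if __name__ == "__main__":
    current = parse_tcpvcon(TCPVCON_SAMPLE)
    saved = parse_tcpview_export(TCPVIEW_SAMPLE)
    by_host, by_state, pending = summarize(current)
    print("connections per remote host:", dict(by_host))
    print("connections per state:", dict(by_state))
    print("not yet established:", [(r["local"], r["remote"]) for r in pending])
    print("remote hosts not in the saved export:", new_remote_hosts(saved, current))
```

Run it on real data by replacing the two constructed samples with the text of a tcpvcon run and of a saved Tcpview export. Keeping a baseline export per machine makes the "new remote hosts" list a quick first check when a process starts talking to somewhere it did not before.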

Hope that this post can be useful.


About rodvars
Been working in IT Services/Consulting for the past 15 years. My main areas of work are planning, development, managing and administration of system infrastructures, focusing on optimizing user processes, enforcing business security, performance enhancements, high availability and infrastructure scalability.
