
Intrusion Detection FAQ: Mapping Active Ports To Corresponding Processes

Jim McMillan
November 2009

Introduction

Our systems run many processes (services and applications) on a daily basis. Often these processes are designed for communication with remote systems and run as services that listen on assigned ports. In today's environment computers are often left powered on and connected to a network at all times.

This always-on mentality gives attackers an endless window of opportunity to take advantage of vulnerabilities in these running processes. Therefore it is important not only to keep our systems patched, but also to minimize the number of processes listening on them. We should run only the processes that are necessary for a system to function as desired, and disable and uninstall the rest. But how do we tell which processes have ports open and are listening on our systems?

The Netstat Command

On systems that have TCP/IP installed (which includes almost all systems), there is a command called Netstat. Netstat is a command line executable that displays various types of information about our network connections. If you run netstat with the "-?" option you will see the command line arguments you can use to gather different pieces of information. We can use Netstat to display a list of active connections for our system.

If we run the Netstat command from a Command Prompt on a Windows system, we get results similar to the following (results from a Windows 7 system):

C:\>netstat.exe -aon

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       468
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       476
  TCP    192.168.56.129:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.129:49158   65.55.17.26:80         ESTABLISHED     2988
  TCP    192.168.56.129:49160   204.246.230.80:80      ESTABLISHED     2988
  TCP    192.168.56.129:49161   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49162   65.55.149.121:80       ESTABLISHED     2988
  TCP    192.168.56.129:49163   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49164   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49167   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49168   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49169   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49172   74.125.95.149:80       ESTABLISHED     2988
  TCP    192.168.56.129:49174   204.246.230.113:80     ESTABLISHED     2988
  TCP    192.168.56.129:49175   65.55.149.119:80       ESTABLISHED     2988
  TCP    192.168.56.129:49177   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49178   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49179   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49180   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49181   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49182   66.35.45.201:80        ESTABLISHED     2988
  TCP    [::]:135               [::]:0                 LISTENING       668
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       392
  TCP    [::]:49153             [::]:0                 LISTENING       716
  TCP    [::]:49154             [::]:0                 LISTENING       884
  TCP    [::]:49155             [::]:0                 LISTENING       468
  TCP    [::]:49156             [::]:0                 LISTENING       476
  UDP    0.0.0.0:3702           *:*                                    1412
  UDP    0.0.0.0:3702           *:*                                    1412
  UDP    0.0.0.0:5355           *:*                                    1164
  UDP    0.0.0.0:64181          *:*                                    1412
  UDP    127.0.0.1:1900         *:*                                    1412
  UDP    127.0.0.1:61166        *:*                                    1412
  UDP    127.0.0.1:62646        *:*                                    2988
  UDP    192.168.56.129:137     *:*                                    4
  UDP    192.168.56.129:138     *:*                                    4
  UDP    192.168.56.129:1900    *:*                                    1412
  UDP    192.168.56.129:61165   *:*                                    1412
  UDP    [::]:3702              *:*                                    1412
  UDP    [::]:3702              *:*                                    1412
  UDP    [::]:5355              *:*                                    1164
  UDP    [::]:64182             *:*                                    1412
  UDP    [::1]:1900             *:*                                    1412
  UDP    [::1]:61164            *:*                                    1412
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:546    *:*                      716
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:1900   *:*                      1412
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:61163  *:*                      1412

As you can see, there are many processes listening on this Windows 7 system. Running netstat with the "a" option lists all active connections and all listening TCP and UDP ports. The "o" option gives us the process identifier, or PID, of the process to which each port is assigned. And the "n" option tells netstat not to resolve IP addresses or port numbers to names.

This netstat output gives us five columns of information about active connections:

Column             Description
Proto              Protocol being used, TCP or UDP.
Local Address      IP address of the local system and the local port being used.
Foreign Address    IP address of the remote system and the remote port being used.
State              Status of the TCP connection (blank for UDP, which is connectionless).
PID                Process identifier of the process using the local port.

If we look at the 22nd entry of our output, we see the following entry:

   TCP   192.168.56.129:49177   66.35.45.201:80   ESTABLISHED   2988

This entry tells us we have an active TCP connection from our local system on port 49177 to a remote system with IP address 66.35.45.201 on port 80. In addition, this connection is currently established and a local process with a PID of 2988 is using the connection.

Even though we know the PID of the process using this connection, it doesn't tell us much more than there is a process that has an active connection on our system. How can we use this information to determine more about PID 2988?

Using Task Manager to better identify processes against our Netstat results

Now that we have a PID number, we can look up the process associated with it. To do this we can use the built-in Task Manager. However, by default Task Manager doesn't display the PID column. We can fix that with a quick setting change.

Open Task Manager and select the "Processes" tab. Then click "Show processes from all users" to display all running processes in the Task Manager window. We will need to add the "PID (Process Identifier)" column to the view, as shown below.

To do this, select "View" from the menu and then click "Select Columns". On the "Select Process Page Columns" make sure there is a check mark in "PID (Process Identifier)" selection box and then click OK.

You will now see a window similar to the following.

If we look in the "PID" column, we will see our PID of 2988. Then by looking at the "Image Name" and "Description" columns, we can see that our active network connection belongs to Internet Explorer.
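The same cross-reference can be scripted, which matters when the netstat output was collected from a box you can no longer open Task Manager on. The following is an added example and not code from the FAQ or from Microsoft: it parses `netstat -aon` text (rows taken from the listing above, plus one constructed row with PID 9999), parses a constructed sample in the shape `tasklist /fo csv` prints as a stand-in for the Task Manager lookup, and joins the two on PID. Because netstat and tasklist are separate snapshots, a process that exited between them, or a reused PID, comes back unmatched rather than silently mislabelled.

```python
"""Parse `netstat -aon` output and map each PID to an image name.

Added example for this FAQ; not code from the original article or from
Microsoft. The netstat rows come from the Windows 7 listing above plus one
constructed row (PID 9999) with no matching process. The tasklist text is
a constructed sample in the shape that `tasklist /fo csv` prints.
"""
import csv
import io
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

# Rows from the article's netstat -aon output, plus a constructed last row.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.129:49177   66.35.45.201:80        ESTABLISHED     2988
  TCP    [::]:135               [::]:0                 LISTENING       668
  UDP    192.168.56.129:137     *:*                                    4
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:546  *:*                        716
  TCP    127.0.0.1:50000        0.0.0.0:0              LISTENING       9999
"""

# Constructed sample in the shape of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","668","Services","0","8,000 K"
"svchost.exe","716","Services","0","9,000 K"
"iexplore.exe","2988","Console","1","60,000 K"
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; strip brackets from IPv6 addresses."""
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, port


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = fields[3] if len(fields) == 5 else ""
        laddr, lport = split_endpoint(local)
        raddr, rport = split_endpoint(remote)
        conns.append(Conn(proto, laddr, lport, raddr, rport, state, int(fields[-1])))
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` text."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def annotate(conns, pid_to_image):
    """Pair each connection with its image name; a PID with no match is flagged.

    netstat and tasklist are separate snapshots, so a process that exited
    between them (or a PID that was reused) shows up as unmatched.
    """
    return [(pid_to_image.get(c.pid, "<no matching process>"), c) for c in conns]


def images_for_local_port(conns, pid_to_image, port):
    """Image names of every process bound to the given local port."""
    return [image for image, c in annotate(conns, pid_to_image) if c.local_port == str(port)]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    pidmap = parse_tasklist_csv(TASKLIST_SAMPLE)
    for image, c in annotate(conns, pidmap):
        print(f"{c.proto:4} {c.local_addr}:{c.local_port} -> {c.remote_addr}:{c.remote_port} "
              f"{c.state or '-':12} PID {c.pid} {image}")
```

Run it as a script to see every row annotated; `images_for_local_port(conns, pidmap, 49177)` returns `["iexplore.exe"]`, reproducing the Task Manager lookup for the 22nd entry, and port 50000 comes back as `<no matching process>`.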

Now that we have looked at the harder way of cross referencing active ports to their processes, let's look at a tool that can help do this all in one step.

TCPView for Windows

Windows Sysinternals guru Mark Russinovich has created a very useful tool, amongst many others, that will make our job easier. The TCPView tool is a GUI program that provides similar, but enhanced, information to that of Netstat. It will not only give you the PID of the process tied to an active port, it will also provide the "Image Name" that you find in Task Manager.

TCPView also includes a command line program that can dump the same information as the GUI program. This comes in very handy when performing Incident Response or you want to automate the auditing of several systems. The command line program is called Tcpvcon and has a few command line arguments. You can run "tcpvcon.exe /?" from a command prompt to view those options.

TCPView Output

On our same Windows 7 system, we run the Tcpvcon program at the command line while specifying the "a", "c" and "n" options. The command gives us the following results (which can also be piped to a file on a remote network share):

C:\>Tcpvcon.exe -acn

TCPView v2.54 - TCP/UDP endpoint viewer
Copyright (C) 1998-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP,svchost.exe,668,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,192.168.56.129:139,0.0.0.0:0
TCP,wininit.exe,392,LISTENING,0.0.0.0:49152,0.0.0.0:0
TCP,svchost.exe,716,LISTENING,0.0.0.0:49153,0.0.0.0:0
TCP,svchost.exe,884,LISTENING,0.0.0.0:49154,0.0.0.0:0
TCP,services.exe,468,LISTENING,0.0.0.0:49155,0.0.0.0:0
TCP,lsass.exe,476,LISTENING,0.0.0.0:49156,0.0.0.0:0
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49158,65.55.17.26:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49160,204.246.230.80:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49161,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49162,65.55.149.121:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49163,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49164,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49167,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49168,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49169,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49172,74.125.95.149:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49174,204.246.230.113:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49175,65.55.149.119:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49178,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49179,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49180,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49181,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49182,66.35.45.201:80
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:5357,0.0.0.0:0
UDP,System,4,*,192.168.56.129:137,*:*
UDP,System,4,*,192.168.56.129:138,*:*
UDP,svchost.exe,1412,*,127.0.0.1:1900,*:*
UDP,svchost.exe,1412,*,192.168.56.129:1900,*:*
UDP,svchost.exe,1412,*,0.0.0.0:3702,*:*
UDP,svchost.exe,1412,*,0.0.0.0:3702,*:*
UDP,svchost.exe,1164,*,0.0.0.0:5355,*:*
UDP,svchost.exe,1412,*,192.168.56.129:61165,*:*
UDP,svchost.exe,1412,*,127.0.0.1:61166,*:*
UDP,iexplore.exe,2988,*,127.0.0.1:62646,*:*
UDP,svchost.exe,1412,*,0.0.0.0:64181,*:*
TCPV6,svchost.exe,668,LISTENING,[0:0:0:0:0:0:0:0]:135,[0:0:0:0:0:0:0:0]:0
TCPV6,System,4,LISTENING,[0:0:0:0:0:0:0:0]:445,[0:0:0:0:0:0:0:0]:0
TCPV6,System,4,LISTENING,[0:0:0:0:0:0:0:0]:5357,[0:0:0:0:0:0:0:0]:0
TCPV6,wininit.exe,392,LISTENING,[0:0:0:0:0:0:0:0]:49152,[0:0:0:0:0:0:0:0]:0
TCPV6,svchost.exe,716,LISTENING,[0:0:0:0:0:0:0:0]:49153,[0:0:0:0:0:0:0:0]:0
TCPV6,svchost.exe,884,LISTENING,[0:0:0:0:0:0:0:0]:49154,[0:0:0:0:0:0:0:0]:0
TCPV6,services.exe,468,LISTENING,[0:0:0:0:0:0:0:0]:49155,[0:0:0:0:0:0:0:0]:0
TCPV6,lsass.exe,476,LISTENING,[0:0:0:0:0:0:0:0]:49156,[0:0:0:0:0:0:0:0]:0
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:1900,*:*
UDPV6,svchost.exe,1412,*,[fe80:0:0:0:a49d:22fc:6a6:4daf]:1900,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:3702,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:3702,*:*
UDPV6,svchost.exe,1164,*,[0:0:0:0:0:0:0:0]:5355,*:*
UDPV6,svchost.exe,1412,*,[fe80:0:0:0:a49d:22fc:6a6:4daf]:61163,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:61164,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:64182,*:*

Our output is in comma-separated format because of the "c" option we specified. As with Netstat, the "a" option gives us all connections and the "n" option tells Tcpvcon not to do name translation. This time the output is displayed in six comma-separated columns, or fields, which provide the following information in the order displayed:

Column/Field              Description
Protocol                  Protocol being used: TCP or UDP (TCPV6 or UDPV6 for IPv6 sockets).
Process                   The Image Name of the running process.
PID                       Process identifier of the process using the local port.
State                     Status of the TCP connection ("*" for UDP).
Local address and port    IP address of the local system and the local port being used.
Foreign address and port  IP address of the remote system and the remote port being used.

Let's look at the 20th entry in our output list from the Tcpvcon command we ran above:

   TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80

As before, this entry tells us we have an active TCP connection from our local system on port 49177 to a remote system with IP address 66.35.45.201 on port 80. And this connection is currently established and a local process with a PID of 2988 is using the connection. But as a bonus, the process image name (iexplore.exe) is now provided.
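Because Tcpvcon already carries the image name, its CSV output is the natural input for the automated audit of several systems mentioned above. The following is an added example and not code from the FAQ or from Sysinternals: it parses `tcpvcon -acn` output (the banner plus a subset of the rows above, with one constructed row for a hypothetical `unknownsvc.exe` listening on port 8080 so that the audit has something to flag), folds TCPV6/UDPV6 into their IPv4 families, compares the set of listening (protocol, port, image) triples against a constructed baseline, and lists the remote endpoints a given image is talking to. A listener that is not on the baseline, or an expected one that has gone missing, is exactly the kind of change worth investigating on a host.

```python
"""Parse `tcpvcon -acn` CSV output and audit listeners against a baseline.

Added example; not code from the original article or from Sysinternals.
The sample output is a subset of the Tcpvcon listing above plus one
constructed row (a hypothetical unknownsvc.exe on port 8080) so the audit
has something to flag. The baseline is likewise constructed.
"""
import csv
import io
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto image pid state local remote")

# tcpvcon reports IPv6 sockets as TCPV6/UDPV6; fold both into one family.
PROTO_FAMILY = {"TCP": "TCP", "TCPV6": "TCP", "UDP": "UDP", "UDPV6": "UDP"}

# Constructed sample: banner, a subset of the article's rows, one added row.
TCPVCON_SAMPLE = """\
TCPView v2.54 - TCP/UDP endpoint viewer
Copyright (C) 1998-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP,svchost.exe,668,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,192.168.56.129:139,0.0.0.0:0
TCP,wininit.exe,392,LISTENING,0.0.0.0:49152,0.0.0.0:0
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49172,74.125.95.149:80
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
UDP,System,4,*,192.168.56.129:137,*:*
UDP,svchost.exe,1412,*,127.0.0.1:1900,*:*
TCP,unknownsvc.exe,3001,LISTENING,0.0.0.0:8080,0.0.0.0:0
TCPV6,svchost.exe,668,LISTENING,[0:0:0:0:0:0:0:0]:135,[0:0:0:0:0:0:0:0]:0
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:1900,*:*
"""

# Constructed baseline of (family, local port, image) triples expected on this build.
BASELINE = {
    ("TCP", "135", "svchost.exe"),
    ("TCP", "139", "System"),
    ("TCP", "445", "System"),
    ("TCP", "49152", "wininit.exe"),
    ("UDP", "137", "System"),
    ("UDP", "1900", "svchost.exe"),
}


def parse_tcpvcon(text):
    """Return one Endpoint per six-field CSV row; banner and blank lines are skipped."""
    eps = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6 or row[0] not in PROTO_FAMILY:
            continue
        proto, image, pid, state, local, remote = row
        eps.append(Endpoint(proto, image, int(pid), state, local, remote))
    return eps


def local_port(endpoint_str):
    """Port after the last colon; works for '0.0.0.0:135' and '[...]:135' alike."""
    return endpoint_str.rsplit(":", 1)[1]


def listening_endpoints(eps):
    """Set of (family, port, image) for sockets that accept traffic.

    TCP counts only in LISTENING state; a bound UDP socket (state '*') always counts.
    """
    bound = set()
    for e in eps:
        family = PROTO_FAMILY[e.proto]
        if family == "TCP" and e.state != "LISTENING":
            continue
        bound.add((family, local_port(e.local), e.image))
    return bound


def audit(listening, baseline):
    """Return (unexpected, missing): listeners not in the baseline, baseline entries absent."""
    return listening - baseline, baseline - listening


def remote_peers(eps, image):
    """Sorted remote endpoints to which a given image holds established TCP connections."""
    return sorted({e.remote for e in eps
                   if e.image == image and e.state == "ESTABLISHED"})


if __name__ == "__main__":
    eps = parse_tcpvcon(TCPVCON_SAMPLE)
    unexpected, missing = audit(listening_endpoints(eps), BASELINE)
    for family, port, image in sorted(unexpected):
        print(f"UNEXPECTED listener: {family}/{port} owned by {image}")
    for family, port, image in sorted(missing):
        print(f"MISSING baseline listener: {family}/{port} ({image})")
    print("iexplore.exe peers:", remote_peers(eps, "iexplore.exe"))
```

In practice the Tcpvcon output piped to a file on a network share, as described above, is fed to `parse_tcpvcon` one host at a time, with one baseline per system role; keying the baseline on the image name as well as the port is what catches a different executable bound to a port that is itself expected.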

Resources

Microsoft Technet (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx

Russinovich, M. (2009, March 17). TCPView for Windows v2.54. Retrieved from http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
