2 Simple Commands Let You Match TCP Connections With Processes
Identifying which TCP connections are associated with which processes on a computer can help with troubleshooting problems. To quickly match TCP connections with processes, you can use the Netstat and Tasklist commands.
March 27, 2007
In many situations, it's helpful to identify which TCP connections are associated with which processes on a computer. With this information, you can determine whether a TCP connection is valid or unauthorized, determine whether a connection that's been active for a long time should be disconnected, or troubleshoot other types of problems.
You can use two simple commands to quickly match TCP connections with processes. First, you use the following Netstat command:
netstat -aenos -p tcp
In the output, you need to locate the Active Connections section. As Figure 1 shows, this section includes the Foreign Address, State, and PID columns. The Foreign Address column contains the TCP/IP address and port (which appears after the colon) of the remote computer to which the local computer is connected. The State column specifies the connection's state when the Netstat command executed. The PID column shows the process identifier (PID) associated with the TCP connection.
The PID is the information you're after, but few people can identify a process by its PID. To get the name of the process, you can run the following Tasklist command:
tasklist /v /fo List /fi "pid eq xxx"
where xxx is the PID. As Figure 2 shows, the output includes the process's image name (e.g., iexplore.exe) and display name (e.g., Microsoft Internet Explorer).
—Fritz Shad
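The two-step lookup above can be done for every connection at once. The PowerShell below is an added example, not part of the original article: the function name Get-TcpConnectionProcess is hypothetical, it calls netstat with -ano (without the -e and -s statistics switches) so that only the Active Connections rows are returned, and the sample lines at the end are constructed rather than captured from a real host.

```powershell
# Added example: join netstat's PID column to tasklist's image names.
function Get-TcpConnectionProcess {
    param(
        # Raw lines from netstat; defaults to a live query of TCP connections.
        [string[]]$NetstatLines = (netstat -ano -p tcp),
        # Raw CSV lines from tasklist, without the header row.
        [string[]]$TasklistCsv  = (tasklist /fo csv /nh)
    )

    # Build a PID -> image name lookup from tasklist's five CSV columns.
    $names = @{}
    $TasklistCsv |
        ConvertFrom-Csv -Header ImageName, ProcessId, SessionName, SessionNumber, MemUsage |
        ForEach-Object { $names[$_.ProcessId] = $_.ImageName }

    foreach ($line in $NetstatLines) {
        # Data rows have exactly five fields: TCP, local, foreign, state, PID.
        # Titles, blank lines and the column header do not, so they are skipped.
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }

        [pscustomobject]@{
            LocalAddress   = $f[1]
            ForeignAddress = $f[2]
            State          = $f[3]
            ProcessId      = [int]$f[4]
            # A PID can be missing if the process exited between the two commands.
            ImageName      = if ($names.ContainsKey($f[4])) { $names[$f[4]] } else { '<not found>' }
        }
    }
}

# Constructed sample input, so the parsing can be tried without a live system.
$sampleNetstat = @(
    'Active Connections'
    ''
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912'
    '  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     4321'
    '  TCP    192.0.2.10:49713       198.51.100.9:80        TIME_WAIT       0'
)
$sampleTasklist = @(
    '"System Idle Process","0","Services","0","8 K"'
    '"svchost.exe","912","Services","0","9,812 K"'
    '"iexplore.exe","4321","Console","1","48,120 K"'
)
Get-TcpConnectionProcess -NetstatLines $sampleNetstat -TasklistCsv $sampleTasklist |
    Format-Table -AutoSize
```

Calling Get-TcpConnectionProcess with no arguments runs both commands on the local computer and returns one object per TCP connection.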