2 Simple Commands Let You Match TCP Connections With Processes

Identifying which TCP connections are associated with which processes on a computer can help with troubleshooting problems. To quickly match TCP connections with processes, you can use the Netstat and Tasklist commands.

Readers

March 27, 2007


In many situations, it's helpful to identify which TCP connections are associated with which processes on a computer. With this information, you can determine whether a TCP connection is valid or unauthorized, determine whether a connection that's been active for a long time should be disconnected, or troubleshoot other types of problems.

You can use two simple commands to quickly match TCP connections with processes. First, you use the following Netstat command:

netstat -aenos -p tcp 

In the output, you need to locate the Active Connections section. As Figure 1 shows, this section includes the Foreign Address, State, and PID columns. The Foreign Address column contains the TCP/IP address and port (which appears after the colon) of the remote computer to which the local computer is connected. The State column specifies the connection's state when the Netstat command executed. The PID column shows the process identifier (PID) associated with the TCP connection.

The PID is the information you're after, but few people can identify a process by its PID. To get the name of the process, you can run the following Tasklist command:

tasklist /v /fo List /fi "pid eq xxx" 

where xxx is the PID. As Figure 2 shows, the output includes the process's image name (e.g., iexplore.exe) and display name (e.g., Microsoft Internet Explorer).
—Fritz Shad
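
The two-step lookup above can be done for every connection at once by saving both command outputs and joining them on the PID. The following is an added example, not part of the original tip: it assumes Tasklist was run as tasklist /v /fo List without the /fi filter so that every process is listed, the sample outputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -aenos -p tcp` output (not the article's Figure 1).
NETSTAT_OUT = """\
TCP Statistics for IPv4
  Active Opens                        = 120

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2140
  TCP    192.168.1.10:1051      198.51.100.7:443       ESTABLISHED     3999
"""

# Constructed sample of `tasklist /v /fo List` output (assumption: no /fi filter).
TASKLIST_OUT = """\
Image Name:   svchost.exe
PID:          884
Window Title: N/A

Image Name:   iexplore.exe
PID:          2140
Window Title: Microsoft Internet Explorer
"""

# One TCP row: Proto, Local Address, Foreign Address, State, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, foreign, state, pid) for rows under 'Active Connections'."""
    _, _, section = text.partition("Active Connections")  # skip the -e/-s statistics
    return [(m[1], m[2], m[3], int(m[4])) for m in map(ROW.match, section.splitlines()) if m]

def parse_tasklist(text):
    """Map PID -> record dict from blank-line-separated 'Key: value' blocks."""
    procs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in block.splitlines())}
        if rec.get("PID", "").isdigit():
            procs[int(rec["PID"])] = rec
    return procs

def match_connections(netstat_text, tasklist_text):
    """Join each TCP row to its image name; a PID missing from the task list is flagged."""
    procs = parse_tasklist(tasklist_text)
    return [(foreign, state, pid, procs.get(pid, {}).get("Image Name", "<not in task list>"))
            for _, foreign, state, pid in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for foreign, state, pid, image in match_connections(NETSTAT_OUT, TASKLIST_OUT):
        print(f"{foreign:<22}{state:<13}{pid:<6}{image}")
```

A connection whose PID has no entry in the task list usually means the process exited between the two captures, so take both snapshots back to back.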
