2 Simple Commands Let You Match TCP Connections With Processes

In many situations, it's helpful toidentify which TCP connections areassociated with which processes ona computer. With this information,you can determine whether a TCPconnection is valid or unauthorized,determine whether a connectionthat's been active for a long timeshould be disconnected, or troubleshoot other types of problems.

You can use two simple commands to quickly match TCP connections with processes. First, you use the following Netstat command:

netstat -aenos -p tcp 

In the output, you need to locate the Active Connections section. As Figure 1 shows, this section includes the Foreign Address, State, and PID columns. The Foreign Address column contains the TCP/IP address and port (which appears after the colon) of the remote computer to which the local computer is connected. The State column specifies the connection's state when the Netstat command executed. The PID column shows the process identifier (PID) associated with the TCP connection.

The PID is the information you're after, but few people can identify a process by its PID. To get the name of the process, you can run the following Tasklist command:

tasklist /v /fo List /fi "pid eq xxx" 

where xxx is the PID. As Figure 2 shows, the output includes the process's image name (e.g., iexplore. exe) and display name (e.g., Microsoft Internet Explorer).
—Fritz Shad