Sunday, 18 September 2011

How to find the process that is using a TCP port

Earlier today I was inspecting all computers in my home for malware with the help of GMER and FreeFixer. I was also using the netstat command line tool to look for any suspicious network connections. Netstat shows established TCP connections and ports that are listening for incoming connections. There was one entry in the netstats output that looked a bit suspicious: A connection to a server at on port 5938 and, also on port 5938.

The problem with netstat is that I couldn't see the name of the executable file that had established this connection. As usual Sysinternals comes to the rescue. They offer a tool called TCPView which also shows the process name along with connection info. It turned out that TeamViewer that I recently installed had established the connection:

Another alternative to find the process name that owns a connection is to use netstat -o which will list the process identifier for each connection and compare it to the information listed in the Windows Task Manager.