View the list of active network connections in your computer

Published: October 18, 2005

Question

When I use "netstat -a" in my command prompt, I get about 14-15 instances of the following line:

TCP comp-ip:1025 ad.be.doubleclick.net.1032 ESTABLISHED

Is some form of spyware operating on my system, or could it be just a harmless cookie? How can I trace the application which is making the TCP connection to a server?

Netstat's other command-line options

Netstat has other command-line options, one of which reveals the Process ID (PID) that owns each connection. You can then identify the related process name by looking up that Process ID in the Task Manager Processes tab (look at the PID column). For more information, type NETSTAT /? in Command Prompt.

To display the active network connections and the Process ID that initiated each connection, type this command:

NETSTAT -ANO

You'll see something like this:

Active Connections

Proto  Local Address          Foreign Address        State         PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING     848
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING     4
TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING     892
TCP    192.168.1.10:139       0.0.0.0:0              LISTENING     4
TCP    192.168.1.10:2295      66.102.7.147:80        ESTABLISHED   2316

Look at the line whose State is ESTABLISHED. Note down the PID (2316).

Now, open Task Manager and then see which process is assigned the Process ID 2316. You can identify the corresponding application there. (See figure left).
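The same PID lookup can be scripted. The Python below is an added example, not part of the original article: it parses NETSTAT -ANO output and joins each ESTABLISHED row to a process name taken from tasklist /FO CSV /NH. The sample inputs are constructed, and the function names are this example's own.

```python
import csv
import io
import subprocess

# Constructed sample inputs modelled on the output above; PID/name pairs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    192.168.1.10:2295      66.102.7.147:80        ESTABLISHED     2316
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = '''"System","4","Console","0","216 K"
"svchost.exe","848","Console","0","3,912 K"
"IEXPLORE.EXE","2316","Console","0","21,044 K"
'''

def parse_netstat(text):
    """Yield one dict per connection row of `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue  # banner, column header or blank line
        # UDP rows have no State column, so they carry 4 fields instead of 5.
        state = f[3] if len(f) == 5 else ""
        yield {"proto": f[0], "local": f[1], "remote": f[2],
               "state": state, "pid": int(f[-1])}

def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def established_with_names(netstat_text, tasklist_text):
    """Return (remote endpoint, PID, process name) for ESTABLISHED rows."""
    names = parse_tasklist(tasklist_text)
    return [(c["remote"], c["pid"], names.get(c["pid"], "<exited>"))
            for c in parse_netstat(netstat_text) if c["state"] == "ESTABLISHED"]

def live():
    """On Windows, run both commands and join their output."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return established_with_names(run("netstat", "-ano"),
                                  run("tasklist", "/FO", "CSV", "/NH"))

if __name__ == "__main__":
    for remote, pid, name in established_with_names(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{remote:<24} PID {pid:<6} {name}")
```

A PID that is missing from the tasklist output is reported as `<exited>`, which happens when the process ends between the two commands.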

Note that Windows XP Service Pack 2 introduces another command-line parameter for NETSTAT: the -b option, which displays the application name directly when you run the NETSTAT command. When used with the -b option (NETSTAT -ABNO), the output will be similar to this, with the name of the application mentioned:

TCP 192.168.1.10:2324 66.102.7.147:80 ESTABLISHED 2316
[IEXPLORE.EXE]

For more information on the new NETSTAT parameter, read the "Cable Guy" article here: New Networking Features in Windows XP Service Pack 2 - The Cable Guy

Using specialized third-party tools to track this information

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. Here is a screenshot of this excellent program:



TCPView - © 1998-2005 Mark Russinovich

CurrPorts, from Nir Sofer, displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.