View the list of active network connections in your computer
Published: October 18, 2005
When I use "netstat -a" in my command prompt, I get about 14-15 instances of the following line:
TCP comp-ip:1025 ad.be.doubleclick.net.1032 ESTABLISHED
Is some form of spyware operating on my system, or could it be just a harmless cookie? How can I trace the application which is making the TCP connection to a server?
Netstat's other command-line options
Netstat has many other command-line options that can reveal the Process ID. The related process name can be identified by looking up the Process ID in the Task Manager Processes tab (look at the PID column). For more information, type NETSTAT /? in Command Prompt.
To display the active network connections, and the corresponding Process ID that has initiated each connection, type this command:
You'll see something like this:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 848
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING 892
TCP 192.168.1.10:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.10:2295 22.214.171.124:80 ESTABLISHED 2316
Look at the line with status marked as ESTABLISHED. Note down the PID (2316).
Now, open Task Manager and then see which process is assigned the Process ID 2316. You can identify the corresponding application there. (See figure left).
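The PID lookup described above can be scripted instead of done by eye in Task Manager. The following is an added example, not part of the original article: it assumes netstat output in the five-column format shown above (as produced by netstat -ano) and a process list in the CSV format produced by tasklist /fo csv /nh. The sample data, function names and addresses are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the five-column format shown above (documentation-range addresses).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:2295      203.0.113.7:80         ESTABLISHED     2316
  TCP    192.168.1.10:2296      203.0.113.7:80         ESTABLISHED     2316
  TCP    192.168.1.10:2301      198.51.100.20:443      ESTABLISHED     1480
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of CSV process-list output: image name, PID, session, ...
TASKLIST_SAMPLE = '''\
"System","4","Services","0","236 K"
"svchost.exe","848","Services","0","4,012 K"
"iexplore.exe","2316","Console","0","31,540 K"
'''

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) per TCP row; UDP rows carry no state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].upper() == "TCP" and f[4].isdigit():
            yield f[0], f[1], f[2], f[3], int(f[4])

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted process-list output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def established_by_process(netstat_text, tasklist_text):
    """Count ESTABLISHED connections per (pid, image name, remote host)."""
    names = parse_tasklist(tasklist_text)
    counts = Counter()
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            host = remote.rsplit(":", 1)[0]  # drop the port, keep the host
            # A PID absent from the process list exited between the two snapshots.
            counts[(pid, names.get(pid, "<unknown>"), host)] += 1
    return counts

if __name__ == "__main__":
    result = established_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for (pid, name, host), n in result.most_common():
        print(f"{n:3d}  PID {pid:<6} {name:<16} -> {host}")
```

A process that holds many connections to the same remote host, as in the question above, shows up as a single line with a high count.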
Note that Windows XP Service Pack 2 introduces another command-line parameter for NETSTAT. It's the -b option, which displays the application name directly when you run the NETSTAT command. When used with the -b option (NETSTAT -ABNO), the output will be similar to this, with the name of the application mentioned:
TCP 192.168.1.10:2324 126.96.36.199:80 ESTABLISHED 2316
For more information on the new NETSTAT parameter, read the "Cable Guy" article here: New Networking Features in Windows XP Service Pack 2 - The Cable Guy
Using specialized third-party tools to track this information
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. Here is a screenshot of this excellent program:
TCPView - Copyright © 1998-2005 Mark Russinovich
CurrPorts, from Nir Sofer, displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.