Thursday, January 06, 2005

What's using that port?

Every now and again, I see posts to public lists asking for an "lsof for Windows", or "how do I found out which process is using which port?" The stock answer to this has, for quite a while, been to use fport. Well, there are quite a few options available at this point, above and beyond that one tool.

Let's take a look at some CLI tools. I like openports, personally, and highly recommend it. Unlike fport, openports does not require an admin account to run the tool. Or, if you're on XP, go to the command prompt and type "netstat /?". Take a look at the '-o' switch. (Note: I feel like I have to repeat myself on this, but if you try using the '-o' switch on 2K, do NOT come back to me and tell me it didn't work. I know that. I doesn't work on 2K.) The '-o' switch adds the PID to the output of netstat, in the far right column. For fun, look at the '-b' and '-v' switches, as well.

For GUI tools, take a look at TCPView, and ActivePorts.

Microsoft even provides a couple of useful tools of their own for this. Portqry started out as a scanner, but version 2 has some added functionality. For example, "On computers that support Process ID (PID) to port mappings" (re: XP and 2K3), you can get a listing of not only the network connections a la netstat, but the processes using the ports. I downloaded a copy of portqryv2 to an XP Pro machine today, and the output doesn't look at all like what's in the KB article. However, if you use the '-local' switch, you'll get quite a bit of information, to include not only the mappings, but more detailed information about each process, including the network connections. Add on the '-v' switch, and you'll get information about the modules used by the processes.

Another Microsoft tool is PortReporter. In a nutshell, PortReporter installs as a service and continually monitors the system as it communicates on the network. On XP and 2K3 systems, PortReporter monitors:
  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules that a process loaded
  • The user accounts that run a process

On Win2K systems, the tool only monitors the port used, and when it was used.

Like Portqry, PortReporter can generate a lot of data. After all, the service has three log files. Fortunately, there's a Parser tool available to help you go through all of the log data.

It might be a good idea to include PortReporter as part of your standard image for Win2K3 systems, at least.

So, why is this important? Well, if you're an IDS analyst, and you see some unusual traffic on the network (or in firewall logs), you may want to find out which application on that Windows machine is generating the traffic. Is it legit, or is it spyware/malware?

2 comments:

Munish Chandel said...

In windows we can use the following command to list the PID of process which is using the given port:
>netstat -ab | findstr PORT

where PORT is port number used.

AtilaUy said...

Great command Munish, really simple and helpful. However to get the PID the option would be "-o":

> netstat -ao | findstr PORT