6.12. Viewing the Network Ports a Process Has Open

Problem

You want to view the network ports on which a process is communicating. This is useful if you want to see the type of traffic a particular process is generating.

Solution

Using a graphical user interface

  1. Open the Sysinternals TCPView tool (tcpview.exe).

  2. The complete list of processes and their associated ports is displayed by default. New connections show up in green and terminating connections show up in red.

Using a command-line interface

The following command displays the open ports and the process ID of the process associated with the port. The -o option is new to netstat.exe in Windows XP and Windows Server 2003:

> netstat -o

The Sysinternals netstatp.exe command is similar to netstat.exe, except it displays the process name associated with each port:

> netstatp

And for yet another extremely useful port querying tool, check out portqry.exe (see MS KB 310099 for more information). With portqry you can get even more information than netstatp. Run this command to output all of the ports and their associated processes:

> portqry -local

That command also breaks port usage down by service (e.g., DnsCache). You can watch the port usage for a particular PID and log it to a file. The following command does this for PID 1234:

> portqry -wpid 1234 -wt 5 -l portoutput.txt -v

The -wt option defines the watch time, which is how long portqry waits before examining the process again (the default is 60 seconds). The -v option is for verbose output.
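
The PID-to-name mapping that netstatp and portqry provide can also be reproduced from plain netstat -o output. The following PowerShell sketch is an added example, not code from the book: it parses netstat output and attaches a process name to each PID. The function name, the sample output, and the PID-to-name table are constructed for illustration, and the live-system comments assume the standard -a and -n switches alongside -o.

```powershell
# Added example: attach process names to the PID column of netstat -o output.
function ConvertFrom-NetstatOutput {   # hypothetical helper name
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = -split $line              # unary -split: split on whitespace
        # Keep data rows only: they start with TCP/UDP and end with a numeric PID.
        if ($f.Count -lt 4 -or ($f[0] -notin 'TCP', 'UDP')) { continue }
        if ($f[-1] -notmatch '^\d+$') { continue }
        # UDP rows have no State column, so take the PID from the last field.
        $state = if ($f.Count -ge 5) { $f[3] } else { '' }
        # The port follows the last colon (also true for IPv6 such as [::]:445).
        $i = $f[1].LastIndexOf(':')
        if ($i -lt 0) { continue }
        [pscustomobject]@{
            Protocol  = $f[0]
            LocalAddr = $f[1].Substring(0, $i)
            LocalPort = $f[1].Substring($i + 1)
            Remote    = $f[2]
            State     = $state
            ProcessId = [int]$f[-1]
        }
    }
}

# Constructed sample of "netstat -ano" output. On a live system: $lines = netstat -ano
$lines = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        192.0.2.77:51515       ESTABLISHED     1580
  UDP    0.0.0.0:500            *:*                                    1244
'@ -split "`r?`n"

# Constructed PID-to-name table. On a live system:
#   $names = @{}; Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
$names = @{ 4 = 'System'; 920 = 'svchost'; 1244 = 'lsass' }

ConvertFrom-NetstatOutput -Lines $lines | ForEach-Object {
    # A PID missing from the table (1580 here) may have exited between snapshots.
    $name = $names[$_.ProcessId]
    if (-not $name) { $name = '<unknown>' }
    $_ | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
} | Sort-Object ProcessId |
    Format-Table Process, ProcessId, Protocol, LocalAddr, LocalPort, State -AutoSize
```

Rows that resolve to `<unknown>` are the ones worth a second look with TCPView or portqry, since the owning process could not be matched at the time of the lookup.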

Using ...
