Thursday, April 9, 2009

Determining TCP activity

There are a few ways that you can determine the TCP/IP activity on your system.

1. Netstat
 
Simply go to a command prompt and type netstat -an and you should see something like that shown above. You can see the protocol, local_ip_address:port, foreign_ip_address:port and the state.

This really only tells you the basics of which ports are connected to what IP addresses but it doesn’t actually tell you what programs are using those ports.

2. Fport

Fport is a free program that can be downloaded from :

http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip

and when run in the command window will not only show the TCP ports but it will also show which program on your system is using each port, as shown above. For example we can see that iTunesHelper.exe is using TCP port 1029 and is process 3548.

Fport therefore provides a lot more information, but it isn't updated continuously and you need to run it from a command prompt.

3. Prio

Amongst other things, Prio can do what both netstat and Fport do, but as part of your Task Manager. You'll find the free download of Prio at:

http://www.prnwatch.com/prio.html

Once installed, Prio will provide you with an additional tab in your Task Manager (accessed via Ctrl-Alt-Del) called TCP/IP, as shown above. In there you'll see an up-to-date list of all the TCP connections and the programs using those ports.

So all 3 tools provide you with the ability to inspect what TCP/IP connections are taking place on your system. This can be of significant assistance when tracking down rogue applications accessing the Internet without your knowledge.
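If you want to do the netstat-to-program mapping yourself rather than installing Fport or Prio, the following script is an added example (it is not from this post, nor from Foundstone or prnwatch). It assumes the column layout of Windows `netstat -ano` output (the `-o` switch adds the owning PID to each row), parses each socket into a record, joins the PID against a process table such as `tasklist` would give you, and then flags established connections from programs that are not on an allow list, which is the "rogue application" check the post closes on. The netstat text and the PID table below are constructed sample data, not captured from a real machine.

```python
"""Parse `netstat -ano` output and attribute each socket to a process.

Added example, not code from the original post or from the Fport/Prio authors.
Assumes the Windows `netstat -ano` column layout; the process table is a
constructed stand-in for what `tasklist` or Task Manager would report.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -ano` output (banner and header lines kept so
# the parser has to skip them). Peer addresses use the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1029      198.51.100.7:443       ESTABLISHED     3548
  TCP    192.168.1.20:1042      203.0.113.9:8080       ESTABLISHED     4100
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Constructed PID -> image name table (what `tasklist` would give you).
SAMPLE_PROCESSES = {4: "System", 912: "svchost.exe", 1200: "lsass.exe",
                    3548: "iTunesHelper.exe", 4100: "updater.exe"}

# RFC 1918 ranges; peers inside them (or loopback/link-local) count as "local".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    foreign_ip: str
    foreign_port: Optional[int]
    state: str          # empty for UDP rows, which have no State column
    pid: int
    image: str          # "<unknown>" when the PID is not in the process table


def split_endpoint(endpoint: str) -> tuple:
    """Split 'ip:port' or '[v6]:port'; a '*:*' wildcard yields ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str, processes: dict) -> list:
    """Turn netstat rows into Socket records, joining the PID to its image name."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank, or column-header line
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""   # UDP rows have no state
        pid = int(fields[-1])                         # PID is always the last column
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        sockets.append(Socket(proto, lip, lport, fip, fport, state, pid,
                              processes.get(pid, "<unknown>")))
    return sockets


def is_local_peer(ip: str) -> bool:
    """True for loopback, link-local and RFC 1918 peers; wildcards count as local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # '*' wildcard: nothing to flag
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918)


def unexpected_connections(sockets: list, allowed_images: set) -> list:
    """Established connections to non-local peers from programs not on the allow list."""
    return [s for s in sockets
            if s.state == "ESTABLISHED"
            and not is_local_peer(s.foreign_ip)
            and s.image not in allowed_images]


def format_report(sockets: list) -> list:
    """Fport-style lines: PID, image, local port, protocol, peer, state."""
    return [f"{s.pid:<6}{s.image:<20}{s.local_port!s:<7}{s.proto:<5}"
            f"{s.foreign_ip}:{s.foreign_port if s.foreign_port is not None else '*'} {s.state}"
            for s in sockets]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    print("\n".join(format_report(socks)))
    for s in unexpected_connections(socks, {"iTunesHelper.exe"}):
        print(f"REVIEW: {s.image} (PID {s.pid}) -> {s.foreign_ip}:{s.foreign_port}")
```

On a live machine you would replace `SAMPLE_NETSTAT` with the output of `netstat -ano` and the process table with `tasklist` output, then keep the allow list as a baseline of programs you expect to talk to the Internet; anything the function flags is worth a closer look in Task Manager.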