Home > Articles, Tips & How-tos > Find out which process/application is using which TCP/UDP port on Windows

Find out which process/application is using which TCP/UDP port on Windows

During the process of analyzing a network problem with a network analyzer tool or a protocol sniffer, especially when we find a suspicious worm or backdoor activity, we get only useful information like MAC addresses, IP addresses and also the port number in transport layer. The analyzer may not even know which application layer protocol is used, even it tells, we still need to figure out which application or process is using this application layer protocol. Is there any method that we can find out the original application or process using that TCP or UDP port? If you are conducting an on-site analysis, Capsa can easily help find out which process is using what port.
Let’s see how.

Find out Port Number

For example, I spot in Capsa Free the following TCP connection suspicious, which constantly communicates to IP: xx.xx.0.183, on port 8000. So I’m going to look up the process name using this port.

find_port

Find Process ID (PID)

At once I evoke Command Prompt, and entered the following string and hit enter.

netstat –aon | findstr :8000

Explanation:

-a: list all active connections and their ports. –o: show process IDs. –n: display the port numbers numerically.

| findstr :8000: display only the items with string :8000 (findstr means find string). Don’t forget the pipe symbol | at the beginning.

Let’s see what we get.

find_pid

We can read in this case 3968 is the PID, and the source IP address and the target address is the same as the first figure.

Find Process/Application

Next we’ll switch to another tool Process Explorer (a free tool that you can get from: http://technet.microsoft.com/en-us/sysinternals/bb896653) immediately. And we can easily find out the process or application of this PID: 3968.

process_explorer

I’m sure it’s an instant messenger used internal in my office and it’s safe. You can also try to find this PID in Windows Task Manager if you don’t have Process Explorer installed.

However task Manager will not provide as much information as Process Explorer. And command prompt is quite handy for geeks.

tasklist | findstr 3968

This command will list only the task items with string 3968. Please refer to previous command if you not sure about | findstr parameter.

Kill Process/Application

So next, you may want to kill a process when you find it’s malicious and want to end it at once? If you are with Process Explorer, you just right-click on a process item and choose Kill Process (Press Del button for short) to kill that process (you can do the same in Task Manager). Again, you may run the following in Command Prompt:

taskkill /F /PID 3968

Explanation:

/F means force to kill the process. And I suppose you understand PID so far.

Now we successfully detect and target the suspicious process with the specific port number, no matter UDP or TCP. And of course this procedure is reversible, you can find out the port number from the process’s PID.

  1. Mr White
    January 26th, 2011 at 20:47 | #1

    Nice one, just want to add my 2 cent.

    1.) In your example, you are trying to figur out the application using the connection looking for the remote(!!) port. However, you might find that there are several connections using a specific remote port at a time. The best example is searching for remote port 80 when browsing the web: there will be several connections to several different web server at remote port 80.
    I would prefer to make a search looking for the local port, in your case 49181, which will uniquely identify the connection in most cases.

    2.) For people who don’t like working on the command line, there are some good free GUI tools available which display all active network connections and the applications using them. My personal favourites are Sysinternals TCPView and CurrPort. Open these tools, create a filter for the port you are looking for and you have the information you need.

    Sorry for my bad english.

  2. January 26th, 2011 at 23:26 | #2

    Thanks for your comment, Mr White.

  3. May 26th, 2013 at 14:05 | #3

    It’s a pity you don’t have a donate button! I’d definitely donate to this outstanding blog! I suppose for now i’ll settle for bookmarking and adding your RSS feed to
    my Google account. I look forward to brand new updates and will share this website with my Facebook group.
    Talk soon!

  1. No trackbacks yet.