1. If you have Windows XP you can:

(a) Open a command prompt window. From Start / Run enter: cmd

(b) From the command prompt enter: netstat -ano

(c) Note the PID (process identifier) associated with the ports you are concerned about. (Also note the Local Address, Foreign Address, Protocol and State.)

(d) Then do ctrl-alt-del to bring up the Windows Task Manager.

(e) In Windows Task Manager, select the Processes tab.

(f) Look for the PID you noted when you did the netstat in step (c). Look to left to the image name and that tells you which process has that PID.

- If you dont see a PID column, click on View / Select Columns. Make sure PID is selected. Click OK.

- Make sure Show processes from all users is selected.

2. On Windows NT/2000/XP, the following products will provide the ability to locate which software is using which port:

- TCPView (free)

- Active Ports (free)

- OpenPorts (free)

- Foundstone Vision (free)

3. On Windows 95/98/NT/2000/XP, the following product will provide the ability to locate which software is using which port:

- Port Explorer (30-day free trial)

4. You can research the port using the links in this FAQ:
/faq/8226 (Why am I being probed on port XXX?)
or these sites:
»www.neohapsis.com/neolabs/neo-ports/
/ports
»isc.incidents.org
»lists.gpick.com/portlist/lookup.asp
»www.iana.org/assignments/port-numbers

5. You can research the IP address using this FAQ:
How do I look up an IP Address?

6. If youre stuck, feel free to post what information you have been able to gather in the BBR Security Forum and let us know your question. Be sure to give the full port description: port number and protocol (TCP or UDP).
/forum/security,1

7. If you are a business, organization or professional that depends on the security of your computer system, we strongly urge you to consider using the services of an IT security professional to review the security of your system.

Other useful links on BBR:
/faq/8226
/faq/3497
/faq/2467
/faq/5503
/faq/8428
/faq/9763

Useful links elsewhere:
On ports:
»www.windowsitpro.com/WindowsSecu···313.html
On Internet protocols:
»www.inetdaemon.com/tutorials/int···dex.html
On firewall forensics:
»security.uoregon.edu/firewalls/f···een.html
SANS Reading Room:
»www.sans.org/rr/catindex.php?cat_id=30
Packet analysis (note, you probably do not want to reduce firewall protection unless you have a test computer you can put outside your firewall):
»www.mynetwatchman.com/pckidiot/

The advice given here is general in nature and not adequate for high-value or highly attractive targets.

Feedback received on this FAQ entry:

• when using command netstat -ano the disbox(?) window closes instantly processing finishes so you have no time to get the details

  2008-08-24 21:34:38

• All the links in point 2 fail to reach their targets

  2008-08-24 21:39:09

• Top Notch, Thanx!!

  2009-08-30 17:39:33

• you can also see the process by adding the pid to the task manager ~jim

  2009-10-19 09:37:21

• Really helpful...... was stuck with a problem.... it really helped me in fixing that.... thanks a ton !!!!!!!!!! Usha

  2010-05-24 01:57:55

• how can I give a program a port to use ?!

  2011-01-10 05:58:47

• Thanks - You just helped me resolve a software conflict that was killing my syslog server. Found out that another program I installed took over UDP port 514 and I was not getting syslog messages any more. Thank you So much for the assist.

  2011-06-16 11:13:21

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation, it is also visible to logged in users.

by keith2468 edited by JMGullett
last modified: 2007-06-14 15:35:56