Take the mystery out of network-traffic analysis

By Ryan Russell

The free TCPView utility shows which programs are responsible for which network connections.

Free up bandwidth and stay safe by identifying the network links that you don’t need or that jeopardize your security.

Identify the apps that are reaching out

In my Apr. 24 column, I mentioned in passing Microsoft’s free TCPView utility (developed by Sysinternals), which displays all the network connections made to and from your computer and identifies the program responsible for each connection.

Suppose you find some interesting network traffic by using Wireshark, the packet-monitoring utility I described in the previous column, and you wonder which program is responsible for the transmission. Wireshark captures at the network-driver level, below the point where the operating system associates sockets with processes, so it has no way of knowing which program generated which packets.

In some cases, the source will be obvious from the traffic. For example, many ports are assigned to specific purposes. If a computer has connected to port 1433 on your machine, it's a fairly safe bet that SQL Server is responsible for the connection, since that port is registered for SQL Server. Keep in mind that port assignments are a convention, not a guarantee: nothing prevents some other program, including malware, from listening on 1433.

However, you probably have dozens of programs installed on your computer that are HTTP clients and thus use port 80. These include not only the obvious Web browsers but also any self-updating programs such as media players, games, and many Office-type applications. How do you know which program initiated the network session? TCPView can show you.
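TCPView performs this program-to-connection join for you in a GUI, but the raw ingredients are also available from the command line: netstat -ano lists each connection with its owning PID, and tasklist maps PIDs to image names. The following Python script is an added example, not code from the article or from Sysinternals; it parses constructed sample output from both commands (not a real capture) and reports which process owns each established connection to remote port 80, and which process is listening on a given local port. The column layout assumed for netstat is the one Windows has used for years, but it may vary by version, so check a real capture against the parser before relying on it.

```python
"""Join `netstat -ano` rows to `tasklist /fo csv /nh` process names.

Added example; not from the original article. Both samples below are
constructed for the demonstration, not captured from a real system.
"""
import csv
import io
from collections import namedtuple

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED     4120
  TCP    192.168.1.10:49153     203.0.113.7:80         ESTABLISHED     1520
  TCP    192.168.1.10:49154     198.51.100.9:443       ESTABLISHED     4120
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv /nh` output (not a real capture).
TASKLIST_SAMPLE = """\
"svchost.exe","876","Services","0","9,876 K"
"sqlservr.exe","2044","Services","0","120,004 K"
"firefox.exe","4120","Console","1","210,332 K"
"wmplayer.exe","1520","Console","1","45,120 K"
"lsass.exe","1204","Services","0","6,540 K"
"""

Connection = namedtuple("Connection", "proto local remote state pid")


def parse_netstat(text):
    """Return Connection records from netstat -ano text, skipping headers."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        if fields[0] == "UDP":
            # UDP rows have no State column: Proto Local Foreign PID
            proto, local, remote, pid = fields[:4]
            state = ""
        else:
            proto, local, remote, state, pid = fields[:5]
        conns.append(Connection(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist CSV (header row tolerated)."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def port_of(addr):
    """Extract the port from 'host:port' ('*:*' and '[::1]:80' handled)."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def owners_by_remote_port(netstat_text, tasklist_text, port):
    """List (image, pid, remote) for established TCP sessions to `port`."""
    names = parse_tasklist(tasklist_text)
    result = []
    for c in parse_netstat(netstat_text):
        if c.proto == "TCP" and c.state == "ESTABLISHED" and port_of(c.remote) == port:
            image = names.get(c.pid, "<unknown pid %d>" % c.pid)
            result.append((image, c.pid, c.remote))
    return sorted(result)


def listener_owner(netstat_text, tasklist_text, port):
    """Return the image name listening on local `port`, or None."""
    names = parse_tasklist(tasklist_text)
    for c in parse_netstat(netstat_text):
        if c.state == "LISTENING" and port_of(c.local) == port:
            return names.get(c.pid)
    return None


if __name__ == "__main__":
    for image, pid, remote in owners_by_remote_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 80):
        print("%-14s pid %-6d -> %s" % (image, pid, remote))
    print("port 1433 listener:", listener_owner(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 1433))
```

On a live system you would feed the script the actual output of the two commands rather than the constructed strings; the point of the join is that two different programs (here a browser and a media player) can both hold port-80 sessions that look identical in a packet capture, and only the PID column tells them apart.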

Link a program to its network connections

Unlike most other network-monitoring utilities, TCPView is simple and single-purpose. The program displays everything you need to see in one window, and you probably won’t need to change the utility’s default settings (see Figure 1).


All Windows Secrets articles posted on 2008-06-05:


About Ryan Russell

Ryan Russell is a quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.