You may know how to monitor the processes running on your Windows machine, and you may know how to check to see if there are any abnormal network connections being made, but do you know how to synchronize this information to determine exactly what processes are creating what connections? By using some of the non-default options and settings in the Netstat command-line tool and Windows Task Manager, you can do just that.

Show the Owner PID with Netstat

Netstat has an option (-o) that causes the PID of the process that is in control of each open port and connection to be displayed. The -a option makes sure that listening ports are included in the results. Also, I like to include the -n option so that all addresses and ports are in numerical form.

1. Open a command prompt (Start -> Run -> “cmd”)
2. Type “netstat -ona” and press Enter.

If you want to narrow down your results to a particular port or address that you think is a problem, you can use the find command, which filters out lines that do not contain the given text. The following is the result of executing the command netstat -ona | find “80”.

The output shows that three lines contained the text “80.” So, if you wanted to know what process was listening on port 80, you would now see that its PID is 416.

View the PID Column in Task Manager

Now that you have the PID in question, the only thing left to do is match it up with the process name. Task Manager only displays a few columns of process information by default, but there is a lot more information from which you can choose. One of those extra columns is the PID.

1. Right-click the Windows taskbar.
2. Click Task Manager in the menu that appears.
3. Choose the Processes tab.
4. Click Select Columns… on the View menu.
5. Check the PID (Process Identifier) box.
6. Click OK.

Now, I can sort my processes by PID and find out that, as expected, 416 is the process identifier for Tomcat, which is the service that is listening on port 80.
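As an added example, not part of the original post, here is a Python script that automates the two steps above on saved output: it parses `netstat -ona` text, matches the exact local port (rather than the substring that `find “80”` would also match in 8080 or an address), and joins the PID against `tasklist /FO CSV` output, which is the command-line counterpart of the Task Manager PID column. Both inputs are constructed samples and the image names in them are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ona` output. UDP lines carry no State
# column; PID 416 mirrors the post's Tomcat example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       416
  TCP    192.168.1.5:8080       10.0.0.2:51234         ESTABLISHED     416
  TCP    192.168.1.5:49152      203.0.113.7:80         ESTABLISHED     2204
  TCP    [::]:80                [::]:0                 LISTENING       416
  UDP    0.0.0.0:500            *:*                                    1128
"""

# Constructed sample of `tasklist /FO CSV` output; image names are hypothetical.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"tomcat.exe","416","Services","0","98,112 K"
"browser.exe","2204","Console","1","150,220 K"
"lsass.exe","1128","Services","0","8,412 K"
'''


def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ona` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        addr, port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 [::]:80 intact
        rows.append({"proto": parts[0], "local_addr": addr, "local_port": int(port),
                     "foreign": parts[2], "state": parts[3] if len(parts) == 5 else "",
                     "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def owners_of_local_port(netstat_text, tasklist_text, port):
    """(pid, image name) pairs bound to exactly this local port. Unlike
    `find "80"`, this will not also match 8080, 180 or an address containing 80."""
    names = parse_tasklist(tasklist_text)
    return sorted({(r["pid"], names.get(r["pid"], "<unknown>"))
                   for r in parse_netstat(netstat_text) if r["local_port"] == port})
```

On a live machine, redirect `netstat -ona > net.txt` and `tasklist /FO CSV > tasks.txt` and feed the file contents to `owners_of_local_port`.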

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

One thought on “Associating Processes with Network Connections”

  1. Tim says:

    You can also add the -b option if you want to know the executable associated with that connection in netstat – leaving you with a “netstat -onab”

    NOTE: this doesn’t always work, so the way Mike described is always a great fallback if the executable can’t be found with the -b option.
