In another article, we talked about computer ports and what they are used for. But what else can we do with port information? Since all of the computer’s inbound and outbound traffic goes through ports, we can check them to see what they are doing. Maybe a port is not listening for traffic? Maybe something that shouldn’t be there is using a port?
We are going to use the Windows netstat command to see our listening ports and PID (Process ID). We’ll also see what we can do with this information.
What is Netstat?
The name netstat is a combination of the words network and statistics. The netstat command works in all versions of Windows, from Windows XP to Windows 10. It is also available in other operating systems (OS) such as Unix and Linux, but here we will focus on Windows.
Netstat can provide us with:
- The name of the protocol that the port is using (TCP or UDP).
- The local IP address or computer name and the port number used.
- The IP address and port number to which we connect.
- The state of the TCP connection. Read more about these states in the RFC 793 Event Handling section.
Use Netstat to see Listening Ports and PID
- Use the Win Key + X key combination. In the menu that opens, select Command Prompt.
- Enter the command netstat -a -n -o. The parameters for netstat are preceded by a hyphen, not a forward slash like many other commands. The -a parameter tells it to show us all active connections and the ports that the computer is listening on.
The -n option tells netstat to display IP addresses and ports as numbers only, without trying to resolve names. This makes the display faster and cleaner. The -o option tells netstat to include the PID. We’ll use the PID later to figure out which process is using a particular port.
- Review the results and note the addresses, port numbers, status, and PIDs. Let’s say we want to know what is using port 63240. Note that its PID is 8552 and it connects to IP address 172.217.12.138 on port 443.
What is using this port?
- Open Task Manager. The easiest way to do this is with the Ctrl + Shift + Esc key combination.
- Click the Details tab. For an easier search, click the PID column heading to sort the IDs by number.
- Scroll down to PID 8552 and see what this process is. In this case, it’s googledrivesync.exe. But is it really so? Viruses can sometimes look like legitimate processes.
- In a web browser, go to ipinfo.io and enter the IP address 172.217.12.138. As we can see, the IP address is registered to Google. So this googledrivesync.exe is legitimate.
How to get Port, PID, and Process Name in PowerShell
PowerShell is Microsoft’s new way of using the command line interface on Windows. We say that it is newer, but there are already several versions. You should learn PowerShell even if you are a home user.
Most Windows commands also work in PowerShell, and we can combine them with PowerShell cmdlets (pronounced command-let). Joe from Winteltools.com provides a script for this method.
- Open Notepad and enter the following code:
```powershell
# Keep only the TCP and UDP rows of the netstat output
$netstat = netstat -aon | Select-String -Pattern "(TCP|UDP)"
$processList = Get-Process

foreach ($result in $netstat) {
    # The PID is the last space-separated field on each row
    $splitArray = $result -split " "
    $procID = $splitArray[$splitArray.Length - 1]
    $processName = $processList | Where-Object { $_.Id -eq $procID } | Select-Object ProcessName
    # Append the process name after the PID and print the rebuilt row
    $splitArray[$splitArray.Length - 1] = $procID + " " + $processName.ProcessName
    $splitArray -join " "
}
```
- Save the file as get-NetstatProcessName.ps1. Be sure to note where it is being saved. It is important to change the “Save as type” setting to “All files (*.*)”; otherwise it will be saved as get-NetstatProcessName.ps1.txt, and it won’t work for us.
- Open PowerShell and navigate to the folder where the script was saved. In this case, it is cd C:\Scripts. Press Enter to run the command.
- Run the script by putting ./ in front of the filename, which tells PowerShell to look for it in the current folder. The command will look like ./get-NetstatProcessName.ps1
- We can now see all the traditional netstat information plus the process name. You no longer need to open the Task Manager.
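An added example, not the article's or Winteltools' script: it parses netstat -aon rows into objects rather than strings and, for the "is it really so?" check in the Task Manager steps, attaches each PID's process name, executable path and Authenticode signature status. The function names and sample rows are made up for illustration (the sample reuses the article's port 63240 / PID 8552 row with a constructed local address), and Get-Process returns an empty path for some system processes unless PowerShell runs elevated.

```powershell
# Added example; function names are hypothetical, not from the article.
function ConvertFrom-NetstatLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # TCP rows: Proto Local Foreign State PID. UDP rows have no State column.
        $f = $Line.Trim() -split '\s+'
        if ($f[0] -notin 'TCP','UDP' -or $f.Count -lt 4) { return }  # skip headers
        [pscustomobject]@{
            Proto     = $f[0]
            Local     = $f[1]
            LocalPort = [int]($f[1] -replace '^.*:', '')  # last colon, so [::]:445 works
            Remote    = $f[2]
            State     = if ($f.Count -ge 5) { $f[3] } else { '' }
            ProcessId = [int]($f[-1])
        }
    }
}

function Add-ProcessIdentity {
    param([Parameter(ValueFromPipeline)]$Conn)
    process {
        $p = Get-Process -Id $Conn.ProcessId -ErrorAction SilentlyContinue
        # A name alone proves little: also record where the binary lives and who signed it.
        $path = if ($p) { $p.Path }
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path }
        $Conn | Add-Member -PassThru -NotePropertyMembers @{
            ProcessName = if ($p) { $p.ProcessName } else { '<exited>' }
            Path        = $path
            Signature   = if ($sig) { "$($sig.Status)" } else { 'Unknown' }
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

# Constructed sample in the layout of `netstat -aon` (values are illustrative).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1020
  TCP    192.168.1.10:63240     172.217.12.138:443     ESTABLISHED     8552
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2316
'@ -split "`r?`n"
$sample | ConvertFrom-NetstatLine | Format-Table   # offline: parsing only

# Live: listening ports, their owning process, and whether the binary is signed.
netstat -aon | ConvertFrom-NetstatLine | Where-Object State -eq 'LISTENING' |
    Add-ProcessIdentity | Format-Table LocalPort, ProcessId, ProcessName, Signature, Path
```

A listener whose Path sits in a user-writable folder, or whose Signature is anything other than Valid, is the row worth a closer look.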
Go get them
We’ve covered two ways to use the netstat command to view listening ports. It can be used either in the old command line or in a PowerShell script. Using the information it can provide us, we looked at how it can help us understand what our computer is doing.
If you think netstat is a great utility, take a look at some of the other Windows TCP/IP utilities like tracert, ipconfig, and nslookup. Or use Resource Monitor to better examine hidden website and internet connections. There is a lot you can do to find out exactly what your computer is doing.
Have you used netstat to solve a problem? Please tell us what you did. Questions about how to use netstat? Ask us in the comments below.