This is the first post in a series covering various Sysinternals tools – today we will look at TCPView.
What is TCPView?
If you are familiar with the netstat command you can consider TCPView as a graphical version TCPView displays both IPv4 and IPv6 TCP/UDP connections on your system alongside the process which owns them. This can be valuable when trying to understand which processes connections are tied to, whether for troubleshooting or documenting/security.
What information does it present and how do I use it?
The following columns are available –
- PID (Process ID)
- Local Address
- Local Port
- Remote Address
- Remote Port
- Sent Packets
- Sent Bytes
- Received Packets
- Received Bytes
The interface by default will automatically refresh every second however this can be changed to 2 seconds, 5 seconds or paused completely. On a busy system it may be easier to pause the automatic refresh and use ‘manual’ mode by pressing F5 to perform a refresh on demand.
New connections between refreshes are highlighted in green while those connections that have been removed are highlighted in red. Connections which have switched between states are highlighted in yellow.
Name resolution is performed by default when launching the program. This means both the IP address and port will be resolved to their DNS and friendly names. As an example, if you have a connection using SSH and resolve is enabled the interface will show the port as ‘SSH’ however if you turn off resolution it will just show the port number of 22. This can be toggled via the Options menu ‘Resolve Addresses’, using the key combination CTRL+R or by clicking on the ‘A’ symbol in the toolbar.
By default all connection types are shown however you may wish to only show those which are connected. This can be achieved by clicking the toolbar button which looks like a pipe or using the key combination CTRL+U. If you change this option the interface will refresh itself.
The interface results can be saved by clicking on the save icon on the toolbar, the key combination CTRL+S or via the File menu options. The text file format is tab delimited ASCII text so it’s nice and easy to import this into Microsoft Excel to review the data outside of the Sysinternals tool. If you only want to ‘save’/copy the data from a single connection you can click on it and just use CTRL+C then paste into Notepad, example below with resolution enabled and disabled.
RDCMan.exe 5740 TCP ab.localdomain 63445 172.16.2.9 ms-wbt-server ESTABLISHED 365 18,615
RDCMan.exe 5740 TCP 192.168.2.2 63445 172.16.2.9 3389 ESTABLISHED 382 19,482
If you so desire you can force a connection to be closed by either right-clicking on the relevant connection and selecting ‘Close Connection’ or via the File menu option. Please be careful with this option, as you can ‘shift’ select multiple connections and close them all without any dialog confirmations it can be easy to break something! You can also end the process associated with a connection, again use this with caution – thankfully a confirmation dialog is presented when attempting to do this.
Whois information is available for any fully qualified names in the connections list. The tool will attempt to perform a whois and present this data in a popup window. You can access this data by either right-clicking on the connection of interest and selecting the ‘Whois…’ option or via the File menu option.
Below we have a number of screenshots showing the interface, process properties and whois windows.