PortQry and PortReporter are two tools that can help you determine which programs are listening on your computer's network ports. Such tools are important if you need to troubleshoot network services or detect unwanted programs. PortQry is a Microsoft-focused network port scanner with local-host-monitoring features. The other tool is Port Reporter (PortRptr.exe), which lets you monitor network activity from a particular computer over a longer period of time. Whereas PortQry gives you a real-time look at which network-aware applications are running and their network connection states, Port Reporter logs TCP and UDP port activity and compiles a history of network activity and corresponding applications for a system over time, so you can review the results later. Port Reporter also provides verbose logging when host applications change network connections, for example, when they accept a new connection. You can manually review this information to, for example, discover which applications are accepting or establishing network connections. Port Reporter also logs the DLLs that applications use so that you know exactly what code is accessing the network.
Depending on the amount of traffic, Port Reporter logs tend to grow too large to parse manually. For larger log files, you can use another free Microsoft tool called Port Reporter Parser to interpret and analyze the data and present it in a streamlined format. Let's look at both tools.
Downloading Port Reporter
Port Reporter is a free Microsoft tool that installs itself as a service. You download the Port Reporter files from Microsoft (http://www.microsoft.com/downloads/details.aspx?familyid=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en) and extract them to a folder of your choice. Run the setup program, pr-setup.exe, to install the application on the computer that you want to monitor. By default, the setup program installs Port Reporter in C:\Program Files\PortReporter. Because of this setup process, Port Reporter isn't as agile as PortQry, but as you'll see, it provides far more information.
From the Control Panel Administrative Tools applet, open Services. Scroll down to Port Reporter and start the service, as Figure 1 shows. If you leave the service running under the LocalSystem account, it can collect information from every process, including processes it could not inspect if run under a less-privileged account. Port Reporter logs its data to the \LogFiles directory that other Windows applications also use (e.g., %systemroot%\System32\LogFiles\PortReporter).
You can configure Port Reporter to rotate the log files by creating a new log whenever you start the service, each day, or when the size limit is reached. By default, Port Reporter creates a new log file when the current log file reaches 5MB in size. You can change the location and maximum size of the log files by accessing the service's Properties dialog box, selecting the General tab, and entering custom start parameters for the service. For example, the start parameters
-ld 'C:\PRLogFiles' -ls 10000
specify that Port Reporter should output its logs to C:\PRLogFiles and create a new log file when the old one reaches a maximum size of 10,000KB.
When you start the service, Port Reporter creates three separate log files (INITIAL, PORTS, and PIDS) named by date and time of creation, for example, PR-INITIAL-04-08-28-16-7-19.log, PR-PORTS-04-08-28-16-7-19.log, and PR-PIDS-04-08-28-16-7-19.log.
Port Reporter Parser
Port Reporter provides a wealth of information across the three classes of log files. To help with the daunting process of interpreting and correlating this data from the three files, Microsoft offers a Port Reporter log-file parsing tool.
Download Port Reporter Parser (prparser.exe) from Microsoft (http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe) and extract the file to a folder of your choice. Run the setup program prpsetup.msi, which will install the application into C:\Program Files\Microsoft\PR-Parser. (Prpsetup.msi requires that you first install Windows .NET Framework 1.1.) Run the application, and select a PORTS log file to analyze. Port Reporter Parser opens the file and parses it into a matrix of data, as Figure 4 shows.
At first glance, the data that Port Reporter Parser provides doesn't look that different from an Excel CSV parse, but actually Port Reporter Parser does much more. You can drill down into any log entry to pull detailed corresponding information from the PIDS file. Additionally, you can filter the data or highlight data according to a set of criteria that you define. You can set criteria based on module name, IP address, ports, user accounts, or host name. When you apply the criteria, Port Reporter Parser highlights matching records in red so that they stand out from the others. Additionally, when you drill down to a highlighted entry, Port Reporter Parser warns you that the data has been flagged and displays a customizable notification.
Port Reporter Parser also provides DNS resolution for logged IP addresses and can perform basic statistical breakdowns in the form of Local TCP Port Usage, Process Usage, svchost.exe Enumeration, Remote IP Address Usage, User Context Usage, Port Usage by Hour, and iexplore.exe Usage. These statistics reveal a vast amount of useful information about the computer's network activity. For example, svchost.exe Enumeration uncovers all the services hosted by svchost.exe, a program that mystifies many users by masking applications in Task Manager under the generic name svchost.exe. Figure 5 shows sample log-analysis data for Process Usage, which reports on the number of network connections that different processes make. The program also lets you open the corresponding INITIAL log and apply criteria to it, for example to highlight certain ports or applications in that log.
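To make concrete what the parser does when it correlates PORTS records with PIDS detail, applies highlight criteria, and builds the Process Usage, Remote IP Address Usage and Port Usage by Hour breakdowns, here is an added example in Python. It is not Port Reporter Parser's code and does not reproduce the real Port Reporter log layout: the tab-separated columns, the sample records, the PID-to-module table and every address, process and user name in it are constructed for illustration.

```python
"""Added example: the correlation and statistics Port Reporter Parser
performs, run over a constructed log.  The column layout is an
assumption; the real PR-PORTS format is not reproduced here."""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample in an assumed tab-separated layout:
# date  time  protocol  local_port  remote_ip  remote_port  pid  module  user
SAMPLE_PORTS_LOG = """\
04-08-28\t16:07:19\tTCP\t445\t192.0.2.10\t1045\t4\tSystem\tNT AUTHORITY\\SYSTEM
04-08-28\t16:07:22\tTCP\t1051\t198.51.100.7\t80\t1820\tiexplore.exe\tCORP\\alice
04-08-28\t16:09:01\tTCP\t1052\t198.51.100.7\t443\t1820\tiexplore.exe\tCORP\\alice
04-08-28\t17:10:44\tUDP\t137\t192.0.2.255\t137\t4\tSystem\tNT AUTHORITY\\SYSTEM
04-08-28\t17:12:05\tTCP\t1060\t203.0.113.5\t8080\t2310\tupdater.exe\tCORP\\alice
04-08-28\t17:12:09\tTCP\t1061\t203.0.113.5\t8080\t2310\tupdater.exe\tCORP\\alice
04-08-28\t18:00:00\tTCP\t135\t192.0.2.11\t2049\t940\tsvchost.exe\tNT AUTHORITY\\NETWORK SERVICE
"""

# Constructed PIDS-style detail: the modules (DLLs) each PID had loaded.
SAMPLE_PIDS = {
    "4": ["ntoskrnl.exe"],
    "940": ["svchost.exe", "rpcss.dll", "ws2_32.dll"],
    "1820": ["iexplore.exe", "wininet.dll", "ws2_32.dll"],
    "2310": ["updater.exe", "ws2_32.dll", "thirdparty.dll"],
}

FIELDS = ["date", "time", "protocol", "local_port", "remote_ip",
          "remote_port", "pid", "module", "user"]


def parse_ports_log(text):
    """Return one dict per record from the assumed tab-separated PORTS log."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    return [dict(row) for row in reader]


def process_usage(records):
    """Process Usage: number of logged connections per (module, PID)."""
    return Counter((r["module"], r["pid"]) for r in records)


def remote_ip_usage(records):
    """Remote IP Address Usage: connections per remote address."""
    return Counter(r["remote_ip"] for r in records)


def port_usage_by_hour(records):
    """Port Usage by Hour: sorted distinct local ports touched in each hour."""
    by_hour = defaultdict(set)
    for r in records:
        by_hour[r["time"][:2]].add(int(r["local_port"]))
    return {hour: sorted(ports) for hour, ports in by_hour.items()}


def flag_records(records, modules=(), ips=(), ports=(), users=()):
    """Highlight criteria: a record is flagged when any field matches any
    criterion (module name, remote IP, local or remote port, user account).
    The parser colours such rows red; here they are returned as a list."""
    mods = {m.lower() for m in modules}
    accts = {u.lower() for u in users}
    hits = []
    for r in records:
        if (r["module"].lower() in mods
                or r["remote_ip"] in ips
                or int(r["local_port"]) in ports
                or int(r["remote_port"]) in ports
                or r["user"].lower() in accts):
            hits.append(r)
    return hits


def drill_down(record, pids=SAMPLE_PIDS):
    """Join a PORTS record with its PIDS detail, as the parser does when
    you open an entry: the result shows which code was behind the socket."""
    return {**record, "loaded_modules": pids.get(record["pid"], [])}


if __name__ == "__main__":
    recs = parse_ports_log(SAMPLE_PORTS_LOG)
    print("Process Usage:", dict(process_usage(recs)))
    print("Remote IP Address Usage:", dict(remote_ip_usage(recs)))
    print("Port Usage by Hour:", port_usage_by_hour(recs))
    for hit in flag_records(recs, ports={8080}):
        print("flagged:", drill_down(hit))
```

The criteria in `flag_records` mirror the five fields the parser lets you filter on; the drill-down join is what turns a flagged connection into an answer to the question the article poses, namely which code in that process was using the network.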
Putting It All Together
Like PortQry, Port Reporter and Port Reporter Parser increase visibility into the network activity on your Windows systems and greatly augment your security toolkit. Port Reporter and its essential Port Reporter Parser sidekick provide insight and data analysis of network activity on a particular host over time. These tools expose information and present it in a unique way to help you discover exactly which applications are using your network.