2 Simple Commands Let You Match TCP Connections With Processes

In many situations, it's helpful to identify which TCP connections are associated with which processes on a computer. With this information, you can determine whether a TCP connection is valid or unauthorized, determine whether a connection that's been active for a long time should be disconnected, or troubleshoot other types of problems.

You can use two simple commands to quickly match TCP connections with processes. First, you use the following Netstat command:

netstat -aenos -p tcp 

In the output, you need to locate the Active Connections section. As Figure 1 shows, this section includes the Foreign Address, State, and PID columns. The Foreign Address column contains the TCP/IP address and port (which appears after the colon) of the remote computer to which the local computer is connected. The State column specifies the connection's state when the Netstat command executed. The PID column shows the process identifier (PID) associated with the TCP connection.

The PID is the information you're after, but few people can identify a process by its PID. To get the name of the process, you can run the following Tasklist command:

tasklist /v /fo List /fi "pid eq xxx" 

where xxx is the PID. As Figure 2 shows, the output includes the process's image name (e.g., iexplore.exe) and display name (e.g., Microsoft Internet Explorer).
—Fritz Shad
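The two steps above can be chained so that the lookup is done once for every PID in the Netstat table rather than by hand. The following PowerShell script is an added example, not part of the original article: it runs netstat -ano -p tcp (the article's command without the -e and -s statistics switches, which the script does not need), parses the Active Connections lines, and resolves each PID with tasklist /v /fo csv exactly as the article's Tasklist step does, emitting one object per connection with its image name and the account it runs under. The function name Get-TcpConnectionOwner and the State parameter are this example's own; the script assumes a Windows host with netstat.exe and tasklist.exe on the PATH.

```powershell
# Added example (not from the original article): join netstat's Active Connections
# table with tasklist output so every TCP connection is listed next to its process.
# Assumes netstat.exe and tasklist.exe are available; run from a PowerShell prompt.

function Get-TcpConnectionOwner {
    [CmdletBinding()]
    param(
        # Optional state filter, e.g. ESTABLISHED or LISTENING. Empty means all states.
        [string]$State = ''
    )

    # Cache tasklist results so each PID is queried only once.
    $ownerByPid = @{}

    # netstat -ano -p tcp rows look like:
    #   TCP    192.0.2.10:49152    198.51.100.5:443    ESTABLISHED    1234
    $rows = netstat -ano -p tcp | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($row in $rows) {
        $fields = $row.Trim() -split '\s+'
        # Skip anything that does not have the five expected columns or a numeric PID.
        if ($fields.Count -lt 5 -or $fields[4] -notmatch '^\d+$') { continue }

        $procId = [int]$fields[4]
        if ($State -and $fields[3] -ne $State) { continue }

        if (-not $ownerByPid.ContainsKey($procId)) {
            # tasklist /v /fo csv /nh columns, in order:
            #   Image Name, PID, Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title
            # When no task matches, tasklist prints an INFO line instead of CSV, so keep only quoted rows.
            $csv = tasklist /v /fo csv /nh /fi "pid eq $procId" |
                Where-Object { $_ -match '^"' } |
                ConvertFrom-Csv -Header ImageName,PID,Session,SessionNum,Mem,Status,UserName,CpuTime,WindowTitle

            $ownerByPid[$procId] = if ($csv) {
                [PSCustomObject]@{ ImageName = $csv.ImageName; UserName = $csv.UserName; WindowTitle = $csv.WindowTitle }
            } else {
                # Process may have exited between the netstat and tasklist calls.
                [PSCustomObject]@{ ImageName = '<not found>'; UserName = ''; WindowTitle = '' }
            }
        }

        [PSCustomObject]@{
            LocalAddress   = $fields[1]
            ForeignAddress = $fields[2]
            State          = $fields[3]
            PID            = $procId
            ImageName      = $ownerByPid[$procId].ImageName
            UserName       = $ownerByPid[$procId].UserName
            WindowTitle    = $ownerByPid[$procId].WindowTitle
        }
    }
}

# Usage: review every established connection together with the process that owns it.
Get-TcpConnectionOwner -State ESTABLISHED | Format-Table -AutoSize
```

Because netstat and tasklist run at different moments, a PID can disappear between the two calls; the script reports such rows as `<not found>` rather than dropping them, which is the safer choice when the list is being used to decide whether a connection is legitimate. Omit the -State argument to see listening sockets and half-closed connections as well.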
