Using netstat with TCPEye and CurrPorts
Several of the programs described in this blog (such as SamSpade, SuperScan, and LanSpy) are basically graphical front ends for issuing common network query and diagnostic commands, and displaying their results. The aforementioned tools make it easy to use commands like ping, traceroute, nslookup, whois and others, and the results of these commands are presented in easy-to-read formats.
Two popular graphical interfaces for the netstat command are TCPEye and CurrPorts. To properly utilize these tools, you need to first understand the function of the netstat command. Netstat displays protocol statistics and the current TCP/IP connections of the computer on which it was invoked.
TCPEye by TCPMonitor is one of the most popular items in Download.com’s Network Tools category. Version 1.0 was released in February 2010 and was the most recent release at the time of writing. TCPEye appears to perform the netstat -b -n -a -P TCP command (or something similar) and it then displays the results graphically. It then gives you the ability to perform whois and GeoIP lookups on the remote IP addresses.
The real value of a utility like TCPEye is revealed when you compare the results of the netstat command in a command line environment, such as Windows PowerShell, with the results of netstat performed within TCPEye. Here are screenshots of netstat performed in the command line and in the graphical utility.
In my opinion the netstat results are far easier to view and work with in TCPEye than in Windows PowerShell or the Windows command prompt. TCPEye presents the data in the following columns:
- Process – the process that is using a TCP/IP connection, such as firefox.exe.
- Local Address – this is the socket (IP address and port number) on your computer that the process is using, such as 192.168.1.10:1032.
- Remote Address – this is the socket (IP address and port number) of the destination host that is talking with your computer, such as 220.127.116.11:443.
- State – the state of the TCP/IP connection between the local and remote hosts. The state can be Established, Time_Wait, Syn_Sent, Fin_Wait, Close_Wait.
- Protocol – the protocol in use for the connection, such as TCPv4 or TCPv6.
- Country – the country of origin of the remote address.
- Process Path – the path to the process executable, such as C:\Program Files\Mozilla Firefox\firefox.exe.
- Product Name – the recognized name of the application using the process, such as ‘Firefox’ or ‘Microsoft Office Word’ for winword.exe.
- Company Name – the software vendor.
- File Description – usually the same as the product name.
- File Version – the exact version of the process executable. You can find this by right-clicking the .exe file and looking at Properties.
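To show what a front end of this kind has to do with the raw text, here is an added example (not code from TCPEye, CurrPorts or the original post) that parses netstat -b -n -a -p TCP output into the Process, Local Address, Remote Address, State and Protocol columns and then groups established connections by owning process. The sample output is constructed, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -b -n -a -p TCP` output (not from a real host).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:1032      203.0.113.5:443        ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:1040      198.51.100.7:80        TIME_WAIT
  TCP    192.168.1.10:1051      203.0.113.9:443        ESTABLISHED
 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING
 [svchost.exe]
"""

CONN = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")   # one connection line
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")                      # [process.exe] line

def parse_netstat_b(text):
    """Turn netstat -b text into one row per connection, like the GUI grid."""
    rows = []
    for line in text.splitlines():
        conn = CONN.match(line)
        if conn:
            local, remote, state = conn.groups()
            rows.append({
                "process": None,  # filled in by a following [name.exe] line
                "local": local, "remote": remote, "state": state,
                "protocol": "TCPv6" if local.startswith("[") else "TCPv4",
            })
        elif rows and (owner := OWNER.match(line)):
            rows[-1]["process"] = owner.group(1)
        # Headers, service names (RpcSs) and the ownership notice name no owner.
    return rows

def established_by_process(rows):
    """Group remote sockets of ESTABLISHED connections by owning process."""
    grouped = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            grouped[r["process"] or "<unknown>"].append(r["remote"])
    return dict(grouped)

print(established_by_process(parse_netstat_b(SAMPLE)))
```

Connections that end up under "<unknown>" are the ones netstat could not attribute to a process, which usually means the command was not run from an elevated prompt.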
A very similar tool to TCPEye is CurrPorts by NirSoft. CurrPorts is like TCPEye on steroids. Unlike TCPEye, CurrPorts is portable (doesn’t need to be installed; can be run by just launching cports.exe) and it offers more features and options, as shown below.
In addition to HTML report generation, CurrPorts also offers extensive command line and logging options, as described on its download page. NirSoft has published quite a few additional networking tools, including a packet sniffer, WLAN detector, and graphical tools for ping, DNS, whois, etc.