How do I find out which program and process ID accesses a given IP address in Windows?

19

9

Is it possible to catch, which program is accessing a specific IP address?

I found my computer is flooding and wish to check addresses one by one.

May be it is possible to set up some audit for this?

Dims

Posted 2015-02-14T12:04:29.380

Reputation: 8 464

Answers

31

TCPView Solution

TCPView from SystemInternals will display "detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections."

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

enter image description here

  • Make sure you have "Resolve Addresses" unticked to get IP Addresses instead of Domain Names.

    enter image description here

You can sort the results by "Remote Address" to find the IP Address you are interested in.

Example:

  • This screenshot shows Firefox connecting to stackoverflow.com.

    enter image description here

CurrPorts Solution

CurrPorts from Nirsoft provides very similar functionality.

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.

enter image description here

Example:

  • This screenshot shows Firefox connecting to stackoverflow.com.

    enter image description here

What if I want to log the results?

TcpLogView also from Nirsoft provides logging of TCP connnections.

TcpLogView is a simple utility that monitors the opened TCP connections on your system, and adds a new log line every time that a TCP connection is opened or closed. For every log line, the following information is displayed: Even Time, Event Type (Open, Close, Listen), Local Address, Remote Address, Remote Host Name, Local Port, Remote Port, Process ID, Process Name, and the country information of the Remote IP (Requires to download IP to country file separately.)

enter image description here

Disclaimer

I am not affiliated with SystemInternals (part of Microsoft) or Nirsoft in any way, I am just an end user of their (free) utilities.

DavidPostill

Posted 2015-02-14T12:04:29.380

Reputation: 118 938

I am afraid it is impossible to catch few packets this way, since it is disappearing fast. I need logging. – Dims – 2015-02-14T12:34:12.243

Imagine I wish to catch who is sending packets to 88.221.132.207. How to see that? This application even has no search or filtering capabilities. I.e. I even will be unable to catch it by eye if it is disappearing fast. – Dims – 2015-02-14T12:38:18.663

1

Then you probably need a packet sniffer like Wireshark

– DavidPostill – 2015-02-14T12:41:23.397

1Wireshark does not show process ID. I need to know (1) process (2) IP; both – Dims – 2015-02-14T12:42:40.637

6@Dims Use TCPLogView also from Nirsoft. Answer updated – DavidPostill – 2015-02-14T12:54:13.317

8

In Windows 7/8*/10 you can use Resource Monitor -> Network Tab.

Easiest way to open the resource monitor is:

  • Open Task Manager (right taskbar -> Start Task Manager)
  • Click Performance tab
  • Click Resource Monitor button

Resource Monitor -> Network

* = unconfirmed

Salman A

Posted 2015-02-14T12:04:29.380

Reputation: 1 318

2

You can achieve this without downloading additional tools from an admin command shell as well.

Run an admin command shell:

  • Press start button
  • Type "cmd"
  • Press Ctrl + Shift + Enter

Enter the command: netstat -tabn

The switches mean the following:

  • -t Displays the current connection offload state.
    • ie. ESTABLISHED, LISTENING, TIME_WAIT
  • -a Displays all connections and listening ports.
  • -b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executablen ame is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
  • -n Displays addresses and port numbers in numerical form.

This admittedly isn't nearly as sophisticated as the output achieved by the many GUI options but it is present and available without downloading additional tools. It works on Linux too with slightly different switches.

antik

Posted 2015-02-14T12:04:29.380

Reputation: 269

1

As antik said, you can use netstat from within an admin command prompt. I'd suggest, though, that you use o instead of b, that way the output will be on one line for an entry and you can further filter it with find. You won't have the process name, but the process id:

E.g.

netstat -aon | find ":80"

displays all connections using port 80 (either locally or remotely)

You could then check that process in Task Manager or do another filter in the command prompt, using tasklist this time:

tasklist | find "1100"

or

tasklist /FI "PID eq 1100"

Razvan Popa

Posted 2015-02-14T12:04:29.380

Reputation: 11

Asked: 2015-02-14T12:04:29.380

Viewed: 60 122 times

Active: 2019-02-12T13:21:09.430