TCPView questions


Virus Guy

I can't find any documentation on TCPView of examples of expected or
normal output.

Looking at TCPView's display, I see the following:

Protocol Local Address Remote Address State

TCP (TCP Host name):1222 (TCP Host name):0 LISTENING
TCP (TCP Host name):1059 (TCP Host name):0 LISTENING
TCP (TCP Host name):1058 (TCP Host name):0 LISTENING
TCP (TCP Host name):1057 (TCP Host name):0 LISTENING
TCP (TCP Host name):1056 (TCP Host name):0 LISTENING

Where (TCP Host name) is my host name as set in TCP/IP properties
under host name.

I see the above even when I close all browser windows. What's up with
them?

I also see these:

TCP 192.168.1.5:nbsession (TCP Host name):0 LISTENING
UDP 192.168.1.5:nbname *:*
UDP 192.168.1.5:nbdatagram *:*
TCP 192.168.1.5:138 (TCP Host name):0 LISTENING
TCP 192.168.1.5:137 (TCP Host name):0 LISTENING

Where 192.168.1.5 is my local IP address.
 
I can't find any documentation on TCPView of examples of expected or
normal output.

Looking at TCPView's display, I see the following:

Protocol Local Address Remote Address State

TCP (TCP Host name):1222 (TCP Host name):0 LISTENING
TCP (TCP Host name):1059 (TCP Host name):0 LISTENING
TCP (TCP Host name):1058 (TCP Host name):0 LISTENING
TCP (TCP Host name):1057 (TCP Host name):0 LISTENING
TCP (TCP Host name):1056 (TCP Host name):0 LISTENING

Where (TCP Host name) is my host name as set in TCP/IP properties
under host name.

I see the above even when I close all browser windows. What's up with
them?

I also see these:

TCP 192.168.1.5:nbsession (TCP Host name):0 LISTENING
UDP 192.168.1.5:nbname *:*
UDP 192.168.1.5:nbdatagram *:*
TCP 192.168.1.5:138 (TCP Host name):0 LISTENING
TCP 192.168.1.5:137 (TCP Host name):0 LISTENING

Where 192.168.1.5 is my local IP address.

For Win 2K and XP, here's a detailed explanation of normal services
and their port number assignments:

http://www.hsc.fr./ressources/breves/min_srv_res_win.en.html

What you will see using netstat on a clean default install depends on
your version of Windows.

I like the command line utility fport from foundstone.com which maps
endpoints. You can see which app or program is acting as a server and
keeping a port open.

Art
http://home.epix.net/~artnpeg
 
Virus Guy said:
I can't find any documentation on TCPView of examples of expected or
normal output.

Looking at TCPView's display, I see the following:

Protocol Local Address Remote Address State

TCP (TCP Host name):1222 (TCP Host name):0 LISTENING
TCP (TCP Host name):1059 (TCP Host name):0 LISTENING
TCP (TCP Host name):1058 (TCP Host name):0 LISTENING
TCP (TCP Host name):1057 (TCP Host name):0 LISTENING
TCP (TCP Host name):1056 (TCP Host name):0 LISTENING

Where (TCP Host name) is my host name as set in TCP/IP properties
under host name.

I see the above even when I close all browser windows. What's up with
them?

I don't claim to be an expert at anything, but AFAIK a persistent TCP
connection to port 0 on the Remote Address (as in (TCP Host name):0 above)
is normally associated with a variety of (mostly internal) housekeeping
tasks. In the majority of cases, you won't have to worry about them.

I also see these:

TCP 192.168.1.5:nbsession (TCP Host name):0 LISTENING
UDP 192.168.1.5:nbname *:*
UDP 192.168.1.5:nbdatagram *:*
TCP 192.168.1.5:138 (TCP Host name):0 LISTENING
TCP 192.168.1.5:137 (TCP Host name):0 LISTENING

Where 192.168.1.5 is my local IP address.

These fall into the same category. They are associated with NETBIOS and
indicate that you have NETBIOS turned on, but that it is not currently
being used across the network. If your computer were to actually be using
NETBIOS across the network (as in file/printer sharing, etc), then you
would see the port 0 change to a different port number.

When it comes to TCPView, open TCP connections like these are considered
to have Unconnected Endpoints. They are there on your system, but not
actually being used to move any data. You can go to the Options menu,
uncheck the Show Unconnected Endpoints option and these entries will be
filtered out.
 
For Win 2K and XP, here's a detailed explanation of normal services
and their port number assignments:

http://www.hsc.fr./ressources/breves/min_srv_res_win.en.html

What you will see using netstat on a clean default install depends on
your version of Windows.

I like the command line utility fport from foundstone.com which maps
endpoints. You can see which app or program is acting as a server and
keeping a port open.

Personally, I prefer TCPView. It shows the calling app, PID, local and
remote address:port and current state. Unfortunately, it doesn't show
Rawsockets though. For that, I've found the Open Ports viewer in Agnitum's
Outpost firewall app comes in handy.
 
Virus Guy said:
I can't find any documentation on TCPView of examples of expected or
normal output.

Looking at TCPView's display, I see the following:

Protocol Local Address Remote Address State

TCP (TCP Host name):1222 (TCP Host name):0 LISTENING
TCP (TCP Host name):1059 (TCP Host name):0 LISTENING
TCP (TCP Host name):1058 (TCP Host name):0 LISTENING
TCP (TCP Host name):1057 (TCP Host name):0 LISTENING
TCP (TCP Host name):1056 (TCP Host name):0 LISTENING

Where (TCP Host name) is my host name as set in TCP/IP properties
under host name.

I see the above even when I close all browser windows. What's up with
them?

I also see these:

TCP 192.168.1.5:nbsession (TCP Host name):0 LISTENING
UDP 192.168.1.5:nbname *:*
UDP 192.168.1.5:nbdatagram *:*
TCP 192.168.1.5:138 (TCP Host name):0 LISTENING
TCP 192.168.1.5:137 (TCP Host name):0 LISTENING

Where 192.168.1.5 is my local IP address.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;172218

Long

http://technet2.microsoft.com/WindowsServer/en/Library/db3f617d-698e-4741-96df-bc3669a9528f1033.mspx

Short

http://tinyurl.com/ph2uz

As far as the NetBIOS stuff above, on that you seem to be behind a router.
So what difference does it make, since those ports are being protected from
the WAN by the router and the router allows the Windows machine to network
on the LAN?

If you don't want the machine to network on the LAN, then you remove Client
for MS Networks and MS File and Print Sharing service off the NIC and TCP
137, 138, 139 and 445 are closed -- no networking.

Duane :)
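
The two points made in the replies above (rows with remote port 0 or `*:*` are unconnected endpoints, and ports 137, 138, 139 and 445 belong to MS networking) can be checked mechanically. This is an added example, not part of the original posts: the row layout follows the quoted TCPView display, the sample rows are constructed, and `mypc` and `203.0.113.10` are placeholder values.

```python
import re

# Service names as TCPView shows them in the thread, mapped to port numbers.
SERVICE_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}
# Ports the thread ties to Client for MS Networks / File and Print Sharing.
MS_NETWORKING_PORTS = {137, 138, 139, 445}

ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?$")

# Constructed sample rows in the layout quoted in the thread; "mypc" stands in
# for the host name and 203.0.113.10 is a documentation address.
SAMPLE = """\
TCP mypc:1222 mypc:0 LISTENING
TCP 192.168.1.5:nbsession mypc:0 LISTENING
UDP 192.168.1.5:nbname *:*
UDP 192.168.1.5:nbdatagram *:*
TCP 192.168.1.5:1301 203.0.113.10:80 ESTABLISHED
"""

def port_number(token):
    """Numeric port for '139' or 'nbsession'; None for '*' or unknown names."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def parse_rows(text):
    """Parse TCPView-style rows into dicts, skipping lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto, "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}",
            "local_port": port_number(lport), "state": state or "",
            # No real peer: listening socket, remote port 0, or UDP wildcard.
            "unconnected": state == "LISTENING" or rport in ("0", "*"),
        })
    return rows

def connected_only(text):
    """Rows left after hiding unconnected endpoints (approximates the TCPView option)."""
    return [r for r in parse_rows(text) if not r["unconnected"]]

def ms_networking_endpoints(text):
    """Open endpoints on the NetBIOS/SMB ports named in the thread (137-139, 445)."""
    return [r for r in parse_rows(text) if r["local_port"] in MS_NETWORKING_PORTS]

if __name__ == "__main__":
    for r in ms_networking_endpoints(SAMPLE):
        print(r["proto"], r["local"], r["state"] or "-")
```

Rows returned by `ms_networking_endpoints` are the ones that should disappear once Client for MS Networks and File and Print Sharing are removed from the NIC.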
 
Duane said:
If you don't want the machine to network on the LAN, then you
remove Client for MS Networks and MS File and Print Sharing
service off the NIC and TCP 137, 138, 139 and 445 are closed
-- no networking.

I do have the network settings set to Client for MS networks, with
both NetBeui and TCP bound to it (I'm under the impression that unless
I bind TCP/IP to the "Client for MS Networks" that I won't have any
TCP/IP functionality (ie no web browsing)). I occasionally dial into
an office network, hence the reason for the "Client for MS networks"
setting.

Will apps that need TCP/IP still work if I un-bind TCP/IP from "Client
for MS networks" ? I guess I can try it.

I do not have File and Print Sharing turned on. On some office PC's
(running 98) that are sharing files, Netbeui (not TCP) is bound to the
file-sharing.
 
Virus Guy said:
I do have the network settings set to Client for MS networks, with
both NetBeui and TCP bound to it (I'm under the impression that unless
I bind TCP/IP to the "Client for MS Networks" that I won't have any
TCP/IP functionality (ie no web browsing)).

All you need for sending/receiving emails or Web browsing with such
applications is the TCP/IP protocol on the NIC.

Client for MS Networks is for networking with other MS machines in a LAN
situation and has nothing to do with the WAN/Internet.

I occasionally dial into
an office network, hence the reason for the "Client for MS networks"
setting.

Ok.

Will apps that need TCP/IP still work if I un-bind TCP/IP from "Client
for MS networks" ? I guess I can try it.

I would say on your job's LAN you will need it. But for a home situation
where you don't want to network with other machines on the LAN or you have a
single machine that has a direct connection to the modem, then you should remove
MS Client and MS F&PS off the NIC. You don't want them on a direct
connection; you don't want to network with another MS on the WAN/Internet.

I do not have File and Print Sharing turned on. On some office PC's
(running 98) that are sharing files, Netbeui (not TCP) is bound to the
file-sharing.

Ok.

Duane :)
 