Score:0

How to see which ports a process is using?


While testing our software, a large corporate customer was able to detect the third-party licensing software using port 137.

Up until this point we have only been aware of the license software using port 443.

I have looked into this with netstat, Get-NetTCPConnection, and TCPView but I can only find process activity on port 443.

When I asked the licensing company about this they acknowledged they use 137 to get the UUID for certain license types.

I am inexperienced with networking and hope that you can tell me how to see this behavior for myself.

joeqwerty:
1. The customer has said they saw this behavior and the licensing company said that it's true. Why do you need to see it for yourself? 2. What does the customer want you to do about it?
NinjaLlama:
1. I want to see it because I was not aware it was being used. Don't want to be blindsided by our software doing things we don't expect again. 2. The customer will not allow this port to be used.
dave_thompson_085:
Port 137 is netbios-ns (netbios name service) and although both TCP and UDP are reserved Windows only uses UDP, so you will never see a 'connection' using this port (UDP doesn't have connections). `netstat -nao` or tcpview with 'show unconnected endpoints' _on_ (and preferably 'resolve addresses' off) should show it; they do on my system (W10 home). However, use of this service goes through pseudo-process 4 (System) so I don't think you'll see what program(s) are using it.
Tilman Schmidt:
You need to be more specific on what you mean by the software "using a port". It can be interpreted either as "accepting connections on the port", or "making connections to that port on some other service", or both. Depending on which meaning you are referring to, you need different tools, and you may miss the second case altogether because the use may depend on specific conditions.
NinjaLlama:
@TilmanSchmidt It is sending packets through port 137. I was able to see it using SmartSniff while stepping through the software execution.
Tilman Schmidt:
That doesn't make sense. A port is nothing you "send" packets "through". It is an attribute on the source or destination side of a TCP connection. It is an essential difference whether an application is accepting incoming connections on a port, or making outgoing connections to a port.
NinjaLlama:
It may not make sense because I don't understand what I'm talking about. After a little bit of research I believe it is making outgoing connections. Port 137 is not open on the firewalls or routers but I am picking up packets using SmartSniff. This leads me to believe that, since I am detecting packets, they are outgoing, because I do not think they could be incoming due to the closed port.
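
Added example, not part of any participant's post: a PowerShell function that lists both UDP endpoints and TCP connections for a set of ports with their owning process, since `Get-NetTCPConnection` alone never shows the UDP netbios-ns endpoint described in the comments. The function name `Get-PortOwner` and the default port list are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Get-PortOwner {
    param(
        # Assumed defaults: netbios-ns, netbios-dgm, and the HTTPS port the
        # licensing software is already known to use.
        [uint16[]]$Port = @(137, 138, 443)
    )

    # UDP has no connections, only bound endpoints, so it needs its own cmdlet.
    $udp = @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort,
                      @{n='RemoteAddress';e={'*'}}, @{n='RemotePort';e={'*'}},
                      @{n='State';e={'-'}}, OwningProcess)

    # TCP: match the port on either side, so both listeners on the port and
    # outgoing connections to the port on another host are reported.
    $tcp = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Port -or $_.RemotePort -in $Port } |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, State, OwningProcess)

    foreach ($row in ($udp + $tcp)) {
        # Resolve the PID to a name; the process may have exited already.
        $proc = Get-Process -Id $row.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $row | Add-Member -NotePropertyName ProcessName -NotePropertyValue $name -PassThru
    }
}

# UDP 137 is expected to show OwningProcess 4 (System), as noted in the
# comments above, so this identifies the endpoint but not the requesting
# application; a packet capture is still needed to tie traffic to an action.
Get-PortOwner | Sort-Object Proto, LocalPort | Format-Table -AutoSize
```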
Score:0

Nirsoft.net has a tool for this called SmartSniff. You should have NPCap or WinPcap installed to use it. SmartSniff records each connection your computer makes, and displays one line per connection. In the Remote port column, you should, at some point, see a connection to some host on port 137, and which process initiated that connection. There are filtering options as well as other configuration options which may reveal what you are looking for.

By default, it does not capture process information, so you'll need to configure it:

  • After NPCap is installed, launch SmartSniff.
  • Hit F6 to halt active captures
  • Open Options menu:
    • Select 'Capture options' at bottom
    • If necessary, change to 'WinPcap Packet Capture Driver' and close menu
  • Open Options menu:
    • Select 'Retrieve process information while capturing packets' and click OK.
  • Hit F5 to start capturing again. SmartSniff looks like this:

NinjaLlama:
Thanks for the detailed response. I have followed this and see the same port 443 usage that I saw before, and expected. I have no idea where they are finding this port 137 usage.
NinjaLlama:
After lengthy diagnosing I was able to use this tool to find that my netbios-ns traffic occurs after a PDF has finished loading in a WebBrowser control. Now to just figure out why this is happening and if I can stop it.
Score:0

You can use the Resource Monitor. It will show every TCP connection and which program is listening on which port.

Alternative would be to use netstat in command prompt.

NinjaLlama:
Ok, I will try Resource Monitor to detect this behavior. I have already tried netstat and was unable to see any port 137 usage from this software.
NinjaLlama:
I have started resource monitor and ran the application. I still only see port 443 on this as well as netstat again.
Score:0

Try this tool: CrowdInspect.

This app is a host-based process inspection tool for malware analysis purposes. It has live/history process network activity monitoring, hope it helps :).
