Score:0

Server

How to see which ports a process is using?

NinjaLlama

9/4/23, 1:58 AM

While testing our software, a large corporate customer was able to detect the third-party licensing software using port 137.

Up until this point we have only been aware of the license software using port 443.

I have looked into this with netstat, Get-NetTCPConnection, and TCPView but I can only find process activity on port 443.

When I asked the licensing company about this they acknowledged they use 137 to get the UUID for certain license types.

I am inexperienced with networking and hope that you can tell me how to see this behavior for myself.

140

0 + 0

networking

windows

monitoring

port

joeqwerty

9/4/23, 2:55 AM

`1.` The customer has said they saw this behavior and the licensing company said that it's true. Why do you need to see it for yourself? `2.` What does the customer want you to do about it?

NinjaLlama

9/4/23, 3:01 AM

1. I want to see it because I was not aware it was being used. Don't want to be blindsided by our software doing things we don't expect again. 2. The customer will not allow this port to be used.

dave_thompson_085

9/5/23, 2:52 AM

Port 137 is netbios-ns (netbios name service) and although both TCP and UDP are reserved Windows only uses UDP, so you will never see a 'connection' using this port (UDP doesn't have connections). `netstat -nao` or tcpview with 'show unconnected endpoints' _on_ (and preferably 'resolve addresses' off) should show it; they do on my system (W10 home). However, use of this service goes through pseudo-process 4 (System) so I don't think you'll see what program(s) are using it.

Tilman Schmidt

9/5/23, 10:36 PM

You need to be more specific on what you mean by the software "using a port". It can be interpreted either as "accepting connections on the port", or "making connections to that port on some other service", or both. Depending on which meaning you are referring to, you need different tools, and you may miss the second case altogether because the use may depend on specific conditions.

NinjaLlama

9/7/23, 7:03 PM

@TilmanSchmidt It is sending packets through port 137. I was able to see it using SmartSniff while stepping through the software execution.

Tilman Schmidt

9/7/23, 10:40 PM

That doesn't make sense. A port is nothing you "send" packets "through". It is an attribute on the source or destination side of a TCP connection. It is an essential difference whether an application is accepting incoming connections on a port, or making outgoing connections to a port.

NinjaLlama

9/8/23, 2:37 PM

It may not make sense because I don't understand what I'm talking about. After a little bit of research I believe it is making outgoing connections. Port 137 is not open on the firewalls or routers but I am picking up packets using SmartSniff. This leads me to believe that since I am detecting packets that they are outgoing because I do not think they could be incoming due to the closed port.

Score:0

Server

RobW

9/5/23, 1:09 AM

Nirsoft.net has a tool for this called Smart Sniff. You should have NPCap or WinPcap installed to use it. SmartSniff records each connection your computer makes, and displays one line per connection. In the Remote port column, you should at some point, see a connection to some host on port 137, and which process initiated that connection. There are filtering options as well as other configuration options which may reveal what you are looking for.

By default, it does not capture process information, so you'll need to configure it:

After NPCap is installed, launch SmartSniff.
Hit F6 to halt active captures
Open Options menu:
- Select 'Capture options' at bottom
- If necessary, change to 'WinPcap Packet Capture Driver' and close menu
Open Options menu:
- Select 'Retrieve process information while capturing packets' and click OK.
Hit F5 to start capturing again. SmartSniff looks like this:

0 + 0

NinjaLlama

9/6/23, 1:34 AM

Thanks for the detailed response. I have followed this and see the same port 443 usage that I saw before, and expected. I have no idea where they are finding this port 137 usage.

NinjaLlama

9/7/23, 3:53 PM

After lengthy diagnosing I was able to use this tool to find that my netbios-ns traffic occurs after a pdf has finished loading in a WebBrowser control. Now to just figure out why this is happening and if I can stop it.

Score:0

Server

Manu

9/4/23, 6:07 AM

U can use the Ressource Monitor. It will show every TCP connection and which program is listening on which port.

Alternative would be to use netstat in command prompt.

0 + 0

NinjaLlama

9/4/23, 11:57 AM

Ok, I will try Resource Monitor to detect this behavior. I have already tried netstat and was unable to see any port 137 usage from this software.

NinjaLlama

9/5/23, 12:15 AM

I have started resource monitor and ran the application. I still only see port 443 on this as well as netstat again.

Score:0

Server

Mohammed Almudhafar

9/5/23, 10:09 PM

Try this tool crowdinspect

This app is a Host-Based Process Inspection tool for maleware analysis purposes Screenshot, it has live\History process network activity monitoring, hope it helps :).