TCPView is a free Microsoft utility to show detailed listings of your network connections.
It can help identify which programs are connecting to the internet and how much data they have sent or received.
Whilst of particular interest to network managers and advanced techs, it can be used by anyone to detect unknown, untoward, misbehaving or data-intensive processes on a network.
How To Install And Use TCPView
Using this program you can identify a malicious process, find out more about unusual processes and temporarily stop unnecessary data heavy processes – especially important if your internet is slow or data-limited e.g. 3G broadband connections.
Windows already includes the netstat command line program, which can list the same TCP/UDP endpoints (netstat -ano adds the owning process ID, and netstat -b, run from an elevated prompt, the executable name), but its output is a hard-to-read one-off snapshot. TCPView presents the same information as a live, sortable list with the process name shown alongside each endpoint.
Download TCPView as a zip file from Microsoft's Sysinternals website.
Extract the zip file and run Tcpview.exe to begin (there is no installer; accept the Sysinternals licence prompt on first run). A list of TCP/UDP endpoints is displayed along with the Process name, PID, Bytes Received/Sent, Local and Remote Address and connection State. The zip also contains Tcpvcon.exe, a command-line version of the same listing.
The list is dynamic and presents a real time picture, i.e. it changes as and when network connections are opened or closed. New endpoints are highlighted in green and closed ones in red for one refresh cycle, so even short-lived connections are visible.
By default it updates every second, but you can change the interval via View \ Update Speed in the menubar. Remote IP addresses are resolved to host names by default, which is easier to read but slower on long lists; it can be switched off via Options \ Resolve Addresses.
Right clicking a Process presents several options:
- Process Properties – shows the filename and full path of the process so you can recognize or research unknown processes
- End Process – (for advanced users) terminates the process if it is using too much data or is suspicious. Check Process Properties first: killing a system process can destabilise Windows, and a Windows service that is set to restart will simply come back
- Close Connection – (for advanced users) resets a single connection without ending the process; only available if the connection is Established. The process is free to reconnect, so this is a diagnostic step rather than a fix
- Whois – opens in a separate window and queries the registration record for the remote address, so you can see who owns it
- Copy – copy the Process and associated details for pasting into a document or file. You can save the whole list by selecting File \ Save As from the menubar.
There is also a brief help file available from the Help menu.
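The same listing TCPView shows can be rebuilt from the cmdlets that ship with Windows, which is useful on a machine where you cannot copy tools across or want to script the check. The following is an added example written for this article, not code from the TCPView download; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated PowerShell session so that every process's executable path is readable. The function name Get-EndpointSnapshot is this example's own.

```powershell
# Added example: a TCPView-style snapshot of TCP and UDP endpoints with the
# owning process, its path and (optionally) resolved remote host names.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
function Get-EndpointSnapshot {
    [CmdletBinding()]
    param(
        # Resolve remote IPs to host names, as TCPView's "Resolve Addresses" does (slow on long lists).
        [switch]$ResolveNames
    )

    $procCache = @{}   # PID -> @{ Name; Path }, so each process is looked up once, not per endpoint
    $dnsCache  = @{}   # IP  -> host name, or the IP itself when the reverse lookup fails

    $lookupProc = {
        param([int]$ProcId)
        if (-not $procCache.ContainsKey($ProcId)) {
            $p = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
            $procCache[$ProcId] = @{
                Name = $(if ($p) { $p.ProcessName } else { '<exited>' })
                # Path is empty for System/Idle and for protected processes when not elevated.
                Path = $(if ($p -and $p.Path) { $p.Path } else { '' })
            }
        }
        $procCache[$ProcId]
    }

    $resolve = {
        param([string]$Ip)
        if ($Ip -in '0.0.0.0', '::', '127.0.0.1', '::1') { return $Ip }   # nothing to resolve
        if (-not $dnsCache.ContainsKey($Ip)) {
            try   { $dnsCache[$Ip] = [System.Net.Dns]::GetHostEntry($Ip).HostName }
            catch { $dnsCache[$Ip] = $Ip }
        }
        $dnsCache[$Ip]
    }

    foreach ($c in Get-NetTCPConnection) {
        $p = & $lookupProc $c.OwningProcess
        $remote = if ($ResolveNames) { & $resolve $c.RemoteAddress } else { $c.RemoteAddress }
        [pscustomobject]@{
            Protocol = 'TCP'
            Process  = $p.Name
            PID      = $c.OwningProcess
            Local    = "$($c.LocalAddress):$($c.LocalPort)"
            Remote   = "${remote}:$($c.RemotePort)"
            State    = $c.State
            Path     = $p.Path
        }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $p = & $lookupProc $u.OwningProcess
        [pscustomobject]@{
            Protocol = 'UDP'
            Process  = $p.Name
            PID      = $u.OwningProcess
            Local    = "$($u.LocalAddress):$($u.LocalPort)"
            Remote   = '*:*'        # UDP sockets have no peer; TCPView shows them the same way
            State    = ''
            Path     = $p.Path
        }
    }
}

# Usage: one snapshot, grouped by process, widest columns first.
Get-EndpointSnapshot | Sort-Object Process, Protocol |
    Format-Table Protocol, Process, PID, Local, Remote, State -AutoSize
```

Two differences from TCPView are worth knowing: these cmdlets do not expose the per-connection byte counters TCPView displays, and the output is a single snapshot rather than a live list, so re-run the function (or pipe it to Export-Csv with a timestamp) when you want to compare before and after closing a program.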
Using TCPView To Find Specific Programs
If you’re looking for unknown applications that may access the internet, the easiest way to see the wood for the trees is to close your web browser and any programs that you know connect to the internet, e.g. email program, Skype, antivirus etc.
After a minute or two the number of endpoints will fall and it becomes easier to identify or monitor specific processes. In my own test, closing the web browser and Outlook resulted in the number of endpoints dropping from a confusing 400+ to a far more manageable 23.
Once you have a sensible number of connections displayed you can monitor the Sent/Received Bytes columns to determine high usage processes or investigate unknown processes to determine if they are valid/required.
For example, I found that TeamViewer (a remote management program which I do have installed) had several open connections to the internet even though I had not yet opened the program.
A bit of Googling revealed that the main TeamViewer service is set to start automatically with Windows, so it is running all the time. Once I changed that service from Automatic to Manual it no longer starts up with Windows, only when I run the TeamViewer program, which is better for optimization and probably safer too.
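The triage described above (ignore the processes you expect to be on the network, look at what is left, find out whether it is a service that starts with Windows, and if so switch it to Manual) can be scripted so that it is repeatable. This is an added example written for this article, not the author's or Sysinternals' code. It assumes an elevated session on Windows 8 / Server 2012 or later; the process names in the default $KnownGood list, the function names Find-UnexpectedTalkers and Set-ServiceManual, and the service name 'TeamViewer' used in the usage line are this example's own assumptions and should be checked against your machine (Get-Service *team* shows the real name).

```powershell
# Added example: report processes with live TCP connections that are NOT on an
# allow-list, show whether each is backed by a Windows service and how that
# service starts, then switch a chosen service to Manual start.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
function Find-UnexpectedTalkers {
    [CmdletBinding()]
    param(
        # Processes you have decided you expect on the network (assumed list; edit for your machine).
        [string[]]$KnownGood = @('chrome', 'msedge', 'firefox', 'OUTLOOK', 'Skype', 'MsMpEng')
    )

    # Map running service PIDs once; Win32_Service.StartMode is Auto / Manual / Disabled.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

    Get-NetTCPConnection |
        # Ignore listeners and loopback; we want processes actually talking to something remote.
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        Group-Object OwningProcess |
        ForEach-Object {
            $procId = [int]$_.Name
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            if ($name -in $KnownGood) { return }            # 'return' here skips just this group

            $svc = $services | Where-Object ProcessId -eq $procId
            [pscustomobject]@{
                Process     = $name
                PID         = $procId
                Path        = $proc.Path                    # empty when not elevated or process is gone
                Connections = $_.Count
                Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
                Service     = ($svc.Name -join ', ')        # blank if the process is not a service
                StartMode   = ($svc.StartMode -join ', ')   # 'Auto' is the case the article hit
            }
        }
}

function Set-ServiceManual {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($Name, "set startup type to Manual (currently $($svc.StartType))")) {
        Set-Service  -Name $Name -StartupType Manual
        # Stop it now as well; with Manual start it will not come back at the next boot
        # unless its own program starts it.
        Stop-Service -Name $Name -ErrorAction SilentlyContinue
    }
}

# Usage: list what is talking, then preview and apply the change for one service.
Find-UnexpectedTalkers | Format-Table Process, PID, Connections, Remotes, Service, StartMode -AutoSize
Set-ServiceManual -Name 'TeamViewer' -WhatIf     # 'TeamViewer' is an assumed service name
# Set-ServiceManual -Name 'TeamViewer'           # uncomment once the preview looks right
```

Note that this answers only the question "which processes are talking and how did they get started"; an unknown process should still be researched from its Path before its service is changed, and a process that is not a service (StartMode blank) is typically launched from a Run key, a scheduled task or a logon entry instead, which this script does not cover.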
TCPView is easy enough to use and presents detailed information about network connections, making it possible to monitor and identify data intensive or suspicious processes.
Whilst the program is more likely to appeal to advanced users, it’s also interesting for anyone who wants to understand more about their own network – or even just to see how many endpoints a single web page may create.