Using TCPView To Find Programs Using Your Internet Connection
Using this information you can identify a malicious process, find out more about unusual processes and temporarily stop unnecessary data heavy processes – especially important if your internet is slow or data-limited e.g. 3G broadband connections.
Windows already includes the Netstat command line program to interrogate TCP/UDP endpoints but TCPView provides a far more informative and easy to read subset of the same information.
Download TCPView – Download the program from Microsoft’s Sysinternals site here in a zip file. Extract the zip file and run the Tcpview.exe program to begin – a list of TCP/UDP connections is displayed along with the Process Name, Bytes Received/Sent and Remote Address etc.
The list is dynamic and presents a real time picture i.e. it changes as and when connections are opened or closed. By default, it updates every second but you can change the duration via View \ Update Speed in the menubar. IP addresses are resolved to their domain name versions.
Right clicking a Process presents several options:
- Process Properties – shows the filename and full path of the process so you can recognize or research unknown processes.
- End Process – (for Advanced users), kill off a process if it is using too much data or is suspicious.
- Close Connection – (for Advanced users), only available if the connection is Established.
- Whois – opens in a separate window. See who owns the domain registered for a remote address.
- Copy – copy the Process and associated details for pasting into a document or file. You can save the whole list by selecting File \ Save As from the menubar.
There is also a brief help file available from the Help menu.
Using TCPView – If you’re looking for unknown applications that may access the internet, the easiest way to see the wood from the trees is to close your browser and any programs that you know connect to the internet e.g. email program, Skype etc.
After a minute or two the number of endpoints will reduce and it becomes easier to identify or monitor specific processes – in my own test, closing the browser and Outlook resulted in the number of endpoints dropping from a confusing 400+ to a far more manageable 23.
Once you have a sensible number of connections displayed you can monitor the Sent/Received Bytes columns to determine high usage processes or investigate unknown processes to determine if they are valid/required.
TCPView is easy enough to use and presents detailed information about network connections, making it possible to monitor and identify data intensive or suspicious processes.
Whilst the program is more likely to appeal to advanced users, it’s also interesting for anyone who wants to understand more about their network – or even just to see how many endpoints a single web page may create.