Watching Ports with Port Reporter
by Mitch Tulloch,author of Windows Server Hacks07/19/2005
Port Reporter is another cool tool from Redmond. It runs as a service in Windows XP/2003 (and also in Windows 2000 but with less functionality) and records information about which TCP and UDP ports are active on your system. Port Reporter also tells you the Windows processes that are using these ports and the security context under which each process is running. You can use Port Reporter to monitor port usage for security reasons and for troubleshooting network connectivity problems.
To get started with Port Reporter, you first need to download it from the Microsoft Download Center. After extracting the files in the zipped download package, run pr-setup.exe to install portreporter.exe as a Windows service, making sure you've closed all administrative consoles first. Once the tool is installed, it shows up in the Services console as a service named Port Reporter with a Manual startup type and in an initial Stopped state.
Figure 1. Initial state of the Port Reporter service after installation
Right-click on the service and select Start to start it. Once the service is running, three log files are created in the directory %SystemRoot%\System32\LogFiles\PortReporter:
Figure 2. Log files created by Port Reporter
The PR-INITIAL log (the actual filename includes a suffix that identifies the date and time that the file was created) summarizes the ports, processes, and modules running on your machine when Port Reporter is started. This log can be quite long but very informative. On a test machine running Windows XP SP2, the first part of the log looks like this:
Port Reporter Version 1.01 Log File
Service initialization log
System Date: Wed Jul 06 13:44:04 2005
Local computer name:
TEST
Operating System: Windows XP
TCP/UDP Port to Process Mappings at service start-up
15 mappings found
PID:Process Port Local IP State Remote IP:Port
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System TCP 139 172.16.16.150 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
4:System UDP 137 172.16.16.150 *:*
4:System UDP 138 172.16.16.150 *:*
392:alg.exe TCP 1025 127.0.0.1 LISTENING 0.0.0.0
932:lsass.exe UDP 500 0.0.0.0 *:*
932:lsass.exe UDP 4500 0.0.0.0 *:*
1196:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
1308:svchost.exe UDP 123 127.0.0.1 *:*
1308:svchost.exe UDP 123 172.16.16.150 *:*
1460:svchost.exe UDP 1029 0.0.0.0 *:*
1460:svchost.exe UDP 1049 0.0.0.0 *:*
1500:svchost.exe UDP 1900 127.0.0.1 *:*
1500:svchost.exe UDP 1900 172.16.16.150 *:*
After this comes detailed information for each process identified above, which in this particular case is almost 50 pages of text.
|
Related Reading Windows XP Hacks |
Pages: 1, 2 |
