TCPView Professional User's Guide Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, Texas 78746 (512) 330-9130 (512) 330-9131 Fax www.winternals.com Copyright © 2003 Winternals Software LP TCPView Professional User's Guide Table of Contents 1 2 3 Introduction ...................................................................................1 Requirements ................................................................................2 Overview of TCP/IP .......................................................................3 3.1 3.2 TCP ................................................................................................. 3 UDP................................................................................................. 4 4 Using TCPView Professional .......................................................5 4.1 4.2 The Static View ............................................................................... 5 The Dynamic View .......................................................................... 5 5 The Static View ..............................................................................6 5.1 5.2 5.3 5.4 Interpreting the Output .................................................................... 6 Showing Only Connected Endpoints............................................... 7 Controlling the Refresh Rate........................................................... 7 Sorting............................................................................................. 8 6 The Dynamic View.........................................................................9 6.1 6.2 6.3 Interpreting the Dynamic View ........................................................ 9 Controlling Updates....................................................................... 10 Sorting........................................................................................... 10 7 8 DNS Name Resolution ................................................................11 Filtering and Highlighting...........................................................12 8.1 8.2 8.3 Include and Exclude Filters ........................................................... 13 Dynamic Filters ............................................................................. 14 Highlight Filters ............................................................................. 15 9 Searching.....................................................................................16 10 Saving and Printing.....................................................................17 11 Using the Clipboard ....................................................................18 12 Customizing the Font..................................................................19 Winternals Software Page i TCPView Professional User's Guide 13 Customzing Toolbars and Menus ..............................................20 13.1 13.2 13.3 13.4 Creating and Deleting Toolbars .................................................... 21 Deleting and Rearranging Toolbar Items ...................................... 21 Adding Items to a Toolbar ............................................................. 22 Controlling Menu Behavior............................................................ 22 14 Using TCPVStat ...........................................................................23 15 Frequently Asked Questions......................................................24 16 Sales.............................................................................................26 17 Technical Support .......................................................................27 Winternals Software Page ii TCPView Professional User's Guide 1 Introduction Welcome to TCPView Professional. TCPView Professional allows you to monitor TCP/IP network activity on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows 9x systems. Unlike builtin TCP/IP monitoring tools that come with Windows (such as netstat), TCPView Professional shows you which process is associated with each TCP/IP address, making it easy to determine what application is responsible for specific connections and activity. TCPView Professional also lets you see TCP/IP activity by process in real-time, a feature not available with any other utility. These features make TCPView Professional a uniquely powerful tool for networking and application troubleshooting. TCPView Professional also lets you see the amount of data sent and received over a network connection, which makes it a useful tool for performance diagnostics. Finally, TCPView Professional offers a range of configuration options that let you auto-refresh its display, save output to a file, and filter and highlight entries by process, IP address, or port. TCPView Professional's capabilities let you: · · Determine which process has an address opened See what remote network addresses suspicious applications are accessing Obtain detailed statistics on the amount of data sent and received over a connection Watch an application's TCP/IP activity in real-time Save TCP/IP activity logs and connection information to file Filter the data captured so that you only see accesses performed by a specific process, or that involve particular local or remote addresses · · · · Winternals Software Page 1 TCPView Professional User's Guide 2 Requirements TCPView Professional runs on the following operating systems: · · · · · · · · Windows 95 Windows 95 OSR2 Windows 98 Windows 98 Second Edition Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003 If you run TCPView Professional on Windows 95 you will need the following: · COMCTL32.DLL version 4.7 or higher. You can obtain such a version with either Internet Explorer 4.0 or Internet Explorer 5.0, available for free download from the Microsoft web site. The Windows 95 WinSock 2 Update. This is also available for download from Microsoft web site. · Winternals Software Page 2 TCPView Professional User's Guide 3 Overview of TCP/IP TCP/IP actually consists of three protocols: TCP (Transmission Control Protocol), UDP (Unreliable Datagram Protocol) and IP (Internet Protocol). UDP and TCP use IP as their foundation. This section provides a brief (and simplified) description of TCP and UDP. 3.1 TCP TCP offers connect-oriented, reliable communications. A TCP session is initiated by a process allocating a TCP endpoint (object) and assigning it an IP address and port number. The IP address of course must be one local to the computer. Local IP addresses can be specified in three different ways: · · · as 0.0.0.0 as 127.0.0.1 or as an IP address assigned to the computer (e.g. 209.233.4.14) A process can either explicitly specify a port number or let the TCP/IP stack assign one for it. A process typically specifies a port number if it provides a service that has a defined port number associated with it. For example, a web server uses port 80 because that port number is defined as being the http port, and internet browsers by default attempt connections to that port number. After assigning an address/port-pair the process can either initiate a connection to a remote endpoint or wait for incoming connections. An attempt to connect with a remote endpoint is called a connect request, and the process specifies the remote endpoint's address/port-pair. When a process waits for a connection, it listens for incoming connection requests. In order to listen it must define connection endpoints that it can, and if it wishes to establish a connection when a connection request arrives it accepts the connection with another TCP endpoint. Thus, the listen endpoint Winternals Software Page 3 TCPView Professional User's Guide remains in the listen state as long as one or more un-connected connection objects exist for the listen endpoint. A TCP session is terminated when either end of a connection performs a disconnect operation. 3.2 UDP UDP provides for unreliable, connectionless communications. It also allows for broadcast capability. A UDP session is initiated when a process creates a UDP endpoint. As for TCP endpoints, the process can either explicitly assign a port number or let the TCP/IP stack assign one. The address format is the same as for TCP. Since UDP is connectionless, a process does not need to establish a connection before sending or receiving messages - it can immediately begin sending and receiving messages. However, it must specify the address/portpair whenever it sends (the remote address/port-pair is defined by a connection for a TCP send). A UDP session ends when a process closes its UDP endpoint. Winternals Software Page 4 TCPView Professional User's Guide 4 Using TCPView Professional When you launch the GUI tool you are presented with two sub-windows: · · Static View - shows a snapshot of endpoints active on the system Dynamic View - shows real-time TCP/IP activity You can use the tab key to move between views. 4.1 The Static View The top sub-window is the static view. The static view shows you a snapshot of the existing TCP/IP endpoints on the system. For example, if a program opens UDP port 3200 and specifies local IP address 0.0.0.0, you will see a line in the static view with the name of the process, UDP as the protocol, and "0.0.0.0:3200" as the local address. The remote address will be listed as "*.*" since the UDP protocol does not support connections. The static view also shows the number of messages and bytes sent and received in the sent and received columns. The number of messages and bytes transferred are separated with a forward slash. 4.2 The Dynamic View The dynamic view presents a real-time view of the TCP/IP activity on the system. Each line represents a different event and the information that TCPView Professional shows for the event includes the event type (send, disconnect, etc.) the time of the event, the event's status, the local and (if applicable) remote address/port-pairs of the endpoint on which the event took place, and the number of bytes sent or received. Winternals Software Page 5 TCPView Professional User's Guide 5 5.1 The Static View Interpreting the Output The following screen demonstrates the different types of entries you may see in the static view: The columns are defined as follows: · · · Process: the name of the process that owns the endpoint. Protocol: the protocol of the endpoint, either UDP or TCP. Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically. Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING" Sent: the number of messages and bytes sent on an endpoint. The number of messages are shown first, with a slash separating the two numbers. Received: the number of messages and bytes received on an endpoint. The number of messages are shown first, with a slash separating the two numbers. · · · The first two lines in the sample screen are UDP endpoints, which is the reason that the remote address for these endpoints is shown as "*.*; UDP Winternals Software Page 6 TCPView Professional User's Guide endpoints are connectionless, so they are not associated with any particular remote address. Note that process services.exe (the Windows NT/Windows 2000 Service Control Manager) has sent 1688 messages totalling 91877 bytes over UDP endpoint DUAL:nbname. The next four entries are connected TCP endpoints. For instance, process RPSS (the Remote Procedure Call Subsystem) has TCP endpoint DUAL:1026 connected to endpoint DUAL:1025. Finally, the last line is a TCP endpoint that is not connected. Instead, it is in the listening state, where the process is waiting for incoming connection requests from remote addresses. 5.2 Showing Only Connected Endpoints TCPView Professional shows all endpoints, including UDP, TCP connected endpoints, and TCP unconnected endpoints. However, you can toggle the show all endpoints button , or the Options|Show All menu entry, to have TCPView Professional only show connected TCP endpoints. TCPView Professional's default behavior corresponds to the Windows netstat command's -a option. 5.3 Controlling the Refresh Rate By default TCPView Professional refreshes the contents of the static view once every second. To change the refresh rate use the Configure|Refresh Rate menu entry. Winternals Software Page 7 TCPView Professional User's Guide To completely disable refreshing, you can either set the refresh rate to 0, or you can press the Freeze button: . While the refresh is frozen you can . manually refresh the static view with the Refresh button 5.4 Sorting You can sort the static view by any column by clicking o ...