User manual WINTERNALS TCPVIEW PROFESSIONAL

TCPView Professional User's Guide Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, Texas 78746 (512) 330-9130 (512) 330-9131 Fax www.winternals.com Copyright © 2003 Winternals Software LP TCPView Professional User's Guide Table of Contents 1 2 3 Introduction ...................................................................................1 Requirements ................................................................................2 Overview of TCP/IP .......................................................................3 3.1 3.2 TCP ................................................................................................. 3 UDP................................................................................................. 4 4 Using TCPView Professional .......................................................5 4.1 4.2 The Static View ............................................................................... 5 The Dynamic View .......................................................................... 5 5 The Static View ..............................................................................6 5.1 5.2 5.3 5.4 Interpreting the Output .................................................................... 6 Showing Only Connected Endpoints............................................... 7 Controlling the Refresh Rate........................................................... 7 Sorting............................................................................................. 8 6 The Dynamic View.........................................................................9 6.1 6.2 6.3 Interpreting the Dynamic View ........................................................ 9 Controlling Updates....................................................................... 10 Sorting........................................................................................... 10 7 8 DNS Name Resolution ................................................................11 Filtering and Highlighting...........................................................12 8.1 8.2 8.3 Include and Exclude Filters ........................................................... 13 Dynamic Filters ............................................................................. 14 Highlight Filters ............................................................................. 15 9 Searching.....................................................................................16 10 Saving and Printing.....................................................................17 11 Using the Clipboard ....................................................................18 12 Customizing the Font..................................................................19 Winternals Software Page i TCPView Professional User's Guide 13 Customzing Toolbars and Menus ..............................................20 13.1 13.2 13.3 13.4 Creating and Deleting Toolbars .................................................... 21 Deleting and Rearranging Toolbar Items ...................................... 21 Adding Items to a Toolbar ............................................................. 22 Controlling Menu Behavior............................................................ 22 14 Using TCPVStat ...........................................................................23 15 Frequently Asked Questions......................................................24 16 Sales.............................................................................................26 17 Technical Support .......................................................................27 Winternals Software Page ii TCPView Professional User's Guide 1 Introduction Welcome to TCPView Professional. TCPView Professional allows you to monitor TCP/IP network activity on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows 9x systems. Unlike builtin TCP/IP monitoring tools that come with Windows (such as netstat), TCPView Professional shows you which process is associated with each TCP/IP address, making it easy to determine what application is responsible for specific connections and activity. TCPView Professional also lets you see TCP/IP activity by process in real-time, a feature not available with any other utility. These features make TCPView Professional a uniquely powerful tool for networking and application troubleshooting. TCPView Professional also lets you see the amount of data sent and received over a network connection, which makes it a useful tool for performance diagnostics. Finally, TCPView Professional offers a range of configuration options that let you auto-refresh its display, save output to a file, and filter and highlight entries by process, IP address, or port. TCPView Professional's capabilities let you: · · Determine which process has an address opened See what remote network addresses suspicious applications are accessing Obtain detailed statistics on the amount of data sent and received over a connection Watch an application's TCP/IP activity in real-time Save TCP/IP activity logs and connection information to file Filter the data captured so that you only see accesses performed by a specific process, or that involve particular local or remote addresses · · · · Winternals Software Page 1 TCPView Professional User's Guide 2 Requirements TCPView Professional runs on the following operating systems: · · · · · · · · Windows 95 Windows 95 OSR2 Windows 98 Windows 98 Second Edition Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003 If you run TCPView Professional on Windows 95 you will need the following: · COMCTL32.DLL version 4.7 or higher. You can obtain such a version with either Internet Explorer 4.0 or Internet Explorer 5.0, available for free download from the Microsoft web site. The Windows 95 WinSock 2 Update. This is also available for download from Microsoft web site. · Winternals Software Page 2 TCPView Professional User's Guide 3 Overview of TCP/IP TCP/IP actually consists of three protocols: TCP (Transmission Control Protocol), UDP (Unreliable Datagram Protocol) and IP (Internet Protocol). UDP and TCP use IP as their foundation. This section provides a brief (and simplified) description of TCP and UDP. 3.1 TCP TCP offers connect-oriented, reliable communications. A TCP session is initiated by a process allocating a TCP endpoint (object) and assigning it an IP address and port number. The IP address of course must be one local to the computer. Local IP addresses can be specified in three different ways: · · · as 0.0.0.0 as 127.0.0.1 or as an IP address assigned to the computer (e.g. 209.233.4.14) A process can either explicitly specify a port number or let the TCP/IP stack assign one for it. A process typically specifies a port number if it provides a service that has a defined port number associated with it. For example, a web server uses port 80 because that port number is defined as being the http port, and internet browsers by default attempt connections to that port number. After assigning an address/port-pair the process can either initiate a connection to a remote endpoint or wait for incoming connections. An attempt to connect with a remote endpoint is called a connect request, and the process specifies the remote endpoint's address/port-pair. When a process waits for a connection, it listens for incoming connection requests. In order to listen it must define connection endpoints that it can, and if it wishes to establish a connection when a connection request arrives it accepts the connection with another TCP endpoint. Thus, the listen endpoint Winternals Software Page 3 TCPView Professional User's Guide remains in the listen state as long as one or more un-connected connection objects exist for the listen endpoint. A TCP session is terminated when either end of a connection performs a disconnect operation. 3.2 UDP UDP provides for unreliable, connectionless communications. It also allows for broadcast capability. A UDP session is initiated when a process creates a UDP endpoint. As for TCP endpoints, the process can either explicitly assign a port number or let the TCP/IP stack assign one. The address format is the same as for TCP. Since UDP is connectionless, a process does not need to establish a connection before sending or receiving messages - it can immediately begin sending and receiving messages. However, it must specify the address/portpair whenever it sends (the remote address/port-pair is defined by a connection for a TCP send). A UDP session ends when a process closes its UDP endpoint. Winternals Software Page 4 TCPView Professional User's Guide 4 Using TCPView Professional When you launch the GUI tool you are presented with two sub-windows: · · Static View - shows a snapshot of endpoints active on the system Dynamic View - shows real-time TCP/IP activity You can use the tab key to move between views. 4.1 The Static View The top sub-window is the static view. The static view shows you a snapshot of the existing TCP/IP endpoints on the system. For example, if a program opens UDP port 3200 and specifies local IP address 0.0.0.0, you will see a line in the static view with the name of the process, UDP as the protocol, and "0.0.0.0:3200" as the local address. The remote address will be listed as "*.*" since the UDP protocol does not support connections. The static view also shows the number of messages and bytes sent and received in the sent and received columns. The number of messages and bytes transferred are separated with a forward slash. 4.2 The Dynamic View The dynamic view presents a real-time view of the TCP/IP activity on the system. Each line represents a different event and the information that TCPView Professional shows for the event includes the event type (send, disconnect, etc.) the time of the event, the event's status, the local and (if applicable) remote address/port-pairs of the endpoint on which the event took place, and the number of bytes sent or received. Winternals Software Page 5 TCPView Professional User's Guide 5 5.1 The Static View Interpreting the Output The following screen demonstrates the different types of entries you may see in the static view: The columns are defined as follows: · · · Process: the name of the process that owns the endpoint. Protocol: the protocol of the endpoint, either UDP or TCP. Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically. Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING" Sent: the number of messages and bytes sent on an endpoint. The number of messages are shown first, with a slash separating the two numbers. Received: the number of messages and bytes received on an endpoint. The number of messages are shown first, with a slash separating the two numbers. · · · The first two lines in the sample screen are UDP endpoints, which is the reason that the remote address for these endpoints is shown as "*.*; UDP Winternals Software Page 6 TCPView Professional User's Guide endpoints are connectionless, so they are not associated with any particular remote address. Note that process services.exe (the Windows NT/Windows 2000 Service Control Manager) has sent 1688 messages totalling 91877 bytes over UDP endpoint DUAL:nbname. The next four entries are connected TCP endpoints. For instance, process RPSS (the Remote Procedure Call Subsystem) has TCP endpoint DUAL:1026 connected to endpoint DUAL:1025. Finally, the last line is a TCP endpoint that is not connected. Instead, it is in the listening state, where the process is waiting for incoming connection requests from remote addresses. 5.2 Showing Only Connected Endpoints TCPView Professional shows all endpoints, including UDP, TCP connected endpoints, and TCP unconnected endpoints. However, you can toggle the show all endpoints button , or the Options|Show All menu entry, to have TCPView Professional only show connected TCP endpoints. TCPView Professional's default behavior corresponds to the Windows netstat command's -a option. 5.3 Controlling the Refresh Rate By default TCPView Professional refreshes the contents of the static view once every second. To change the refresh rate use the Configure|Refresh Rate menu entry. Winternals Software Page 7 TCPView Professional User's Guide To completely disable refreshing, you can either set the refresh rate to 0, or you can press the Freeze button: . While the refresh is frozen you can . manually refresh the static view with the Refresh button 5.4 Sorting You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time. Winternals Software Page 8 TCPView Professional User's Guide 6 6.1 The Dynamic View Interpreting the Dynamic View The following screen shows an example of the kind of activity you will see in the dynamic view: The columns are defined as follows: · · · · · Seq: the sequence number of the event. Process: the name of the process that owns the endpoint. Action: the event type. This can be CONNECT, DISCONNECT, SEND, RECEIVE, ACCEPT, or LISTEN. Protocol: this shows the protocol of the endpoint, either UDP or TCP. Local Address: shows the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically. Remote Address: shows the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING". Status: either SUCCESS or ERROR Bytes: the number of bytes sent or received. This field is only defined for SEND and RECEIVE events. · · · The first line in the sample screen shows an Internet Explorer (IE) process, which has created the TCP endpoint having the local address DUAL:1243, connecting to the remote address mail.webserve.winternals.com:http. IE then sends two 1-byte messages from UDP port 1235 to the same port (loop- Winternals Software Page 9 TCPView Professional User's Guide back). Activity continues with it receiving a 178-byte message on the TCP connection it established with the web server and then sending a 354-byte message back to the server. 6.2 Controlling Updates You can control the dynamic view in several ways. First, you can limit the depth of the display, or the number of records it retains, by setting the history depth with the Configure|History Depth menu entry. You can stop dynamic view from capturing activity by raising the capture button on the toolbar or the Options menu. To clear the dynamic display, or select the Edit|Clear All menu item. press the clear toolbar button By default, the dynamic view scrolls so that it always shows the most recent event. To disable auto-scrolling, raise the Autoscroll button the Options|Autoscroll menu item. , or de-select 6.3 Sorting You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time. Winternals Software Page 10 TCPView Professional User's Guide 7 DNS Name Resolution By default TCPView Professional does not resolve IP addresses to their names or port numbers to their descriptive text. For example, if www.winternals.com has the IP address 10.0.0.1, TCPView Professional will show the numeric representation. Well-defined port numbers have descriptive names; for instance, port 80 is the http port. TCPView Professional has an internal table for translating many port numbers to their names. Select the resolve addresses button or the Options|Resolve Addresses menu entry to toggle name resolution. When name resolution is enabled TCPView Professional performs IP address name lookup operations in the background, updating the static and dynamic views as translations complete. In many cases IP addresses do not have corresponding names, and so are always shown numerically. If a name lookup fails for some reason, TCPView Professional re-attempts the lookup ten seconds later if the address is referenced by new entries in the static or dynamic views, or if you toggle name resolution off and then on again. Tip: You can quickly see what IP address corresponds to the name shown in an entry or vice versa by selecting the entry and then toggling name resolution with the Ctrl+R hotkey sequence. Winternals Software Page 11 TCPView Professional User's Guide 8 Filtering and Highlighting TCPView Professional offers several powerful filtering options so that you can narrow the output down what interests you. You can access the filtering dialog using the filter button entry. The dialog presents three tabs: · · · or the Configure|Filter/Highlight menu Filter Dynamic Filters Highlight Winternals Software Page 12 TCPView Professional User's Guide 8.1 Include and Exclude Filters The Filter tab of the filter dialog presents edit windows that let you configure include and exclude filters. Only entries that match the include filter, but that are not excluded with the exclude filter, are shown in the static and dynamic views. Filters are interpreted in a case-insensitive manner and match any part of the text of any of an entry's columns. For example, if you specify and exclude filter of "1", then any entry with "1" in any of its columns will not be displayed. You can enter more than one include or exclude filter by separating the entries with semicolons. The screen above shows an include filter that specifies that only entries with the text "svchost" or "inetinfo" will be displayed. Since such text only appears in the static and dynamic view process columns, this filter effectively narrows the output to only show activity performed by and endpoints owned by processes named inetinfo and svchost. Winternals Software Page 13 TCPView Professional User's Guide 8.2 Dynamic Filters You can specify what types of events are displayed in the dynamic view using the Dynamic Filters tab of the Filter/Highlight dialog. Specify what status values are shown using the Show Success and Show Error check-boxes. Deselecting one means that events with a status of that type are not shown. Deselecting both options results in the dynamic view not showing any activity, since entries are either of type success or error. The Dynamic Events to Monitor combo-box shows a complete list of the event types entries are categorized by. Deselecting an event type has the dynamic view not capture events of that type. Winternals Software Page 14 TCPView Professional User's Guide 8.3 filters. Highlight Filters The Highlight tab of the Filter/Highlight dialog lets you specify highlighting Filter highlights work like include and exclude filters, except that if an entry has a match in any of its columns with a highlight filter, the entry is shown in the highlight colors, which are also configurable in the Highlight tab of the filter dialog. As for include and exclude filters, you can specify multiple highlight filters by separating them with semicolons. Note that the same highlight color applies to all highlight filters. Winternals Software Page 15 TCPView Professional User's Guide 9 Searching or selecting the You can search the output of the static or dynamic views by using the Find dialog, which is accessible by clicking on the find button Edit|Find menu entry. The search starts on the item selected and a search operation is restricted to the view in which it starts (static or dynamic). When you are in search mode selected items are displayed in red, and if necessary the display scrolls to make visible an item found by a search. Winternals Software Page 16 TCPView Professional User's Guide 10 Saving and Printing You can save or print the contents of the static or dynamic view with the print or save buttons, or by selecting the Save, Save As, Print, and Print Setup menu entries located in the File menu. You can only save or print the contents of one view at a time. To select which view will be saved or printed, move the focus to the view by tabbing to the view, or clicking on an item in the view. Winternals Software Page 17