Security Basics mailing list archives

RE: RE: How to find process behind TCP connection ?


From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Thu, 5 Oct 2006 12:59:12 -0500

There are no processes behind the System process ... just many threads.  The
4 is just the Process ID.

This is the core operating system.

For example there are 76 threads running on my machine under System.  By
looking at these threads I can deduce what some of them are doing but not
all of them.

Are you trying to find the thread within System which handles a given
protocol?


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Buozis, Martynas
Sent: Thursday, October 05, 2006 7:04 AM
To: Chesnutt, Lindsey P; security-basics () securityfocus com
Subject: RE: RE: How to find process behind TCP connection ?

Hello

OK, thanks again to everyone who is trying to share their experience. But I just
want to restate my original question, which is the following:

How can I find the real processes behind the activity when "netstat -abvo" shows
that it is the "System 4" process?

I am sure that every Windows PC would have some connection listed as
owned by "System 4" in "netstat -abvo". So you could probably try to find
what is behind it, to test the offered approach or propose a methodology.

I still can't find the right solution, although I have tested all the suggested
approaches....


With best regards
Martynas 
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chesnutt, Lindsey P
Sent: Monday, October 02, 2006 10:08 PM
To: security-basics () securityfocus com
Subject: RE: RE: How to find process behind TCP connection ?

The -o works nicely with "tasklist /svc" to find the processes and
services associated with the process ID.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of deabimakgi () btconnect com
Sent: Sunday, October 01, 2006 8:46 AM
To: security-basics () securityfocus com
Subject: Re: RE: How to find process behind TCP connection ?

Have you tried netstat -anob?

 -o            Displays the owning process ID associated with each connection.

 -b            Displays the executable involved in creating each connection
               or listening port. In some cases well-known executables host
               multiple independent components, and in these cases the
               sequence of components involved in creating the connection
               or listening port is displayed. In this case the executable
               name is in [] at the bottom, on top is the component it called,
               and so forth until TCP/IP was reached. Note that this option
               can be time-consuming and will fail unless you have sufficient
               permissions.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------