TCPView Professional

Users Guide
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, Texas 78746
(512) 330-9130
(512) 330-9131 Fax
www.winternals.com
Copyright 2002 Winternals Software LP

Table of Contents

1 Introduction
2 Requirements
3 Overview of TCP and UDP
  3.1 TCP
  3.2 UDP
4 Using TCPView Professional
  4.1 The Static View
  4.2 The Dynamic View
5 The Static View
  5.1 Interpreting the Output
  5.2 Controlling the Refresh Rate
  5.3 Sorting
6 The Dynamic View
  6.1 Interpreting the Dynamic View
  6.2 Controlling Updates
  6.3 Sorting
7 DNS Name Resolution
8 Filtering and Highlighting
  8.1 Include and Exclude Filters
  8.2 Dynamic Filters
  8.3 Highlight Filters
9 Searching
10 Saving and Printing
11 Using the Clipboard
12 Customizing the Font
13 Customizing Toolbars and Menus
  13.1 Creating and Deleting Toolbars
  13.2 Deleting and Rearranging Toolbar Items
  13.3 Adding Items to a Toolbar
  13.4 Controlling Menu Behavior
14 Using TCPVStat
15 Frequently Asked Questions
16 Technical Support

Introduction
Welcome to TCPView Professional. TCPView Pro allows you to monitor TCP/IP network activity on Windows NT 4.0, Windows 2000, and Windows 95/98 systems. Unlike built-in TCP/IP monitoring tools that come with Windows (such as netstat), TCPView Pro shows you which process is associated with each TCP/IP address, making it easy to determine what application is responsible for specific connections and activity. TCPView Pro also lets you see TCP/IP activity by process in real-time, a feature not available with any other utility. These features make TCPView Pro a uniquely powerful tool for networking and application troubleshooting. TCPView Pro also lets you see the amount of data sent and received over a network connection, which makes it a useful tool for performance diagnostics. Finally, TCPView Pro offers a range of configuration options that let you auto-refresh its display, save output to a file, and filter and highlight entries by process, IP address, or port. TCPView Pro's capabilities let you:

- Determine which process has an address opened
- See what remote network addresses suspicious applications are accessing
- Obtain detailed statistics on the amount of data sent and received over a connection
- Watch an application's TCP/IP activity in real-time
- Save TCP/IP activity logs and connection information to file
- Filter the data captured so that you only see accesses performed by a specific process, or that involve particular local or remote addresses


Requirements
TCPView Pro runs on the following operating systems:
- Windows 95
- Windows 95 OSR2
- Windows 98
- Windows 98 Second Edition
- Windows NT 4.0
- Windows 2000

If you run TCPView Pro on Windows 95 you require the following:

- COMCTL32.DLL version 4.7 or higher. You can obtain such a version with either Internet Explorer 4.0 or Internet Explorer 5.0, available for free download from the Microsoft web site.
- The Windows 95 WinSock 2 Update. This is also available for download from the Microsoft web site.


Overview of TCP and UDP
TCP/IP actually consists of three protocols: TCP (Transmission Control Protocol), UDP (Unreliable Datagram Protocol) and IP (Internet Protocol). UDP and TCP use IP as their foundation. This section provides a brief (and simplified) description of TCP and UDP.
TCP offers connection-oriented, reliable communications. A TCP session is initiated by a process allocating a TCP endpoint (object) and assigning it an IP address and port number. The IP address must be one local to the computer. Local IP addresses can be specified in three different ways:

- as 0.0.0.0
- as 127.0.0.1
- as an IP address assigned to the computer (e.g. 209.233.4.14)
A process can either explicitly specify a port number or let the TCP/IP stack assign one for it. A process typically specifies a port number if it provides a service that has a defined port number associated with it. For example, a web server uses port 80 because that port number is defined as being the http port, and internet browsers by default attempt connections to that port number. After assigning an address/port-pair the process can either initiate a connection to a remote endpoint or wait for incoming connections. An attempt to connect with a remote endpoint is called a connect request, and the process specifies the remote endpoint's address/port-pair. When a process waits for a connection, it listens for incoming connection requests. In order to listen it must define connection endpoints that it can, and if it wishes to establish a connection when a connection request arrives it accepts the connection with another TCP endpoint. Thus, the listen endpoint remains in the listen state as long as one or more un-connected connection objects exist for the listen endpoint. A TCP session is terminated when either end of a connection performs a disconnect operation.
UDP provides for unreliable, connectionless communications. It also allows for broadcast capability. A UDP session is initiated when a process creates a UDP endpoint. As for TCP endpoints, the process can either explicitly assign a port number or let the TCP/IP stack assign one. The address format is the same as for TCP. Since UDP is connectionless, a process does not need to establish a connection before sending or receiving messages; it can immediately begin sending and receiving messages. However, it must specify the address/port-pair whenever it sends (the remote address/port-pair is defined by a connection for a TCP send). A UDP session ends when a process closes its UDP endpoint.
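The endpoint behaviour described above, reproduced on the local machine as an added Python example (not part of the original guide). The helper names and the row layout, which mimics the static view's protocol, local address and remote address columns, are assumptions made for illustration.

```python
import socket
from contextlib import ExitStack


def fmt(addr):
    """Render an (ip, port) pair as ip:port, like the address columns."""
    return f"{addr[0]}:{addr[1]}"


def snapshot():
    """Create one listening, one connected and one UDP endpoint on this
    host and return rows of (protocol, local address, remote address)."""
    with ExitStack() as stack:
        # Listen endpoint: explicit local IP, port 0 so the stack assigns one.
        listener = stack.enter_context(
            socket.socket(socket.AF_INET, socket.SOCK_STREAM))
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)

        # Connect request: the client names the remote address/port-pair;
        # its own local port is assigned by the stack.
        client = stack.enter_context(
            socket.socket(socket.AF_INET, socket.SOCK_STREAM))
        client.settimeout(5)
        client.connect(listener.getsockname())

        # Accepting yields another TCP endpoint; the listener keeps listening.
        accepted, _peer = listener.accept()
        stack.enter_context(accepted)

        # UDP endpoint bound to 0.0.0.0: no connection, so no remote address.
        udp = stack.enter_context(
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
        udp.bind(("0.0.0.0", 0))

        return [
            ("TCP", fmt(listener.getsockname()), "LISTENING"),
            ("TCP", fmt(accepted.getsockname()), fmt(accepted.getpeername())),
            ("TCP", fmt(client.getsockname()), fmt(client.getpeername())),
            ("UDP", fmt(udp.getsockname()), "*.*"),
        ]


if __name__ == "__main__":
    for proto, local, remote in snapshot():
        print(f"{proto:<4} {local:<22} {remote}")
```

The accepted endpoint shares the listener's local address/port-pair, which is why a monitoring tool shows a LISTENING line and a connected line for the same local port at the same time.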


Using TCPView Professional
When you launch the GUI tool you are presented with two sub-windows:
- Static View - shows a snapshot of endpoints active on the system
- Dynamic View - shows real-time TCP/IP activity
You can use the tab key to move between views.

The Static View

The top sub-window is the static view. The static view shows you a snapshot of the existing TCP/IP endpoints on the system. For example, if a program opens UDP port 3200 and specifies local IP address 0.0.0.0, you will see a line in the static view with the name of the process, UDP as the protocol, and "0.0.0.0:3200" as the local address. The remote address will be listed as "*.*" since the UDP protocol does not support connections. The static view also shows the number of messages and bytes sent and received in the sent and received columns. The number of messages and bytes transferred are separated with a forward slash.

The Dynamic View

The dynamic view presents a real-time view of the TCP/IP activity on the system. Each line represents a different event, and the information that TCPView Pro shows for the event includes the event type (send, disconnect, etc.), the time of the event, the event's status, the local and (if applicable) remote address/port-pairs of the endpoint on which the event took place, and the number of bytes sent or received.


Interpreting the Output
Figure 5-1 demonstrates the different types of entries you may see in the static view:

Figure 5-1

The columns in Figure 5-1 are defined as follows:
- Process: the name of the process that owns the endpoint.
- Protocol: the protocol of the endpoint, either UDP or TCP.
- Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically.
- Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING".
- Sent: the number of messages and bytes sent on an endpoint. The number of messages is shown first, with a slash separating the two numbers.
- Received: the number of messages and bytes received on an endpoint. The number of messages is shown first, with a slash separating the two numbers.


The first two lines in Figure 5-1 are UDP endpoints, which is the reason that the remote address for these endpoints is shown as "*.*"; UDP endpoints are connectionless, so they are not associated with any particular remote address. Note that process services.exe (the Windows NT/Windows 2000 Service Control Manager) has sent 1688 messages totalling 91877 bytes over UDP endpoint DUAL:nbname. The next four entries are connected TCP endpoints. For instance, process RPSS (the Remote Procedure Call Subsystem) has TCP endpoint DUAL:1026 connected to endpoint DUAL:1025. Finally, the last line is a TCP endpoint that is not connected. Instead, it is in the listening state, where the process is waiting for incoming connection requests from remote addresses.

Controlling the Refresh Rate
By default TCPView Pro refreshes the contents of the static view once every second. To change the refresh rate use the CONFIGURE|REFRESH RATE menu entry (see Figure 5-2).

Figure 5-2

To completely disable refreshing, you can either set the refresh rate to 0, or you can press the freeze button. While the refresh is frozen you can manually refresh the static view with the refresh button.


Sorting
You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time.


Interpreting the Dynamic View
Figure 6-1 shows an example of the kind of activity you will see in the dynamic view:

Figure 6-1

The columns in Figure 6-1 are defined as follows:

- Seq: the sequence number of the event.
- Process: the name of the process that owns the endpoint.
- Action: the event type. This can be CONNECT, DISCONNECT, SEND, RECEIVE, ACCEPT, or LISTEN.
- Protocol: the protocol of the endpoint, either UDP or TCP.
- Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically.
- Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING".
- Status: either SUCCESS or ERROR.
- Bytes: the number of bytes sent or received. This field is only defined for SEND and RECEIVE events.

The first line in Figure 6-1 shows an Internet Explorer (IE) process, which has created the TCP endpoint having the local address DUAL:1243, connecting to the remote address mail.webserve.winternals.com:http. IE then sends two 1-byte messages from UDP port 1235 to the same port (loop-back). Activity continues with it receiving a 178-byte message on the TCP connection it established with the web server and then sending a 354-byte message back to the server.

Controlling Updates

You can control the dynamic view in several ways. First, you can limit the depth of the display, or the number of records it retains, by setting the history depth with the CONFIGURE|HISTORY DEPTH menu entry (see Figure 6-2).

Figure 6-2

You can stop the dynamic view from capturing activity by raising the capture button on the toolbar or the Options menu. To clear the dynamic display, press the clear toolbar button or select the EDIT|CLEAR ALL menu item.
By default, the dynamic view scrolls so that it always shows the most recent event. To disable auto-scrolling, raise the autoscroll button, or de-select the OPTIONS|AUTOSCROLL menu item.


DNS Name Resolution
By default TCPView Pro does not resolve IP addresses to their names or port numbers to their descriptive text. For example, if www.winternals.com has the IP address 10.0.0.1, TCPView Pro will show the numeric representation. Well-defined port numbers have descriptive names; for instance, port 80 is the http port. TCPView Pro has an internal table for translating many port numbers to their names. Select the RESOLVE ADDRESSES button or the OPTIONS|RESOLVE ADDRESSES menu entry to toggle name resolution. When name resolution is enabled TCPView Pro performs IP address name lookup operations in the background, updating the static and dynamic views as translations complete. In many cases IP addresses do not have corresponding names, and so are always shown numerically. If a name lookup fails for some reason, TCPView Pro re-attempts the lookup ten seconds later if the address is referenced by new entries in the static or dynamic views, or if you toggle name resolution off and then on again.
Tip: You can quickly see what IP address corresponds to the name shown in an entry or vice versa by selecting the entry and then toggling name resolution with the Ctrl+R hotkey sequence.


Filtering and Highlighting
TCPView Pro offers several powerful filtering options so that you can narrow the output down to what interests you. You can access the filtering dialog using the filter button or the CONFIGURE|FILTER/HIGHLIGHT menu entry.
The dialog presents three tabs:

- Filter
- Dynamic Filters
- Highlight


Include and Exclude Filters
The Filter tab of the filter dialog presents edit windows that let you configure include and exclude filters. Only entries that match the include filter, but that are not excluded with the exclude filter, are shown in the static and dynamic views. Filters are interpreted in a case-insensitive manner and match any part of the text of any of an entry's columns. For example, if you specify an exclude filter of "1", then any entry with "1" in any of its columns will not be displayed. You can enter more than one include or exclude filter by separating the entries with semicolons.

Figure 8-1

Figure 8-1 shows an include filter that specifies that only entries with the text "svchost" or "inetinfo" will be displayed. Since such text only appears in the static and dynamic view process columns, this filter effectively narrows the output to only show activity performed by and endpoints owned by processes named inetinfo and svchost.


Dynamic Filters

You can specify what types of events are displayed in the dynamic view using the Dynamic Filters tab of the filter dialog (see Figure 8-2).

Figure 8-2

Specify what status values are shown using the SHOW SUCCESS and SHOW ERROR check-boxes. Deselecting one means that events with a status of that type are not shown. Deselecting both options results in the dynamic view not showing any activity, since entries are either of type success or error. The DYNAMIC EVENTS TO MONITOR combo-box shows a complete list of the event types entries are categorized by. Deselecting an event type has the dynamic view not capture events of that type.


Highlight Filters
The Highlight tab of the filter dialog lets you specify highlighting filters (see Figure 8-3).

Figure 8-3

Filter highlights work like include and exclude filters, except that if an entry has a match in any of its columns with a highlight filter, the entry is shown in the highlight colors, which are also configurable in the HIGHLIGHT tab of the filter dialog. As for include and exclude filters, you can specify multiple highlight filters by separating them with semicolons. Note that the same highlight color applies to all highlight filters.
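The matching rules for include, exclude and highlight filters described in this chapter, modelled as an added Python example (not TCPView Pro's own code). The entries are constructed sample rows using the static view's columns, and treating an empty include filter as "show everything" is an assumption.

```python
# Constructed sample rows: Process, Protocol, Local, Remote, Sent, Received.
ENTRIES = [
    ("svchost.exe", "UDP", "0.0.0.0:135", "*.*", "0/0", "0/0"),
    ("inetinfo.exe", "TCP", "0.0.0.0:80", "LISTENING", "0/0", "0/0"),
    ("iexplore.exe", "TCP", "192.0.2.10:1243", "198.51.100.7:80",
     "1/354", "1/178"),
    ("services.exe", "UDP", "192.0.2.10:137", "*.*", "1688/91877", "0/0"),
    ("lsass.exe", "UDP", "0.0.0.0:500", "*.*", "3/280", "0/0"),
]


def parse_filter(text):
    """Split a semicolon-separated filter string into lowercase terms."""
    return [t.strip().lower() for t in text.split(";") if t.strip()]


def matches(entry, terms):
    """True if any term is a substring of any column (case-insensitive)."""
    columns = [str(c).lower() for c in entry]
    return any(term in col for term in terms for col in columns)


def apply_filters(entries, include="", exclude="", highlight=""):
    """Return (entry, highlighted) pairs for the entries that stay visible."""
    inc, exc, hl = (parse_filter(f) for f in (include, exclude, highlight))
    shown = []
    for entry in entries:
        # Assumption: an empty include filter shows every entry.
        if inc and not matches(entry, inc):
            continue
        # An exclude match hides the entry even if the include filter matched.
        if exc and matches(entry, exc):
            continue
        shown.append((entry, bool(hl) and matches(entry, hl)))
    return shown


def visible_processes(**filters):
    """Process names that remain visible under the given filters."""
    return [entry[0] for entry, _ in apply_filters(ENTRIES, **filters)]


if __name__ == "__main__":
    print(visible_processes(include="svchost;inetinfo"))
    print(visible_processes(exclude="1"))
    print(visible_processes(include="80"))
    print(visible_processes(include=":80"))
```

Because terms match any column, a term such as 80 also matches byte counts; :80 narrows the match to the address columns but still matches any port that begins with 80.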


Searching

You can search the output of the static or dynamic views by using the FIND dialog, which is accessible by clicking on the find button or selecting the EDIT|FIND menu entry. The search starts on the item selected and a search operation is restricted to the view in which it starts. When you are in search mode selected items are displayed in red, and if necessary the display scrolls to make visible an item found by a search.


10 Saving and Printing
You can save or print the contents of the static or dynamic view with the print or save buttons, or by selecting the SAVE, SAVE AS, PRINT and PRINT SETUP menu entries located in the FILE menu. You can only save or print the contents of one view at a time. To select which view will be saved or printed, move the focus to the view by tabbing to the view, or clicking on an item in the view.


11 Using the Clipboard

You can copy individual entries, or the contents of an entire view, to the clipboard. To copy individual entries, select the entries and then use the EDIT|COPY menu entry. Note that the static view only allows one entry to be selected at a time. To copy an entire view to the clipboard, set the focus to the view (e.g. select an item in that view) and then use the EDIT|COPY ALL menu entry.


12 Customizing the Font
You can customize the font used by the static and dynamic views by using the Font and Font Size entries in the CONFIGURE|FONT sub-menu (see Figure 12-1).

Figure 12-1

13 Customizing Toolbars and Menus
TCPView Pro includes extensive support for customizing its toolbars and menus. The TCPView Pro menu is actually a toolbar, and will be referred to as a toolbar in this section.

Figure 13-1

You can access the toolbar editor by right-clicking on a button toolbar or menu toolbar. The dialog you are presented looks like Figure 13-1.


13.1 Creating and Deleting Toolbars
This first tab lets you reset, define, delete or rename toolbars. Note that you can only delete or rename toolbars that you define. Similarly, you can only reset the menu or standard toolbars that TCPView Pro defines. Resetting a toolbar returns its settings back to the default settings defined by TCPView Pro (the settings it had the first time you ran it). You can hide a toolbar by deselecting its checkbox, but you cannot hide the menu's toolbar. To create a new toolbar press the NEW button.
13.2 Deleting and Rearranging Toolbar Items
With the customization dialog open, select the item you wish to delete and drag it off the toolbar or menu on which it is located. You can move existing items by selecting them and dragging them to a different position on the same or a different toolbar.


13.3 Adding Items to a Toolbar
Use the second tab, COMMANDS, to define the contents of a toolbar (see Figure 13-2). Items are grouped by category. Select a category in the left side of the window and the items of that category are shown on the right. Selecting an item has a description of the item appear at the bottom of the dialog. To add an item to a toolbar or menu entry, drag the item from the customization dialog to the desired position on the target toolbar or menu.

Figure 13-2

13.4 Controlling Menu Behavior
The final tab of the customization dialog lets you choose the type of menu animation TCPView Pro uses, as well as whether or not it organizes menus according to your usage patterns.


14 Using TCPVStat
TCPView Pro comes with a command-line tool, TCPVStat, that functions like the Windows netstat command, except that it displays the name of the process that owns each endpoint, and can show the amount of data transferred over an endpoint. TCPVStat is installed in the TCPView Pro installation directory. TCPVStat's syntax is accessible with the /? option (see Figure 14-1).

    TCPView Stat v1.
    Copyright (C) 2000 Winternals Software LP
    http://www.winternals.com

    usage: tcpvstat [-n] [-a] [-p] [-d] [<processname> or <address>]
      process   Show endpoints for matching processed or address
      address   (partial name or address accepted).
      -n        Do not perform DNS name resolution.
      -a        Show all endpoints.
      -p        Sort by process.
      -d        Show detailed information.

Figure 14-1

15 Frequently Asked Questions
Why does the endpoint information shown in TCPView Pro's static view differ from what I see with netstat or TCPView?

Netstat has a different interpretation of endpoints than TCPView Pro. TCPView Pro's display is actually more accurate than netstat's. For example, on Windows 95 and Windows NT 4.0, every UDP endpoint is shown to have a corresponding TCP endpoint of the same local address, even though no TCP endpoint with that address may have been created. In addition, netstat shows endpoints that are closed but not cleaned up by the TCP/IP stack. These are shown by netstat in the TIME_WAIT state. TCPView Pro does not show these endpoints, because they are effectively inactive.

Why do some addresses still show up as numbers when I toggle on name resolution?

Some IP addresses have no corresponding name, so TCPView Pro has no choice but to show them numerically. In addition, if you are connecting to remote addresses through a firewall or proxy, you will only see the IP address of the firewall or proxy server, rather than the real remote address.


16 Technical Support

If you encounter a problem with TCPView Professional and wish to receive technical support, please e-mail us at:

support@winternals.com

You can also view our Frequently Asked Questions and download free updates from our web site at:
http://www.winternals.com
For urgent matters, please call the following number and request Technical Support:

512-330-9861
