Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How can I tell what program is making or accepting TCP/IP connections on my machine?

Question:

Another application is listening on my e-mail port 110 and it is restricting
my ipo high speed. How can i find the other application?

I’m not exactly sure what you might mean by “restricting my ipo high speed”,
but it’s very easy to see what TCP/IP ports are in use on your computer.
There’s a command line utility to tell you exactly that, but there’s an easier
to use, and free, tool we can download as well.

Become a Patron of Ask Leo! and go ad-free!

First the command line tool. Open up a Command Prompted (typically on
Start, All Programs,
Accessories) and type “netstat” followed by
Enter, and you’ll see something like this:

Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    NotenBook:1073         localhost:1072         ESTABLISHED
  TCP    NotenBook:1054         aali.hamachi.cc:https  ESTABLISHED
  TCP    NotenBook:1254         cs23.msg.dcn.yahoo.com:5050  ESTABLISHED
  TCP    NotenBook:1257         po-in-f125.google.com:5222  ESTABLISHED
  TCP    NotenBook:1258         by2msg2104610.phx.gbl:1863  ESTABLISHED

This shows you all of your active TCP/IP connections. Each endpoint of each
connection is displayed in the form machinename:port. Add the “-ao”
options and you’ll see something like this:

Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    NotenBook:1073         localhost:1072         ESTABLISHED     1200
  TCP    NotenBook:5354         NotenBook:0            LISTENING       1460
  TCP    NotenBook:8000         NotenBook:0            LISTENING       828
  TCP    NotenBook:1054         aali.hamachi.cc:https  ESTABLISHED     4044
  TCP    NotenBook:1254         cs23.msg.dcn.yahoo.com:5050  ESTABLISHED     2052
  TCP    NotenBook:1257         po-in-f125.google.com:5222  ESTABLISHED     2052
  TCP    NotenBook:1258         by2msg2104610.phx.gbl:1863  ESTABLISHED     2052
  UDP    NotenBook:1025         *:*                                    1460
  UDP    NotenBook:1026         *:*                                    828
  UDP    NotenBook:1029         *:*                                    1764
  UDP    NotenBook:1049         *:*                                    1764

“-a” tells netstat to list all ports in use, even those not actually in a
connection, and “-o” tells it to include the process ID (PID) of the program
that’s accessing the port. You can then use task manager to identify the
process with the given PID to see who’s accessing a particular port.

But there’s an easier way. Download TCPView, a free SysInternals utility now hosted at Microsoft. Run
it and you’ll see something similar to this:

TCPView Default View

“…it’s unusual for an application to be listening on
port 110 on your local machine.”

Here you can see that the application owning the connection is listed
immediately on the left, followed by same machine:port for each end of
each TCP connection. Important: many of the ports will be
listed by name, not number. Port 25, for example, will be listed as “smtp”,
this might confuse you a little if you sort by the Local or Remote Address
column – it’ll sort alphabetically, putting all the numeric ports first,
followed by the named ports.

Click on Options, Show Unconnected
Endpoints
, and the list will expand so show all the TCP/IP ports in
use:

TCPView Showing Unconnected Endpoints

Scan down this list to see who’s using port 110 on your local machine, and
you should have your culprit.

Now, I will say this specifically about port 110: it’s unusual for an
application to be listening on port 110 on your local machine. 110 is the port
on the remote mail server that your mail program connects to. However,
some services that attempt to provide pop3 access to web services such as
Hotmail will do so by providing a pseudo pop3 server through your own machine.
For example on my machine running Thunderbird, I also run the Webmail
extension. This extension causes my own machine to open port 110 through which
Thunderbird connects to access the services provided by the extension.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

5 comments on “How can I tell what program is making or accepting TCP/IP connections on my machine?”

  1. Thanks for the pointer to TCPView — it’s just what I’ve been looking for as well. I’ve known about netstat for years, but that doesn’t tell you who has the port open, just that it’s open.

    As for the “restricting my ipo high speed” comment, perhaps he meant “it’s eating up my bandwidth, limiting what other programs are able to send/receive”? Or perhaps his ISP throttles down the bandwidth because it’s using too much?

    Reply
  2. Hi, I used TCPView and got 2 items Listening,
    then opened netstat and I had 5 items listening.
    Whats up with the difference?

    ps I found out yesterday what TCP was.

    Reply
  3. Thank you for this material but I can’not find here answer to my question
    I’m interested can I seethe IP address of computer which is using my open ports or i ss cutting something from me in LAN or internet

    Reply
  4. Hey i hope this help some people.. like Leo said the TCPview is a good tool tat could help u to know what application is listening in each port here is a command that will give u exaclty the same informaction “netstat -a -b” what does it do? well the first argument -a will show u all the conections and listening ports so now u know which ports u have open then the second argument -b asks for the application that is running in each port so now u have the same information that the TCPview gives u.

    Answering the question for Elshan the ip address is under the remote address sometimes it gives u the name for example it could tell u http://www.hotmail.com so now u can look for the transalation for that ip usign the command nslookup after u execute that comman in the command prompt then u have to insert the name u want to tranlate in this case http://www.hotmail.com and it will give u the ip address of that name.

    Greeting from Mexico

    Reply
  5. Hi,

    Do you know of a utility like tcpview that will show me which programs are using svchost.exe to access a specified IP? TCPview is nice but doesn’t go quite far enough, I have instances of svchost accessing malicious ips and want to find the executable that is launching svchost so I can remove it.

    Thanks

    Craig

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.