Say you have identified – through Wireshark or other means – that your computer is communicating with a certain IP. If you suspect this might be a rogue process or a virus ‘phoning home’ then you might want to dig a little deeper.
The oldest trick in the book is to use netstat. A post on Techrepublic describes this method in depth, but I will describe the important elements here. With the command below you get a list of all TCP and UDP sockets and their associated process IDs:
The image below is courtesy of Techrepublic
Now you can use the process ID (PID) to find the name of the process. The default Windows task manager does not display them, but they are easily enabled through View -> Select Columns. Check the PID box, see the image below.
Of course if you are using Process Explorer (as you should) then the PIDs are at your disposal already. With other tools in the brilliant Sysinternals suite you can make life even easier. The TCPView tool was specifically built for the problem we are trying to solve:
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and
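The netstat-to-PID-to-process lookup described above can be scripted so you do not have to read the table by eye. The following is an added example, not code from the original post or from Sysinternals; it assumes the Windows `netstat -ano` output format, and the IP address in the usage line is a constructed placeholder for the one you observed in Wireshark.

```powershell
# Added example: map a suspicious remote IP to the owning process by parsing
# netstat -ano, then resolve the PID the way Task Manager or Process Explorer would.
function Find-ProcessByRemoteIp {
    param([Parameter(Mandatory)][string]$RemoteIp)

    # -a all sockets, -n numeric addresses (no DNS lookups), -o owning PID column
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

    foreach ($line in $lines) {
        # Columns: Proto  LocalAddress  ForeignAddress  [State]  PID
        # UDP rows have no State column, so take the PID from the last column.
        $cols     = $line.Trim() -split '\s+'
        $proto    = $cols[0]
        $local    = $cols[1]
        $foreign  = $cols[2]
        $ownerPid = [int]$cols[-1]
        $state    = if ($proto -eq 'TCP') { $cols[3] } else { '-' }

        # Foreign address is "ip:port" or "[v6addr]:port"; strip port and brackets
        $foreignIp = ($foreign -replace ':\d+$', '') -replace '^\[|\]$', ''
        if ($foreignIp -ne $RemoteIp) { continue }

        # Resolve PID to name and image path. A short-lived process may already
        # have exited, and Path can be empty for protected processes unless elevated.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $proto
            Local   = $local
            Foreign = $foreign
            State   = $state
            PID     = $ownerPid
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path    = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Usage: 203.0.113.45 is a constructed placeholder; use the IP you saw in Wireshark.
Find-ProcessByRemoteIp -RemoteIp '203.0.113.45' | Format-Table -AutoSize
```

Run it from an elevated prompt if the Path column comes back empty, since unprivileged sessions cannot read the image path of processes running as another user or as SYSTEM.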