RE: How to find process behind TCP connection ?
- From: "Robert D. Holtz - Lists" <robert.d.holtz@xxxxxxxxx>
- Date: Thu, 28 Sep 2006 11:11:24 -0500
The behavior that you're seeing could be completely normal. Windows does
all kinds of things via port TCP/UDP 139. You would need to attach a
sniffer to dig deeper into the packet payloads in order to determine what's
up.
Here's a list of some of the services that use port 139:
Function                  Static ports
--------                  ------------
Directory Replication     UDP:138 TCP:139
Event Viewer              TCP:139
File Sharing              TCP:139
Logon Sequence            UDP:137,138 TCP:139
Pass Through Validation   UDP:137,138 TCP:139
Performance Monitor       TCP:139
Printing                  UDP:137,138 TCP:139
Registry Editor           TCP:139
Server Manager            TCP:139
Trusts                    UDP:137,138 TCP:139
User Manager              TCP:139
WinNT Diagnostics         TCP:139
WinNT Secure Channel      UDP:137,138 TCP:139
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Buozis, Martynas
Sent: Tuesday, September 26, 2006 3:35 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: How to find process behind TCP connection ?
Hello
I need some advice. I have a Windows 2003 server. It occasionally shows
strange and suspicious network behavior. I used the command "netstat -abov"
and the Process Explorer tool from Sysinternals to find the process behind
the connections. I found that it is "System 4" and got stuck. How can I
identify what is behind this "System 4"?
I thought it may be a hidden process, but RootkitRevealer from Sysinternals
did not show anything.
I will be grateful for any ideas on how to identify what is behind these
TCP connections from the server to many computers!
Thank you in advance.
With best regards
Martynas
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
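As an added example (not part of the original thread), the triage the reply suggests can be scripted before reaching for a sniffer: group the rows owned by the System process (PID 4) by whether they touch the ports in the reply's list. It assumes `netstat -ano` style output; the sample text, addresses and function names are constructed for illustration, and only ports 137 to 139 are treated as expected.

```python
import collections

# Ports from the list in the reply; the labels are the standard NetBIOS roles.
NETBIOS_PORTS = {137: "name service", 138: "datagram", 139: "session"}

# Constructed sample of `netstat -ano` output; every address and PID is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:139           10.0.0.21:1045         ESTABLISHED     4
  TCP    10.0.0.5:1190          10.0.0.22:139          ESTABLISHED     4
  TCP    10.0.0.5:1191          10.0.0.23:139          TIME_WAIT       0
  TCP    10.0.0.5:1200          10.0.0.40:8080         ESTABLISHED     4
  TCP    10.0.0.5:3389          10.0.0.9:50211         ESTABLISHED     1320
  UDP    10.0.0.5:137           *:*                                    4
  UDP    10.0.0.5:138           *:*                                    4
"""

def parse_netstat(text):
    """Yield (proto, local_port, remote_host, remote_port, state, pid) per row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        lport = int(f[1].rsplit(":", 1)[1])
        rhost, rport = f[2].rsplit(":", 1)
        state = f[3] if len(f) == 5 else ""  # UDP rows carry no state column
        yield f[0], lport, rhost, rport, state, int(f[-1])

def triage_system_pid(text, system_pid=4):
    """Sort the System process's rows into NetBIOS sessions and everything else."""
    peers = collections.defaultdict(set)  # (port, direction) -> remote hosts
    unexplained = []                      # rows the reply's port list does not cover
    for proto, lport, rhost, rport, state, pid in parse_netstat(text):
        if pid != system_pid:
            continue
        if lport in NETBIOS_PORTS:
            port, direction = lport, "inbound"
        elif rport.isdigit() and int(rport) in NETBIOS_PORTS:
            port, direction = int(rport), "outbound"
        else:
            unexplained.append((proto, lport, f"{rhost}:{rport}"))
            continue
        if state == "ESTABLISHED":
            peers[(port, direction)].add(rhost)
    return {k: sorted(v) for k, v in peers.items()}, unexplained

if __name__ == "__main__":
    print(triage_system_pid(SAMPLE))
```

Rows that land in the second list are the ones to look at in a packet capture first; the NetBIOS sessions show which peers the server is talking to and in which direction.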