Socket Data Overview

Port Explorer can provide a lot of information about a socket, from everything that netstat is able to determine (protocol, local address, local port, remote address, remote port, socket status) to more advanced information (process, process ID, creation timestamp, and Sent/Received byte and packet counts). In most cases, Port Explorer is able to determine the owner process of a port (that is, it is able to map the port back to its parent process). It builds a table of all such ports that it is able to map, and then builds a second table, this time using only the same information that the netstat program retrieves. Finally, the two tables are combined, and Port Explorer fills the socket data list with the combined table. (Exception: if Hide Netstat Sockets is turned on in the Settings menu, the netstat sockets are not added to the combined table.) Port Explorer automatically filters the combined table so that there are no double-ups: a socket that already appears in the first (mapped) table is not added again from the second (netstat) table. This whole process is usually done in the blink of an eye, which allows you to choose Display Refresh rates as fast as 1 second.

You may see something like this:

So what does all of this mean? If you're a beginning user, please don't be discouraged if you don't immediately understand this information. It may initially look daunting ("what do all these numbers mean?!"), but it is actually very simple, and with a little patience and reading you'll soon master this information.

Let's compare the two lines. The first line has been successfully mapped by Port Explorer: all of its fields have been filled in. This information comes from the first table Port Explorer builds. The second line (the --NETSTAT-- one) is missing some data: the creation timestamp, process, process ID, and Sent/Received counts. This information comes from the second table Port Explorer builds. What we are seeing is the combined table; in this case, one socket from each table.

Now let's examine the first line more closely. As we can see, d:\winnt\system32\telnet.exe is the process or program that is using this socket. Its Process ID is 608, and if we're using Windows NT, 2000, or XP, we can press Ctrl+Alt+Delete on our keyboard to open Task Manager, which will also confirm that process 608 is telnet.exe (if the PID column is not visible on the Processes tab, enable it via View > Select Columns). The socket was created at 11:53 (24-hour time format) on the 1st of October, 2002 (day-month-year format). The protocol is TCP (a connection-based protocol, as opposed to the connectionless UDP protocol; see the Glossary of Terms for more information). The local address is the address of our computer, and the local port is the port number being used by our computer. The remote address is the address of the computer we are connected to, and the remote port is the port number it is using. The status says ESTABLISHED, so we know that the connection is currently alive and established. (The TIME_WAIT status, which you will often see on recently closed connections, is explained in the Glossary of Terms.) Finally, there have been 0 packets (and consequently 0 bytes) sent by the socket, but it has received 1 packet containing a total of 100 bytes.

By right-clicking on the socket and selecting 'What is Remote Port 25?', we'll see that port 25 has two uses: SMTP, and remote access trojans (quite a few of them!). SMTP, or Simple Mail Transfer Protocol, is the protocol mail servers use to receive and send mail. Since the socket belongs to telnet.exe, we can reasonably conclude that telnet.exe has simply connected to an SMTP mail server, and that the mail server has sent back 1 packet containing 100 bytes of information, usually a greeting indicating what sort of mail server it is and/or what protocol it uses. Keep in mind that the port lookup only tells you what is commonly found on a given port; it is the owning process (and, for a suspicious entry, the remote address) that tells you what is actually using it.

By right-clicking on the socket and selecting 'What is telnet.exe (608)?', we'll see the Properties dialog appear with General, Version, Security, and Summary information. The timestamps in the General tab are particularly interesting. The Accessed timestamp is usually the time the process was started, because Windows updates a file's last-access time when the executable is loaded; treat it as a hint rather than proof, since NTFS may delay last-access updates and the update can be disabled altogether. The Created timestamp allows you to see when the file was created on your system (which, in the case of telnet.exe, should be the same time that you installed the operating system). The Version tab allows us to see version/copyright information embedded in the executable.

Now let's examine the second line. The process is shown as '--NETSTAT--' because this is one of the few sockets that Port Explorer was unable to map back to its parent process. For this reason its Process ID is 0 and it has no creation timestamp. The Sent/Received counts also cannot be determined, but all other information is available, exactly as it would be seen in netstat.
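To make the two-table process concrete (the merge described in the overview above, and the --NETSTAT-- rows it produces), here is an added example that is not Port Explorer's own code. The first table is stood in for by a constructed list of already-mapped sockets; the second table is parsed from a constructed sample of Windows netstat -an text; the combined view keeps one row per socket, drops double-ups, honours a Hide Netstat Sockets switch, and marks whatever could not be mapped as --NETSTAT-- with Process ID 0 and no creation timestamp. All addresses, ports and names in the sample data are assumptions made for the example.

```python
"""Added example (not Port Explorer's own code): the two-table socket merge
described in the Port Explorer help.  All sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSTAT_PROCESS = "--NETSTAT--"


@dataclass(frozen=True)
class SocketRow:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    status: str
    # Fields only the mapped (first) table can fill; netstat rows keep defaults.
    process: str = NETSTAT_PROCESS
    pid: int = 0
    created: Optional[str] = None      # "dd-mm-yyyy hh:mm", as in the help text
    sent_pkts: Optional[int] = None
    sent_bytes: Optional[int] = None
    recv_pkts: Optional[int] = None
    recv_bytes: Optional[int] = None

    @property
    def key(self) -> Tuple[str, str, int, str, int]:
        # A socket's identity for de-duplication: its 5-tuple.
        return (self.proto, self.local_addr, self.local_port,
                self.remote_addr, self.remote_port)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'10.0.0.5:25' -> ('10.0.0.5', 25); netstat's '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host, (0 if port == "*" else int(port))


def parse_netstat(text: str) -> List[SocketRow]:
    """Parse the Windows 'netstat -an' layout: TCP lines carry a State
    column, UDP lines do not; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = split_endpoint(parts[1])
        raddr, rport = split_endpoint(parts[2])
        status = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        rows.append(SocketRow(parts[0], laddr, lport, raddr, rport, status))
    return rows


def combine(mapped: List[SocketRow], netstat_rows: List[SocketRow],
            hide_netstat: bool = False) -> List[SocketRow]:
    """Merge the two tables.  A socket already in the mapped table is never
    added again from the netstat table; hide_netstat=True (the 'Hide Netstat
    Sockets' setting) leaves the netstat table out entirely."""
    seen = set()
    combined: List[SocketRow] = []
    for row in mapped:
        if row.key not in seen:
            seen.add(row.key)
            combined.append(row)
    if not hide_netstat:
        for row in netstat_rows:
            if row.key not in seen:
                seen.add(row.key)
                combined.append(row)
    return combined


def unmapped(rows: List[SocketRow]) -> List[SocketRow]:
    """Rows with no owning process: the --NETSTAT-- entries."""
    return [r for r in rows if r.process == NETSTAT_PROCESS]


# Constructed first table: the one socket that could be mapped (mirrors the
# telnet.exe example in the help text; the addresses are assumed).
MAPPED = [
    SocketRow("TCP", "192.168.0.2", 1034, "10.0.0.5", 25, "ESTABLISHED",
              process=r"d:\winnt\system32\telnet.exe", pid=608,
              created="01-10-2002 11:53",
              sent_pkts=0, sent_bytes=0, recv_pkts=1, recv_bytes=100),
]

# Constructed netstat text: it repeats the telnet socket (a double-up that
# must be dropped) and adds two sockets that nothing mapped.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:1034       10.0.0.5:25            ESTABLISHED
  TCP    192.168.0.2:1035       10.0.0.5:80            TIME_WAIT
  UDP    192.168.0.2:137        *:*
"""


def socket_view(hide_netstat: bool = False) -> List[SocketRow]:
    """The combined list that would fill the socket data display."""
    return combine(MAPPED, parse_netstat(NETSTAT_OUTPUT), hide_netstat)


if __name__ == "__main__":
    for r in socket_view():
        print(f"{r.process:<32} {r.pid:>4} {r.proto} {r.local_addr}:{r.local_port}"
              f" -> {r.remote_addr}:{r.remote_port} {r.status} {r.created or ''}")
```

Run stand-alone it prints three rows: the mapped telnet.exe socket with its PID and timestamp, then the two --NETSTAT-- rows with PID 0 and a blank timestamp. Calling socket_view(hide_netstat=True) leaves only the mapped row, which is exactly what the Hide Netstat Sockets setting does to the display.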

That's all there is to it!



Copyright © 2002-2003 Diamond Computer Systems Pty. Ltd. - http://www.diamondcs.com.au
DiamondCS Port Explorer Website - http://www.diamondcs.com.au/portexplorer