TcpView is a very small program that displays the status of all network-connected endpoints. It shows the state of each connection, such as ESTABLISHED, CONNECTING, TIME_WAIT or CLOSE_WAIT. Additionally it shows active and open network ports on the local machine and reports their status, including open ports in the LISTEN state. It shows connection states and status for both TCP and UDP, over IPv4 and IPv6, with remote and local addresses (optionally resolved to names) and which processes have the network ports open.
TcpView is also a very simple program and does nothing but show the states of all your incoming and outgoing connections. For me it gives peace of mind, so I know at all times and in real time exactly what and who is connected to my computer. It runs as a privileged user and comes from the very reliable Microsoft Sysinternals ‘labs’, so you won’t have to worry about ads or paying a subscription; it’s free. Because it runs as a privileged user it catches every connection, incoming and outgoing, and shows one line of status per connection with options to immediately kill the process or get further details.
TcpView also shows bytes incoming and outgoing with accumulated totals, so you can see exactly how much data has moved in or out. You can sort on all the various line detail fields, and it makes for a powerful low-level cross-referencing tool when augmented with Windows process tools, especially when cross-referencing with Windows Task Manager.
The primary reason I use this utility is security. I want to know with pinpoint accuracy everything network-related going on with my primary everyday desktop computer, and as mentioned above it gives me a tremendous sense of security knowing I haven’t been hacked and that no programs are behaving oddly or suspiciously.
I used version v3.x up until the day I wrote this article. While doing research I found out that there’s a version 4.1 available. It’s a full point release with minor updates over my current version, and you can get it at:
Windows Sysinternals – Windows Sysinternals | Microsoft Docs
It has everything version 3 had but has a much cleaner interface with more push buttons for filtering critical data. You can set the update speed for real time (every second, anyway) or longer intervals. Yeah, it looks good. One of the options I always enable is to have network addresses resolved. This just makes it easier, when cross-referencing with Windows Task Manager, to see which program is using which network port or ports.
Okay, that’s all for this article.
— UPDATE 2021.10.08
I received some questions asking how I use TCPView to cross-reference which processes are using which ports and/or network addresses. Though TCPView v4 does have more information than v3 to help show which service or port is being used by which process, sometimes it can be challenging to determine the exact process. When I use TCPView to pinpoint which process is using which port, I set the sort field to either Received Bytes or Sent Bytes. You do this by clicking the heading across the top of TCPView, Bytes Sent or Bytes Received. This gives you an instant view of what kind of network activity is going on, but the more helpful part is that sort field. If a process is using a port that is active, you will see the bytes sent/received increasing in that sort field. If you see that number increasing, then the process is sending or receiving data.

Then I just match up the process name in TCPView with the process name in Task Manager. Once I know which program is sending or receiving, I can confirm it against what I know is going on with my computer (maybe I just fired off a download or something). If I DON’T recognize the program that is sending or receiving data, I right-click on the program in either TCPView or Windows Task Manager and just kill the process, as that is an option in both programs. Sometimes you’ll get an error which will clear up what process was using which port, but more likely than not it will just kill the process silently with no output.
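The cross-referencing step above (pairing a TCPView line with the owning process in Task Manager) can also be scripted. The following is an added example, not code from the post or from Sysinternals: it lists each TCP connection with the process that owns it, optionally reverse-resolves remote addresses like TCPView’s resolve option, and flags owners whose image lives outside the usual Windows or Program Files locations as a starting point for the “do I recognize this program?” check. It assumes Windows 8 / Server 2012 or later (for the `Get-NetTCPConnection` and `Resolve-DnsName` cmdlets) and an elevated prompt so that every process’s path is readable; per-connection byte counters are not exposed by these cmdlets, so the bytes-sent/received sort stays in TCPView.

```powershell
# Added example (not from the post): map each TCP connection to its owning process.
# Assumes Windows 8 / Server 2012+ (NetTCPIP and DnsClient modules) and an elevated
# prompt; without elevation, Path is unreadable for processes of other users.

function Get-ConnectionOwner {
    param(
        # Connection states to include; the default mirrors the states the post lists.
        [string[]]$State = @('Established', 'SynSent', 'TimeWait', 'CloseWait', 'Listen'),
        # Reverse-resolve remote addresses (slower), like TCPView's resolve option.
        [switch]$Resolve
    )

    # Cache process lookups so a process holding many sockets is queried once.
    $procCache = @{}

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue | ForEach-Object {
        $conn     = $_
        $ownerPid = $conn.OwningProcess   # note: $PID itself is a read-only automatic variable

        if (-not $procCache.ContainsKey($ownerPid)) {
            # PID 0 (System Idle) and PID 4 (System) have no readable image path.
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '<unknown>'
            $path = '<n/a>'
            if ($proc) {
                $name = $proc.ProcessName
                if ($proc.Path) { $path = $proc.Path }
            }
            $procCache[$ownerPid] = [pscustomobject]@{ Name = $name; Path = $path }
        }

        # Reverse DNS is best-effort: many addresses have no PTR record, so fall back to the IP.
        $remoteName = $conn.RemoteAddress
        if ($Resolve -and $conn.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1')) {
            $ptr = Resolve-DnsName -Name $conn.RemoteAddress -Type PTR -ErrorAction SilentlyContinue
            if ($ptr -and $ptr.NameHost) { $remoteName = ($ptr | Select-Object -First 1).NameHost }
        }

        [pscustomobject]@{
            PID     = $ownerPid
            Process = $procCache[$ownerPid].Name
            Path    = $procCache[$ownerPid].Path
            State   = $conn.State
            Local   = "$($conn.LocalAddress):$($conn.LocalPort)"
            Remote  = "$($remoteName):$($conn.RemotePort)"
            Created = $conn.CreationTime
        }
    }
}

# Usage: established connections grouped by process, the same view you get by
# matching TCPView rows against Task Manager by hand.
$connections = Get-ConnectionOwner -State Established -Resolve
$connections | Sort-Object Process, Remote | Format-Table -AutoSize

# Owners whose image is outside Windows or Program Files deserve a closer look
# before deciding whether the connection is expected.
$connections |
    Where-Object { $_.Path -ne '<n/a>' -and $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table PID, Process, Path, Remote -AutoSize
```

Running it twice a few seconds apart and comparing the `Remote` column is a quick way to see which connections are new; the byte-count increase that the post relies on still has to be read off TCPView itself, since the TCP connection table exposed here carries no per-socket traffic counters.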
When I first started using TCPView v4.1 I had some problems with it crashing on me occasionally. Additionally, I noticed the font seemed funky. The default font was something called Suboe, and though I’m not sure a font would cause TCPView v4.1 to crash, I changed the font to Terminal and that seems to have fixed the crashing issue. The new TCPView v4.1 looks better than v3, but the v3 version is much faster. I currently have them running side by side, as I want to determine if I really want to upgrade: v3 is not as pretty, but it’s definitely faster. Additionally, I don’t see where you can find v3 online, as only v4 is listed on the Microsoft Sysinternals site. For those who want to compare or use TCPView v3, I’ve put it on my sftp server:
- login: sftpuser
- password: sftpuser
- sftp to hqdev.fbr1.us (sftp sftpuser@hqdev.fbr1.us)
- in ‘downloads’ directory
You will have to use an sftp client (not FTPS, though some FTPS clients have sftp built in) to log in.
Please visit my Patreon page if you’re so inclined or make a donation. Or you may click the coffee cup in the bottom right corner of the screen and Buy Me A Coffee. Thank you!