TCPView Professional User’s Guide Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, Texas 78746 (512) 330-9130 (512) 330-9131 Fax www.winternals.
Table of Contents
1 Introduction
2 Requirements
3 Overview of TCP/IP
3.1 3.2
4 Using TCPView Professional
4.1 4.2
5 The Static View
13 Customizing Toolbars and Menus
13.1 Creating and Deleting Toolbars
13.2 Deleting and Rearranging Toolbar Items
13.3 Adding Items to a Toolbar
13.4 Controlling Menu Behavior
14 Using TCPVStat
1 Introduction

Welcome to TCPView Professional. TCPView Professional allows you to monitor TCP/IP network activity on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows 9x systems. Unlike the built-in TCP/IP monitoring tools that come with Windows (such as netstat), TCPView Professional shows you which process is associated with each TCP/IP address, making it easy to determine which application is responsible for specific connections and activity.
2 Requirements

TCPView Professional runs on the following operating systems:
• Windows 95
• Windows 95 OSR2
• Windows 98
• Windows 98 Second Edition
• Windows NT 4.0
• Windows 2000
• Windows XP
• Windows Server 2003

If you run TCPView Professional on Windows 95 you will need the following:
• COMCTL32.DLL version 4.7 or higher. You can obtain such a version with either Internet Explorer 4.0 or Internet Explorer 5.
3 Overview of TCP/IP

TCP/IP actually consists of three protocols: TCP (Transmission Control Protocol), UDP (Unreliable Datagram Protocol) and IP (Internet Protocol). UDP and TCP use IP as their foundation. This section provides a brief (and simplified) description of TCP and UDP.

3.1 TCP

TCP offers connection-oriented, reliable communications. A TCP session is initiated by a process allocating a TCP endpoint (object) and assigning it an IP address and port number.
remains in the listen state as long as one or more un-connected connection objects exist for the listen endpoint. A TCP session is terminated when either end of a connection performs a disconnect operation.

3.2 UDP

UDP provides for unreliable, connectionless communications. It also allows for broadcast capability. A UDP session is initiated when a process creates a UDP endpoint.
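An added example, not part of the original guide: a Python listing that walks one loopback TCP session and one UDP exchange through the steps described in this section, recording each step under the action names the guide's dynamic view reports (LISTEN, CONNECT, ACCEPT, SEND, RECEIVE, DISCONNECT). The function names, owner labels and payloads are constructed for illustration; the rows imitate the idea of an activity log and are not TCPView output.

```python
import socket
import threading

def read_exact(sock, n):
    data = b""
    while len(data) < n and (chunk := sock.recv(n - len(data))):
        data += chunk
    return data

def trace_sessions(request=b"constructed request", reply=b"constructed reply"):
    """Return (seq, owner, action, protocol, local, remote, nbytes) rows."""
    events, lock = [], threading.Lock()
    def log(owner, action, sock, nbytes=0):
        proto = "TCP" if sock.type == socket.SOCK_STREAM else "UDP"
        try:
            remote = sock.getpeername()
        except OSError:                      # listen or UDP endpoint: no remote address
            remote = None
        with lock:                           # two threads log; keep seq consistent
            events.append((len(events) + 1, owner, action, proto,
                           sock.getsockname(), remote, nbytes))
    def serve(listener):
        conn, _ = listener.accept()          # new connected endpoint on the same port
        with conn:
            log("server", "ACCEPT", conn)
            log("server", "RECEIVE", conn, len(read_exact(conn, len(request))))
            conn.sendall(reply)
            log("server", "SEND", conn, len(reply))
            log("server", "DISCONNECT", conn)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))      # endpoint gets an IP address and port
        listener.listen(1)
        log("server", "LISTEN", listener)
        worker = threading.Thread(target=serve, args=(listener,))
        worker.start()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.connect(listener.getsockname())
            log("client", "CONNECT", client)
            client.sendall(request)
            log("client", "SEND", client, len(request))
            log("client", "RECEIVE", client, len(read_exact(client, len(reply))))
            log("client", "DISCONNECT", client)
        worker.join()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        tx.sendto(b"ping", rx.getsockname())  # no connect step: UDP is connectionless
        log("sender", "SEND", tx, 4)
        log("receiver", "RECEIVE", rx, len(rx.recvfrom(4096)[0]))
    return events
```

Calling trace_sessions() returns the rows in sequence order; the LISTEN row and both UDP rows carry no remote address, while the ACCEPT row's remote address equals the client's local address.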
4 Using TCPView Professional

When you launch the GUI tool you are presented with two sub-windows:
• Static View - shows a snapshot of endpoints active on the system
• Dynamic View - shows real-time TCP/IP activity

You can use the tab key to move between views.

4.1 The Static View

The top sub-window is the static view. The static view shows you a snapshot of the existing TCP/IP endpoints on the system.
5 The Static View

5.1 Interpreting the Output

The following screen demonstrates the different types of entries you may see in the static view:

The columns are defined as follows:
• Process: the name of the process that owns the endpoint.
• Protocol: the protocol of the endpoint, either UDP or TCP.
• Local Address: the local IP address/port-pair of the endpoint.
endpoints are connectionless, so they are not associated with any particular remote address. Note that process services.exe (the Windows NT/Windows 2000 Service Control Manager) has sent 1688 messages totalling 91877 bytes over UDP endpoint DUAL:nbname. The next four entries are connected TCP endpoints. For instance, process RPCSS (the Remote Procedure Call Subsystem) has TCP endpoint DUAL:1026 connected to endpoint DUAL:1025.
To completely disable refreshing, you can either set the refresh rate to 0, or you can press the Freeze button. While the refresh is frozen you can manually refresh the static view with the Refresh button.

5.4 Sorting

You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time.
6 The Dynamic View

6.1 Interpreting the Dynamic View

The following screen shows an example of the kind of activity you will see in the dynamic view:

The columns are defined as follows:
• Seq: the sequence number of the event.
• Process: the name of the process that owns the endpoint.
• Action: the event type. This can be CONNECT, DISCONNECT, SEND, RECEIVE, ACCEPT, or LISTEN.
• Protocol: this shows the protocol of the endpoint, either UDP or TCP.
back). Activity continues with it receiving a 178-byte message on the TCP connection it established with the web server and then sending a 354-byte message back to the server.

6.2 Controlling Updates

You can control the dynamic view in several ways. First, you can limit the depth of the display, or the number of records it retains, by setting the history depth with the Configure|History Depth menu entry.
7 DNS Name Resolution

By default TCPView Professional does not resolve IP addresses to their names or port numbers to their descriptive text. For example, if www.winternals.com has the IP address 10.0.0.1, TCPView Professional will show the numeric representation. Well-defined port numbers have descriptive names; for instance, port 80 is the http port. TCPView Professional has an internal table for translating many port numbers to their names.
8 Filtering and Highlighting

TCPView Professional offers several powerful filtering options so that you can narrow the output down to what interests you. You can access the filtering dialog using the filter button or the Configure|Filter/Highlight menu entry.