Determining the program that is connecting to specific IP addresses

While troubleshooting a network issue using the free and open source (FOSS) network analyzer Wireshark, I noticed connections to IP addresses that I thought might be associated with adware sites. The connections were occurring from a Microsoft Windows 10 system. I suspected that the connections were occurring via a browser tab that was open to a website within the K-Meleon web browser, but I wanted to confirm that was the case and then, if it was, to identify the particular tab and web page responsible for the traffic, since several tabs were open in the browser. Other browsers with multiple windows and tabs were also open on the system, so I might also need to check the tabs open in those browsers.

To see all of the connections to websites on the HTTP port, which is the well-known port 80, I can open a command prompt window, run netstat -an, and pipe its output into the find command, looking for ":80". The -a option shows all connections and listening ports, and the -n option displays addresses and port numbers in numeric form rather than resolving them to host names and service names such as http.

C:\WINDOWS\system32>netstat -an | find ":80"
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED
  TCP    192.168.1.20:54747     152.163.66.131:80      ESTABLISHED
  TCP    192.168.1.20:54759     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54763     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54766     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54769     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54772     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54774     152.163.66.131:80      ESTABLISHED
  TCP    192.168.1.20:54775     152.163.66.131:80      TIME_WAIT
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED

C:\WINDOWS\system32>

The -n option displays the IP addresses of the systems, but if I want the fully qualified domain name (FQDN) for each system, then I need to replace the -n option with the -f option. Without the -f option, the host names will likely be truncated, as shown below:

C:\WINDOWS\system32>netstat -a | find ":http"
  TCP    192.168.1.20:54069     72-45-50-168-static:http  ESTABLISHED
  TCP    192.168.1.20:54566     72-45-50-168-static:http  ESTABLISHED
  TCP    192.168.1.20:54747     adtechus-ads-adtech-mtc-blue-a:http  ESTABLISHED

But with the -f option, I can see the FQDNs instead of IP addresses, provided that an IP address has an FQDN associated with it; not all IP addresses will, as with the last entry in the output below, which is for a connection to a web server via HTTPS:

C:\WINDOWS\system32>netstat -af | find ":http" 
  TCP    192.168.1.20:54747     adtechus-ads-adtech-mtc-blue-a.evip.aol.com:http  ESTABLISHED
  TCP    192.168.1.20:54986     text-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55007     upload-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55008     upload-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55013     65.55.44.109:https     TIME_WAIT

If I want to know which program running on the system established the connection to the remote web server, I can use the -b option with the netstat command. However, if you attempt to run the netstat command with that option from a regular user command prompt, you will see the message "The requested operation requires elevation." You can run the command from an administrator command prompt window on a Windows 10 system by right-clicking on the Windows Start button and choosing Command Prompt (Admin) - for earlier Windows versions, see Obtaining a command prompt with administrator access under Windows 7.

That will likely show a lot of output lines, even if I drop the -a option (which displays all connections and listening ports). E.g.:

C:\WINDOWS\system32>netstat -nb

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5354         127.0.0.1:49701        ESTABLISHED
 [mDNSResponder.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49702        ESTABLISHED
 [mDNSResponder.exe]
  TCP    127.0.0.1:27015        127.0.0.1:49790        ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49701        127.0.0.1:5354         ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49702        127.0.0.1:5354         ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49790        127.0.0.1:27015        ESTABLISHED
 [iTunesHelper.exe]
  TCP    127.0.0.1:50414        127.0.0.1:50415        ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:50415        127.0.0.1:50414        ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:55580        127.0.0.1:55581        ESTABLISHED
 [k-meleon.exe]
  TCP    127.0.0.1:55581        127.0.0.1:55580        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:135       192.168.1.6:50328      ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:3389      192.168.1.5:53688      ESTABLISHED
  TermService
 [svchost.exe]
  TCP    192.168.1.20:49671     192.168.1.6:50329      ESTABLISHED
 [spoolsv.exe]
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED
 [microsoftedgecp.exe]
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED
 [microsoftedgecp.exe]
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55684     65.55.44.109:443       TIME_WAIT
  TCP    192.168.1.20:55685     65.55.44.108:443       TIME_WAIT
  TCP    192.168.1.20:55692     72.45.50.174:80        TIME_WAIT
  TCP    192.168.1.20:55693     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55696     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55699     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55702     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55705     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55706     52.71.69.88:80         ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55707     68.67.178.138:80       ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55964     34.193.149.177:443     ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55965     52.72.45.37:443        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:58015     192.168.8.254:22       ESTABLISHED
 [putty.exe]
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:61789     192.168.1.5:445        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.20:61918     65.52.108.219:443      ESTABLISHED
 [explorer.exe]
  TCP    192.168.1.20:62214     65.52.108.199:443      ESTABLISHED
  ProfSvc
 [svchost.exe]

 C:\WINDOWS\system32>

The executable file for the program that made the connection is shown on the line below the connection's addresses. E.g., for the connection shown below, I can see that the application that established the connection to port 80 was the K-Meleon web browser running on the system.

  TCP    192.168.1.20:55707     68.67.178.138:80       ESTABLISHED
 [k-meleon.exe]
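
As an added example (not from the original post), here is a small Python parser for the netstat -nob layout just described, written for analysing captured output offline: it pairs each connection line with the owner lines that follow it, including the service-name line that precedes [svchost.exe] and the "Can not obtain ownership information" case, and then answers the question of which programs are talking to a given remote address. The sample text is a constructed excerpt of the output above.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the "netstat -nob" output shown above,
# trimmed to one entry of each shape the command produces.
NETSTAT_NOB_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:135       192.168.1.6:50328      ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED
 [microsoftedgecp.exe]
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55693     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55707     68.67.178.138:80       ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:61789     192.168.1.5:445        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.20:62214     65.52.108.199:443      ESTABLISHED
  ProfSvc
 [svchost.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*([A-Z_]*)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")             # " [k-meleon.exe]"
SERVICE_RE = re.compile(r"^\s+([A-Za-z0-9_\-]+)\s*$")  # "  RpcSs" before [svchost.exe]
NO_OWNER = "Can not obtain ownership information"


def parse_netstat_nob(text):
    """Parse `netstat -nob` output; owner lines follow each connection line.
    Shapes: "[image.exe]"; a service name then "[svchost.exe]"; the "Can not
    obtain ownership information" message; or nothing (TIME_WAIT sockets)."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            records.append({"proto": proto, "local": (laddr, lport),
                            "remote": (raddr, rport), "state": state,
                            "image": None, "service": None})
        elif records:                      # owner lines belong to the last record
            cur = records[-1]
            if line.strip() == NO_OWNER:
                cur["image"] = NO_OWNER
            elif IMAGE_RE.match(line):
                cur["image"] = IMAGE_RE.match(line).group(1)
            elif cur["image"] is None and SERVICE_RE.match(line):
                cur["service"] = SERVICE_RE.match(line).group(1)
    return records


def owner_label(rec):
    """'svchost.exe (RpcSs)', 'k-meleon.exe', or '(no owner reported)'."""
    if rec["image"] is None:
        return "(no owner reported)"
    return f'{rec["image"]} ({rec["service"]})' if rec["service"] else rec["image"]


def owners_of(records, remote_ip):
    """Which programs hold connections to remote_ip: the question in the post."""
    return {owner_label(r) for r in records if r["remote"][0] == remote_ip}


def remotes_by_owner(records, port=None):
    """Map each identified owner to the remote IPs it talks to, optionally on one port."""
    out = defaultdict(set)
    for r in records:
        if r["image"] in (None, NO_OWNER):
            continue                       # nothing to attribute
        if port is None or r["remote"][1] == str(port):
            out[owner_label(r)].add(r["remote"][0])
    return dict(out)
```

Run it against a file saved from an elevated `netstat -nob > conns.txt` to get the same per-program grouping without reading the listing by eye.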

I could also use the -o option to see the process ID (PID) of the process that owns the connection. E.g.:

C:\WINDOWS\system32>netstat -no | find ":80"
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED     11132
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED     11132
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED     13260
  TCP    192.168.1.20:56182     152.163.66.131:80      TIME_WAIT       0
  TCP    192.168.1.20:56187     151.101.33.108:80      TIME_WAIT       0
  TCP    192.168.1.20:56202     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56205     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56208     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56211     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56215     8.247.90.236:80        TIME_WAIT       0
  TCP    192.168.1.20:56216     54.88.61.13:80         ESTABLISHED     13260
  TCP    192.168.1.20:56217     68.67.178.109:80       ESTABLISHED     13260
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED     13260

C:\WINDOWS\system32>

With that output, I would just need to identify the application associated with the process, which I could do through the Windows Task Manager. Or I could use the tasklist command to identify the executable file associated with a particular process ID. E.g.:

C:\WINDOWS\system32>tasklist /fi "pid eq 13260"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
k-meleon.exe                 13260 RDP-Tcp#1                  2    902,760 K

C:\WINDOWS\system32>

You can also combine the -b and -o options, e.g., netstat -nob.

Another command line interface (CLI) alternative to running the netstat command in a command prompt window is to open a PowerShell window and use the Get-NetTCPConnection cmdlet. Without any parameters it shows connections to all ports. To reduce the amount of output, I could use the -AppliedSetting internet parameter as shown below:

PS C:\> Get-NetTCPConnection -AppliedSetting internet

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
192.168.1.20                        62214     65.52.108.199                       443        Established Internet
192.168.1.20                        61918     65.52.108.219                       443        Established Internet
192.168.1.20                        61789     192.168.1.5                         445        Established Internet
192.168.1.20                        58462     52.44.206.90                        80         Established Internet
192.168.1.20                        58015     198.168.8.254                       22         Established Internet
192.168.1.20                        56530     68.67.180.45                        80         Established Internet
192.168.1.20                        56529     54.88.61.13                         80         Established Internet
192.168.1.20                        56524     65.52.108.11                        443        Established Internet
192.168.1.20                        56523     65.52.108.11                        443        Established Internet
192.168.1.20                        56522     104.28.30.239                       443        Established Internet
192.168.1.20                        56521     104.28.30.239                       443        Established Internet
192.168.1.20                        56520     65.52.108.11                        443        Established Internet
192.168.1.20                        56519     65.52.108.11                        443        Established Internet
192.168.1.20                        56518     173.194.204.155                     443        Established Internet
192.168.1.20                        56517     104.117.15.144                      443        Established Internet
192.168.1.20                        56516     104.117.15.144                      443        Established Internet
192.168.1.20                        56515     31.13.80.36                         443        Established Internet
192.168.1.20                        56514     108.174.10.10                       443        Established Internet
192.168.1.20                        56513     172.217.3.46                        443        Established Internet
192.168.1.20                        56512     104.95.47.13                        443        Established Internet
192.168.1.20                        56511     208.80.154.224                      443        Established Internet
192.168.1.20                        56510     208.80.154.240                      443        Established Internet
192.168.1.20                        56509     208.80.154.224                      443        Established Internet
192.168.1.20                        56401     152.163.66.131                      80         Established Internet
192.168.1.20                        55965     52.72.45.37                         443        Established Internet
192.168.1.20                        55964     34.193.149.177                      443        Established Internet
127.0.0.1                           55581     127.0.0.1                           55580      Established Internet
127.0.0.1                           55580     127.0.0.1                           55581      Established Internet
192.168.1.20                        54566     72.45.50.168                        80         Established Internet
192.168.1.20                        54069     72.45.50.168                        80         Established Internet
127.0.0.1                           50415     127.0.0.1                           50414      Established Internet
127.0.0.1                           50414     127.0.0.1                           50415      Established Internet
127.0.0.1                           49790     127.0.0.1                           27015      Established Internet
127.0.0.1                           49702     127.0.0.1                           5354       Established Internet
127.0.0.1                           49701     127.0.0.1                           5354       Established Internet
192.168.1.20                        49671     192.168.1.6                         50329      Established Internet
127.0.0.1                           27015     127.0.0.1                           49790      Established Internet
127.0.0.1                           5354      127.0.0.1                           49701      Established Internet
127.0.0.1                           5354      127.0.0.1                           49702      Established Internet
192.168.1.20                        3389      192.168.1.5                         53688      Established Internet
192.168.1.20                        135       192.168.1.6                         50328      Established Internet


PS C:\>

But, if I'm only interested in looking at connections to web servers on port 80, I can use the command shown below:

PS C:\> Get-NetTCPConnection -RemotePort 80

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
192.168.1.20                        58462     52.44.206.90                        80         Established Internet
192.168.1.20                        56664     52.71.69.88                         80         Established Internet
192.168.1.20                        56663     8.247.90.236                        80         Established Internet
192.168.1.20                        56662     8.247.90.236                        80         TimeWait
192.168.1.20                        56657     198.41.215.182                      80         Established Internet
192.168.1.20                        56631     8.247.90.236                        80         TimeWait
192.168.1.20                        56630     198.41.215.182                      80         Established Internet
192.168.1.20                        56623     8.247.90.236                        80         TimeWait
192.168.1.20                        56618     8.247.90.236                        80         TimeWait
192.168.1.20                        56616     8.247.90.236                        80         TimeWait
192.168.1.20                        56602     8.247.90.236                        80         TimeWait
192.168.1.20                        56597     8.247.90.236                        80         TimeWait
192.168.1.20                        56401     152.163.66.131                      80         Established Internet
192.168.1.20                        54566     72.45.50.168                        80         Established Internet
192.168.1.20                        54069     72.45.50.168                        80         Established Internet


PS C:\>

If I know that the PID of the K-Meleon process running k-meleon.exe is 13260, I can specify it with the -OwningProcess parameter, alone or combined with the -RemotePort parameter, as shown below:

PS C:\> Get-NetTCPConnection -OwningProcess 13260

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
0.0.0.0                             58462     0.0.0.0                             0          Bound
0.0.0.0                             56744     0.0.0.0                             0          Bound
0.0.0.0                             56743     0.0.0.0                             0          Bound
0.0.0.0                             56734     0.0.0.0                             0          Bound
0.0.0.0                             56401     0.0.0.0                             0          Bound
0.0.0.0                             55965     0.0.0.0                             0          Bound
0.0.0.0                             55964     0.0.0.0                             0          Bound
0.0.0.0                             55581     0.0.0.0                             0          Bound
192.168.1.20                        58462     52.44.206.90                        80         Established Internet
192.168.1.20                        56744     68.67.178.176                       80         Established Internet
192.168.1.20                        56743     54.88.61.13                         80         Established Internet
192.168.1.20                        56734     152.163.66.131                      80         Established Internet
192.168.1.20                        56401     152.163.66.131                      80         Established Internet
192.168.1.20                        55965     52.72.45.37                         443        Established Internet
192.168.1.20                        55964     34.193.149.177                      443        Established Internet
127.0.0.1                           55581     127.0.0.1                           55580      Established Internet
127.0.0.1                           55580     127.0.0.1                           55581      Established Internet


PS C:\> Get-NetTCPConnection -OwningProcess 13260 -RemotePort 80

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
192.168.1.20                        58462     52.44.206.90                        80         Established Internet
192.168.1.20                        56734     152.163.66.131                      80         Established Internet
192.168.1.20                        56401     152.163.66.131                      80         Established Internet


PS C:\>

If I only wanted the remote IP address displayed, I could pipe the output to Select-Object (alias SELECT) and request just the RemoteAddress property, as shown below:

PS C:\> Get-NetTCPConnection -OwningProcess 13260 -RemotePort 80 | SELECT RemoteAddress

RemoteAddress
-------------
52.44.206.90
68.67.180.45
54.88.61.13
8.247.90.236
152.163.66.131
152.163.66.131


PS C:\>

Another way to find only the port 80 (HTTP) connections from a specific PID, in this case PID 13260, is to use the command below:

PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object RemotePort -eq 80

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
192.168.1.20                        58023     68.67.178.176                       80         Established Internet
192.168.1.20                        58022     52.71.69.88                         80         Established Internet
192.168.1.20                        58004     152.163.66.131                      80         Established Internet
192.168.1.20                        57904     34.192.66.172                       80         Established Internet


PS C:\>

If I want to see both port 80 and port 443 connections for that process, I can modify the command above by specifying a logical -or condition in the Where-Object script block.

PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)}

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
192.168.1.20                        58004     152.163.66.131                      80         Established Internet
192.168.1.20                        57904     34.192.66.172                       80         Established Internet
192.168.1.20                        55965     52.72.45.37                         443        Established Internet
192.168.1.20                        55964     34.193.149.177                      443        Established Internet


PS C:\>

If I just want to see the remote IP addresses, I can append | SELECT RemoteAddress to the end of that line, i.e., Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress.

PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | 
SELECT RemoteAddress

RemoteAddress
-------------
152.163.66.131
54.85.221.46
54.208.75.35
52.4.16.223


PS C:\>

If you want to also eliminate the "RemoteAddress" header line and the line of dashes that are output before the IP addresses, you can pipe the output into findstr /v with more than one search string; findstr treats space-separated search strings as a logical or, so any line matching one of them is dropped.

PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | 
SELECT RemoteAddress | findstr /v "RemoteAddress | ---"

152.163.66.131
54.85.221.46
54.208.75.35
52.4.16.223


PS C:\>

If I want to see a list of all the connections to ports 80 or 443 and just the remote IP address, port number, and process ID, I can use the command shown below. The columns I want displayed are passed to Select-Object (SELECT) as a comma-separated list.

PS C:\> Get-NetTCPConnection | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress,
 RemotePort, OwningProcess

RemoteAddress  RemotePort OwningProcess
-------------  ---------- -------------
8.247.90.236           80             0
8.247.90.236           80             0
8.247.90.236           80             0
8.247.90.236           80             0
8.247.90.236           80             0
172.217.3.46          443          7176
173.194.204.91        443          7176
152.163.66.131         80         13260
54.85.221.46          443         13260
54.208.75.35          443         13260
52.4.16.223            80         13260
65.52.108.199         443          1376
65.52.108.219         443          2120


PS C:\>

I could then use the tasklist command as I did with the command prompt method to determine what executable file is associated with the process identifiers, which I then should be able to associate with an application name.

PS C:\> tasklist /fi "pid eq 7176"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
chrome.exe                    7176 RDP-Tcp#3                  2     46,752 K
PS C:\>

In the above example, I can see that the application associated with PID 7176 is the Google Chrome browser.
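
As an added example (not part of the original post), the following Python joins captured netstat -no output with a captured tasklist table, automating the PID-to-image lookup done by hand above for both the command prompt and the PowerShell methods. The sample text is constructed from output shown on this page; PIDs 9999 and 4321 and the microsoftedgecp.exe tasklist row are made-up entries so that a PID missing from tasklist and a matched one are both exercised.

```python
import re

# Constructed samples, excerpted from the "netstat -no" and "tasklist" output
# shown above; PIDs 9999 and 4321 and the microsoftedgecp.exe row are made up.
NETSTAT_NO_SAMPLE = """\
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED     11132
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED     13260
  TCP    192.168.1.20:56182     152.163.66.131:80      TIME_WAIT       0
  TCP    192.168.1.20:56518     173.194.204.155:443    ESTABLISHED     7176
  TCP    192.168.1.20:56600     54.88.61.13:80         ESTABLISHED     9999
  TCP    192.168.1.20:58015     192.168.8.254:22       ESTABLISHED     4321
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
k-meleon.exe                 13260 RDP-Tcp#1                  2    902,760 K
chrome.exe                    7176 RDP-Tcp#3                  2     46,752 K
microsoftedgecp.exe          11132 RDP-Tcp#1                  2     60,000 K
"""

# netstat -no columns: Proto, Local, Foreign, State (absent for UDP), PID
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+([A-Z_]+)?\s*(\d+)\s*$")


def parse_netstat_no(text):
    """Parse `netstat -no` lines into dicts of remote address, port, state, PID."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _la, _lp, raddr, rport, state, pid = m.groups()
            conns.append({"proto": proto, "remote": raddr, "rport": rport,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Parse the `tasklist` table into {pid: image_name}.
    Column starts come from the '=====' ruler line, so cells are sliced by
    position rather than split on whitespace (image names may contain spaces)."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"=", " "})
    starts = [m.start() for m in re.finditer(r"=+", lines[ruler])]
    spans = list(zip(starts, starts[1:] + [None]))   # each column runs to the next
    header = [lines[ruler - 1][s:e].strip() for s, e in spans]
    img_col, pid_col = header.index("Image Name"), header.index("PID")
    table = {}
    for row in lines[ruler + 1:]:
        cells = [row[s:e].strip() for s, e in spans]
        if cells[pid_col].isdigit():
            table[int(cells[pid_col])] = cells[img_col]
    return table


def web_connections(netstat_text, tasklist_text, ports=(80, 443)):
    """Join connections on the given remote ports with the tasklist PID table,
    the lookup the post does by hand with `tasklist /fi "pid eq ..."`.
    Returns (remote_ip, remote_port, pid, image) tuples. netstat shows PID 0 for
    sockets no process owns any more (TIME_WAIT); a PID absent from tasklist
    means the process exited between the two commands, and a reused PID would
    map to the wrong image, so capture both outputs close together."""
    images = parse_tasklist(tasklist_text)
    wanted = {str(p) for p in ports}
    rows = []
    for c in parse_netstat_no(netstat_text):
        if c["rport"] not in wanted:
            continue
        if c["pid"] == 0:
            image = "(no owning process)"
        else:
            image = images.get(c["pid"], "(not in tasklist)")
        rows.append((c["remote"], int(c["rport"]), c["pid"], image))
    return rows
```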
