If you want to see the IP addresses to which a program on a Microsoft Windows system is establishing connections, you can use the Resource Monitor utility that is provided with Windows Vista and later versions of Windows to check on network connections from a particular application on the system. To start the program, you can click on the Windows Start button and type resmon or resmon.exe in the "Search programs and files" field on a Windows 7 system or the "Type here to search" field on a Windows 10 system. You should see the resmon utility returned as the best match.
When the Resource Monitor program is running, you can click on the Network tab and then TCP Connections to see network activity associated with programs currently running on the system. You can click on a column header, e.g., "Image", to sort the entries by the values in that column. In the example below, the entries are sorted on the image name, i.e., by the names of the running processes.
The column headers are as follows:
You can expand or contract the width of a column by clicking on the vertical line dividing it from an adjoining column and dragging the line left or right.
In the above example, I checked for the network connections established by a Norton Internet Security file, nis.exe. The location of the file on the system is shown below:
C:\Program Files\Norton Internet Security\Engine\22.11.2.7>dir nis.exe
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Program Files\Norton Internet Security\Engine\22.11.2.7

11/10/2017  10:03 PM           288,504 nis.exe
               1 File(s)        288,504 bytes
               0 Dir(s)  52,797,091,840 bytes free

C:\Program Files\Norton Internet Security\Engine\22.11.2.7>
The Resource Monitor display shows the software connected to 152.195.12.171, an IP address assigned to ANS Communications, Inc (ANS) by the American Registry for Internet Numbers (ARIN), on port 80, the well-known port for HTTP connections, and 13.91.60.30 on port 443, the well-known port for HTTPS connections. The latter address is assigned to Microsoft by ARIN. The first address is associated with the fully qualified domain name (FQDN) liveupdate.symantecliveupdate.com, so the connection may represent the Norton antivirus software on the system checking for updates.
C:\>nslookup liveupdate.symantecliveupdate.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cs964.wpc.chicdn.net
Address:  152.195.12.171
Aliases:  liveupdate.symantecliveupdate.com
          symantecliveupdate.5A45F.edgecastdns.net

C:\>
You can also find the IP addresses of systems to which an application is connected from a command-line interface (CLI), e.g., a command prompt, using the tasklist and netstat commands. You can use a tasklist command like the one shown below to find the PID of a process and then pipe the output of netstat -ano into the findstr command and have findstr filter on lines containing the PID to view only network connections for the relevant processes. Options for the three commands are shown at tasklist, netstat and findstr.
C:\>tasklist /fi "imagename eq nis.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
nis.exe                       3336 Services                   0     17,700 K
nis.exe                        604 Console                    1      9,780 K

C:\>netstat -ano | findstr 3336
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING       3336
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING       3336
  TCP    192.168.5.10:58034     40.114.95.106:443      ESTABLISHED     3336
  TCP    [::]:49175             [::]:0                 LISTENING       3336

C:\>netstat -ano | findstr 604

C:\>
In the above example, nis.exe has established a connection to a website at 40.114.95.106, another Microsoft IP address. Note that the connections to particular IP addresses will vary depending on when you run the command, just as they vary when viewed with the Resource Monitor program, because an application may not be constantly connected to a particular IP address.
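The tasklist-then-netstat lookup above, as an added PowerShell example (not code from the original article): it compares the PID column exactly, whereas findstr 3336 prints any line that contains that string, including one where it is part of a port number. The function name Select-NetstatByPid and the PID 812 row with address 203.0.113.7 are constructed for illustration; the other sample rows are the netstat output shown above.

```powershell
# Added example: filter "netstat -ano" text by exact PID instead of by substring.
# Parses plain netstat output, so it does not depend on Get-NetTCPConnection.
function Select-NetstatByPid {
    param(
        [Parameter(Mandatory = $true)][string[]] $NetstatLine,  # lines of netstat -ano
        [Parameter(Mandatory = $true)][int[]]    $ProcessId     # PIDs to keep
    )
    foreach ($line in $NetstatLine) {
        $f = @($line.Trim() -split '\s+')
        # TCP rows have 5 fields: Proto, Local, Foreign, State, PID.
        # Headers, blank lines and UDP rows (4 fields, no State) are skipped.
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        if ($ProcessId -notcontains [int]$f[4]) { continue }
        # Split at the LAST colon so IPv6 endpoints such as [::]:49175 parse.
        $i = $f[2].LastIndexOf(':')
        New-Object PSObject -Property @{
            PID           = [int]$f[4]
            State         = $f[3]
            Local         = $f[1]
            RemoteAddress = $f[2].Substring(0, $i)
            RemotePort    = $f[2].Substring($i + 1)
        }
    }
}

# Constructed sample: the rows from the article plus one made-up row (PID 812)
# whose local port 53336 contains "3336" and would also match "findstr 3336".
$sample = @'
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING       3336
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING       3336
  TCP    192.168.5.10:58034     40.114.95.106:443      ESTABLISHED     3336
  TCP    192.168.5.10:53336     203.0.113.7:443        ESTABLISHED     812
  TCP    [::]:49175             [::]:0                 LISTENING       3336
'@ -split "`r?`n"

# Only the established connection owned by PID 3336 is listed; the 812 row is not.
Select-NetstatByPid -NetstatLine $sample -ProcessId 3336 |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    Format-Table PID, RemoteAddress, RemotePort, State -AutoSize

# Live use: resolve every PID for nis.exe, then filter real netstat output.
# $pids = @(Get-Process -Name nis -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
# if ($pids) { Select-NetstatByPid -NetstatLine (netstat -ano) -ProcessId $pids }
```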