netstat with process name?
Solution 1
Solution
Use the -b
parameter:
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.
Note The netstat -b
command will fail unless run from an elevated command prompt.
Workaround
Filter the process list and find the PID you're interested in:
tasklist | findstr /c:"PID"
Alternate solution
You can use Tcpvcon.exe
instead. No admin rights required.
Tcpvcon usage is similar to that of the built-in Windows
netstat
utility.
Usage: tcpvcon [-a] [-c] [-n] [process name or PID]
-a Show all endpoints (default is to show established TCP connections).
-c Print output as CSV.
-n Don't resolve addresses.
Solution 2
I think you are looking for TCPView from SysInternals.
Solution 3
Here is an example for windows using FOR
to parse netstat
output then DO
tasklist
with /fi
filter on pid to show process name.
The last find is to remove tasklist
headers.
FOR /F "usebackq tokens=5 delims= " %i IN (`netstat -ano ^|find "443"`) DO @tasklist /fi "pid eq %i" | find "%i"
prints records output like
tomcat8.exe.x64 4240 Services 0 931,864 K
Additional fields from netstat
can be added by adding tokens.
Solution 4
If you're fond of using PS, you can fork this code (note: it's super-basic)
$nets = netstat -ano | select-string LISTENING
foreach($n in $nets){
# make split easier PLUS make it a string instead of a match object:
$p = $n -replace ' +',' '
# make it an array:
$nar = $p.Split(' ')
# pick last item:
$pname = $(Get-Process -id $nar[-1]).ProcessName
$ppath = $(Get-Process -id $nar[-1]).Path
# print the modified line with processname instead of PID:
$n -replace "$($nar[-1])","$($ppath) $($pname)"
}
Note that you can try Path
instead of ProcessName
to get a full executable path - it won't work with system services though. Also, you may want to append the ProcessName
to the end of the line instead of replacing the PID value.
Enjoy it ;)
Solution 5
Try to use this...
Process name with time stamp :) in oneliner... no need scripting fast and easy ...
You can change param SYN_SENT by ESTABLISHED or LISTENING
filter timestamp {"$(Get-Date -Format G): $_"};netstat -abno 1 | Select-String -Context 0,1 -Pattern LISTENING|timestamp
filter timestamp {"$(Get-Date -Format G): $_"};netstat -abno 1 | Select-String -Context 0,1 -Pattern SYN_SENT|timestamp
Related videos on Youtube
Royi Namir
Updated on September 18, 2022Comments
-
Royi Namir over 1 year
Using
netstat -a -o -n
I can get the list of ports and PIDthen I need to go to task manager and add the PID and see who is it. (pretty frustrating)
I was wonder if there is a CMD command which does it all ( using
find
,for
,powershell
)so that I could get the process name
-
barlop almost 8 yearsnetstat -b as admin, e.g. netstat -abon. And the name of the exe is below
-
Nathan B over 2 yearsI dont see the PID when doing your command
-
-
Royi Namir over 10 yearsI was wonder if there is a CMD command which does it all
-
Leptonator over 10 yearsKeep going - There is a command-line component of TCPView..
-
Royi Namir over 10 yearsoh ok. thought maybe someone already done it using for,find etc.
-
Leptonator over 10 yearsIt should not be too hard to do.. I would bet robvanderwoude.com has something on it. Per the TCPView Page - "The TCPView download includes Tcpvcon, a command-line version with the same functionality."
-
Royi Namir over 10 yearsyou're the man.
-
Edward J Beckett almost 9 yearsVery good tool suite.. if it wasn't for msys and sis I'd be using a nix box. :)
-
Leptonator almost 9 yearsHere is another way to approach this. Have a look here - alternativeto.net/software/tcpviews
-
barlop almost 8 yearsgood answer, just commenting that I think it's amusing how the ms /? documentation even says "this option can be time-consuming" ! and it's purely a stupidity of windows that it is time consuming. Linux's netstat does its executable name showing fast. And also linux's executable name showing doesn't require root/admin privileges
-
Yingyu YOU almost 8 yearsPros of this solution including: 1. using
find
to filter out ports (in contrast, althoughnetstat -b
can provide process name directly, but going through its output to search manually is painful and error-prone); 2. using Windows native commands only, that is more flexible and independent. -
Yingyu YOU almost 8 yearsPossible improvement: 1. to use
findstr
with/R
option instead offind
to utilize regex for better searching; 2. to use:443 *[[0-9]"
as the pattern to filter out local port only. The whole command could beFOR /F "usebackq tokens=5 delims= " %i IN (`netstat -ano ^|findstr /R /C:":443 *[[0-9]"`) DO @tasklist /fi "pid eq %i" | findstr "%i"
-
Yves Schelpe over 7 years@DavidPostill or @mark Could you clarify "Additional fields from
netstat
can be added by adding tokens."? -
flolilo over 6 yearsI edited Erik's question to include your fix, so if you wish, you could delete it from your answer and concentrate on your approach with
GetService
andGet-Process
. -
jmn8 over 4 yearsI used this with a pattern on the ip:port I wanted to observe. Great snippet!
-
user754036 almost 4 yearshow to programatically get tcpvcon.exe, in C++. Does it come as a nuget package?
-
Community over 2 yearsYour answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
-
Nathan B over 2 yearsI don't see the -b option in the manual: linux.die.net/man/8/netstat