UDP port appears to be in use but is not shown in netstat or TCPView


Ports 5000 and 5001 are used by Yahoo Messenger. Don't know if both show when you netstat.

Also, 5001 is suspicious - I remember it was used by remote-access trojans. Sorry I have no details.

Have you tried to telnet to your server to port 5001? Is it really listening/in use?


Author: Yobmod

Updated on September 18, 2022

Comments

  • Yobmod
    Yobmod over 1 year

    I've encountered some strange behavior I don't understand. I'm installing software on a Windows 2003 Server. This software needs to bind to a specific UDP port on all TCP addresses in order to listen to requests. I seem to be able to bind to several ports of my choice but not others; specifically I can't bind to the one port I need, which is 5001. Other presumably free ports like 5002, 5010 also fail. My first guess was "it's in use by another program", but it doesn't show either in netstat or TCPView (from sysinternals), so I'm at a loss about what to do about this. The program is getting socket error 10048 (address already in use).

    These are example commands I use to try and find the "offending" program:

    c:\>netstat -a -v -n -o -p udp
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State           PID
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:500            *:*                                    512
      UDP    0.0.0.0:1434           *:*                                    1980
      UDP    0.0.0.0:4500           *:*                                    512
      UDP    0.0.0.0:5000           *:*                                    5920
      UDP    0.0.0.0:5500           *:*                                    5288
      UDP    127.0.0.1:123          *:*                                    856
      UDP    127.0.0.1:1314         *:*                                    4376
      UDP    172.20.1.10:123        *:*                                    856
      UDP    172.20.1.10:137        *:*                                    4
      UDP    172.20.1.10:138        *:*                                    4
    
    (No UDP port 5001 is in use!)
    
    Or:
    
    C:\> netstat -an | findstr 5001
    
    (no output)
    

    I run all tests using the local Administrator account to no avail. My program is written in C++ (Winsock 2), although I also performed quick tests with a simple VB6 program with the same results. There is no DNS service installed (which is known to reserve ranges of UDP ports).

    How can I find the "offending" program, i.e., the program taking the UDP port I need to use?

    • Admin
      Admin over 10 years
      in your netstat output, is port 5500 reserved by your app?
    • Admin
      Admin over 10 years
      5500 is a port I'm using temporarily while I find out why I can't use 5001. UDP port 5000 is used by another app of mine.
    • Admin
      Admin over 10 years
      Have you tried WireShark to see if any program is moving data on that port?
    • Admin
      Admin over 10 years
      I haven't seen any traffic on those ports, no. The bottom question remains: how come the port is "taken" but netstat knows nothing about it? Weird!
  • Spence
    Spence over 10 years
    He's talking about a UDP port. You don't "telnet to" a UDP port.
  • Yobmod
    Yobmod over 10 years
    The ports were no longer in use after I rebooted the server. However, I'd still like to know why netstat didn't see the port as in use whilst the program kept getting an "address already in use" error?
  • Michael Bailey
    Michael Bailey almost 9 years
    I'd spitball an application glitch
  • Michael Bailey
    Michael Bailey almost 9 years
    The only major Trojan who's touched 5001 and has been majorly reported on as doing such is "Sockets de Troie", (I've literally never heard of it) you been to France recently? Also, Yahoo Messenger Chat doesn't use 5001 UDP, but Yahoo Voice does. And A LOT of other miscellaneous applications.
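
One way to check the mismatch discussed in this thread from both sides, as an added example that is not part of the original posts: it attempts the same UDP bind the failing program makes and lists the ports that fail as "in use" although the netstat listing names no owner. The function names and the sample netstat text are constructed for illustration.

```python
import errno
import re
import socket

# Constructed sample in the format of the `netstat -a -n -o -p udp` listing above.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:5000           *:*                                    5920
  UDP    0.0.0.0:5500           *:*                                    5288
  UDP    127.0.0.1:123          *:*                                    856
"""

# One UDP row: local address, local port, foreign address, owning PID.
ROW = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")

def netstat_udp_ports(text):
    """Map each UDP port found in netstat output to the set of owning PIDs."""
    owners = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            owners.setdefault(int(m.group(2)), set()).add(int(m.group(3)))
    return owners

def probe_udp_bind(port, host="0.0.0.0"):
    """Try to bind a UDP socket; return 'free', 'in_use' or 'error:<code>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return "free"
    except OSError as e:
        # Winsock reports 10048 (WSAEADDRINUSE); POSIX reports EADDRINUSE.
        code = getattr(e, "winerror", None) or e.errno
        if code in (10048, errno.EADDRINUSE):
            return "in_use"
        return "error:%s" % code
    finally:
        s.close()

def unexplained_conflicts(ports, netstat_text, host="0.0.0.0"):
    """Ports whose bind fails as in-use although netstat lists no owner."""
    owners = netstat_udp_ports(netstat_text)
    return [p for p in ports
            if probe_udp_bind(p, host) == "in_use" and p not in owners]

if __name__ == "__main__":
    for p in (5000, 5001, 5002, 5010, 5500):
        print(p, probe_udp_bind(p))
```

Feed `unexplained_conflicts` the live `netstat` output captured at the same moment as the probe; any port it returns is one the bind call rejects but the listing cannot attribute to a PID.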