TCPView Professional
User’s Guide
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, Texas 78746
(512) 330-9130
(512) 330-9131 Fax
www.winternals.com
Copyright © 2003 Winternals Software LP
Table of Contents
1 Introduction ..... 1
2 Requirements ..... 2
3 Overview of TCP/IP ..... 3
3.1 TCP ..... 3
3.2 UDP ..... 4
4 Using TCPView Professional ..... 5
4.1 The Static View ..... 5
4.2 The Dynamic View ..... 5
5 The Static View ..... 6
5.1 Interpreting the Output ..... 6
5.2 Showing Only Connected Endpoints ..... 7
5.3 Controlling the Refresh Rate ..... 7
5.4 Sorting ..... 8
6 The Dynamic View ..... 9
6.1 Interpreting the Dynamic View ..... 9
6.2 Controlling Updates ..... 10
6.3 Sorting ..... 10
7 DNS Name Resolution ..... 11
8 Filtering and Highlighting ..... 12
8.1 Include and Exclude Filters ..... 13
8.2 Dynamic Filters ..... 14
8.3 Highlight Filters ..... 15
9 Searching ..... 16
10 Saving and Printing ..... 17
11 Using the Clipboard ..... 18
12 Customizing the Font ..... 19
13 Customizing Toolbars and Menus ..... 20
13.1 Creating and Deleting Toolbars ..... 21
13.2 Deleting and Rearranging Toolbar Items ..... 21
13.3 Adding Items to a Toolbar ..... 22
13.4 Controlling Menu Behavior ..... 22
14 Using TCPVStat ..... 23
15 Frequently Asked Questions ..... 24
16 Sales ..... 26
17 Technical Support ..... 27
1 Introduction
Welcome to TCPView Professional. TCPView Professional allows you to monitor TCP/IP network activity on Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows 9x systems. Unlike the built-in TCP/IP monitoring tools that come with Windows (such as netstat), TCPView Professional shows you which process is associated with each TCP/IP address, making it easy to determine what application is responsible for specific connections and activity. TCPView Professional also lets you see TCP/IP activity by process in real time, a feature not available with any other utility.
These features make TCPView Professional a uniquely powerful tool for networking and application troubleshooting. TCPView Professional also lets you see the amount of data sent and received over a network connection, which makes it a useful tool for performance diagnostics. Finally, TCPView Professional offers a range of configuration options that let you auto-refresh its display, save output to a file, and filter and highlight entries by process, IP address, or port.
TCPView Professional's capabilities let you:
• Determine which process has an address opened
• See what remote network addresses suspicious applications are accessing
• Obtain detailed statistics on the amount of data sent and received over a connection
• Watch an application's TCP/IP activity in real time
• Save TCP/IP activity logs and connection information to file
• Filter the data captured so that you only see accesses performed by a specific process, or that involve particular local or remote addresses
2 Requirements
TCPView Professional runs on the following operating systems:
• Windows 95
• Windows 95 OSR2
• Windows 98
• Windows 98 Second Edition
• Windows NT 4.0
• Windows 2000
• Windows XP
• Windows Server 2003
If you run TCPView Professional on Windows 95 you will need the following:
• COMCTL32.DLL version 4.7 or higher. You can obtain such a version with either Internet Explorer 4.0 or Internet Explorer 5.0, available for free download from the Microsoft web site.
• The Windows 95 WinSock 2 Update. This is also available for download from the Microsoft web site.
3 Overview of TCP/IP
TCP/IP actually consists of three protocols: TCP (Transmission Control Protocol), UDP (Unreliable Datagram Protocol) and IP (Internet Protocol). UDP and TCP use IP as their foundation. This section provides a brief (and simplified) description of TCP and UDP.
3.1 TCP
TCP offers connection-oriented, reliable communications. A TCP session is initiated by a process allocating a TCP endpoint (object) and assigning it an IP address and port number. The IP address of course must be one local to the computer. Local IP addresses can be specified in three different ways:
• as 0.0.0.0
• as 127.0.0.1
• or as an IP address assigned to the computer (e.g. 209.233.4.14)
A process can either explicitly specify a port number or let the TCP/IP stack assign one for it. A process typically specifies a port number if it provides a service that has a defined port number associated with it. For example, a web server uses port 80 because that port number is defined as being the http port, and internet browsers by default attempt connections to that port number.
After assigning an address/port-pair the process can either initiate a connection to a remote endpoint or wait for incoming connections. An attempt to connect with a remote endpoint is called a connect request, and the process specifies the remote endpoint's address/port-pair.
When a process waits for a connection, it listens for incoming connection requests. In order to listen it must define connection endpoints on which it can accept connections, and if it wishes to establish a connection when a connection request arrives it accepts the connection with another TCP endpoint. Thus, the listen endpoint remains in the listen state as long as one or more unconnected connection objects exist for the listen endpoint.
A TCP session is terminated when either end of a connection performs a disconnect operation.
3.2 UDP
UDP provides for unreliable, connectionless communications. It also allows for broadcast capability. A UDP session is initiated when a process creates a UDP endpoint. As for TCP endpoints, the process can either explicitly assign a port number or let the TCP/IP stack assign one. The address format is the same as for TCP.
Since UDP is connectionless, a process does not need to establish a connection before sending or receiving messages - it can immediately begin sending and receiving messages. However, it must specify the remote address/port-pair whenever it sends (for a TCP send the remote address/port-pair is defined by the connection).
A UDP session ends when a process closes its UDP endpoint.
4 Using TCPView Professional
When you launch the GUI tool you are presented with two sub-windows:
• Static View - shows a snapshot of endpoints active on the system
• Dynamic View - shows real-time TCP/IP activity
You can use the tab key to move between views.
4.1 The Static View
The top sub-window is the static view. The static view shows you a snapshot of the existing TCP/IP endpoints on the system. For example, if a program opens UDP port 3200 and specifies local IP address 0.0.0.0, you will see a line in the static view with the name of the process, UDP as the protocol, and "0.0.0.0:3200" as the local address. The remote address will be listed as "*.*" since the UDP protocol does not support connections. The static view also shows the number of messages and bytes sent and received in the Sent and Received columns. The number of messages and the number of bytes transferred are separated with a forward slash.
4.2 The Dynamic View
The dynamic view presents a real-time view of the TCP/IP activity on the system. Each line represents a different event, and the information that TCPView Professional shows for the event includes the event type (send, disconnect, etc.), the time of the event, the event's status, the local and (if applicable) remote address/port-pairs of the endpoint on which the event took place, and the number of bytes sent or received.
5 The Static View
5.1 Interpreting the Output
The following screen demonstrates the different types of entries you may see in the static view:
The columns are defined as follows:
• Process: the name of the process that owns the endpoint.
• Protocol: the protocol of the endpoint, either UDP or TCP.
• Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically.
• Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING".
• Sent: the number of messages and bytes sent on an endpoint. The number of messages is shown first, with a slash separating the two numbers.
• Received: the number of messages and bytes received on an endpoint. The number of messages is shown first, with a slash separating the two numbers.
The first two lines in the sample screen are UDP endpoints, which is the reason that the remote address for these endpoints is shown as "*.*"; UDP endpoints are connectionless, so they are not associated with any particular remote address. Note that process services.exe (the Windows NT/Windows 2000 Service Control Manager) has sent 1688 messages totalling 91877 bytes over UDP endpoint DUAL:nbname.
The next four entries are connected TCP endpoints. For instance, process RPSS (the Remote Procedure Call Subsystem) has TCP endpoint DUAL:1026 connected to endpoint DUAL:1025.
Finally, the last line is a TCP endpoint that is not connected. Instead, it is in the listening state, where the process is waiting for incoming connection requests from remote addresses.
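As an added example (not part of the Winternals manual and not TCPView Professional's own code), the following Python script creates on the local machine the three kinds of endpoint described in section 3 and listed in section 5.1: a listening TCP endpoint whose port the stack chose, a connected TCP pair over loopback, and a UDP endpoint that exchanges two messages with itself. It then renders the result using the static view's column conventions: numeric address:port, "*.*" as the remote address of a UDP endpoint, "LISTENING" for an unconnected TCP endpoint, and messages/bytes in the Sent and Received columns. The process name and the formatting helpers are assumptions; TCPView Professional obtains these values from the system rather than from the program itself, so the script reproduces the layout, not the tool's collection method.

```python
"""Added example: recreate the endpoint states described in sections 3 and
5.1 of the TCPView Professional guide and render them in static-view layout.
Not part of the manual or of TCPView Professional; the process name and the
formatting helpers below are assumptions."""
import socket

PROCESS_NAME = "demo.py"  # assumed; the real tool shows the owning process


def fmt_addr(addr):
    """Render an (ip, port) tuple in the manual's address:port form."""
    host, port = addr[:2]
    return f"{host}:{port}"


def describe(sock, proto, sent=(0, 0), received=(0, 0)):
    """Return one static-view row for a socket as a dict keyed by column.

    Conventions from section 5.1: UDP endpoints show "*.*" as the remote
    address, TCP endpoints without a peer show "LISTENING", and Sent and
    Received are rendered as messages/bytes separated by a slash.
    """
    local = fmt_addr(sock.getsockname())
    if proto == "UDP":
        remote = "*.*"
    else:
        try:
            remote = fmt_addr(sock.getpeername())
        except OSError:  # ENOTCONN: a TCP endpoint with no peer is listening
            remote = "LISTENING"
    return {
        "Process": PROCESS_NAME,
        "Protocol": proto,
        "Local Address": local,
        "Remote Address": remote,
        "Sent": f"{sent[0]}/{sent[1]}",
        "Received": f"{received[0]}/{received[1]}",
    }


def build_snapshot():
    """Create a listening TCP endpoint, a connected TCP pair and a UDP
    endpoint on loopback, then return their static-view rows in that order."""
    # A process that offers no well-known service lets the stack pick the
    # port (section 3.1); binding to port 0 asks for exactly that.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    # A connect request against the listener; the listener accepts it with a
    # second endpoint and itself stays in the listen state (section 3.1).
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listener.getsockname())
    server_side, _ = listener.accept()

    # A UDP endpoint sending two messages to its own address/port-pair, the
    # same loopback pattern the manual's section 6.1 walk-through shows.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(2.0)
    sent_msgs = sent_bytes = 0
    for payload in (b"x", b"yz"):
        sent_bytes += udp.sendto(payload, udp.getsockname())
        sent_msgs += 1
    recv_msgs = recv_bytes = 0
    for _ in range(sent_msgs):
        data, _ = udp.recvfrom(64)
        recv_msgs += 1
        recv_bytes += len(data)

    rows = [
        describe(listener, "TCP"),
        describe(client, "TCP"),
        describe(server_side, "TCP"),
        describe(udp, "UDP", (sent_msgs, sent_bytes), (recv_msgs, recv_bytes)),
    ]
    for s in (server_side, client, listener, udp):
        s.close()
    return rows


def render(rows):
    """Format rows as a fixed-width table in the static view's column order."""
    columns = ["Process", "Protocol", "Local Address", "Remote Address", "Sent", "Received"]
    widths = {c: max(len(c), *(len(r[c]) for r in rows)) for c in columns}
    lines = ["  ".join(c.ljust(widths[c]) for c in columns)]
    for r in rows:
        lines.append("  ".join(r[c].ljust(widths[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_snapshot()))
```

The sockets are closed as soon as the rows are built, so the endpoints exist only for an instant; inserting a pause before the close loop lets you run the script on a Windows machine next to TCPView Professional (or netstat -a) and compare its rows with what the static view reports for the same process.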
5.2 Showing Only Connected Endpoints
TCPView Professional shows all endpoints, including UDP endpoints, connected TCP endpoints, and unconnected TCP endpoints. However, you can toggle the Show All Endpoints toolbar button, or the Options|Show All menu entry, to have TCPView Professional show only connected TCP endpoints. TCPView Professional's default behavior corresponds to the Windows netstat command's -a option.
5.3 Controlling the Refresh Rate
By default TCPView Professional refreshes the contents of the static view once every second. To change the refresh rate use the Configure|Refresh Rate menu entry.
To completely disable refreshing, you can either set the refresh rate to 0, or you can press the Freeze toolbar button. While the refresh is frozen you can manually refresh the static view with the Refresh toolbar button.
5.4 Sorting
You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time.
6 The Dynamic View
6.1 Interpreting the Dynamic View
The following screen shows an example of the kind of activity you will see in the dynamic view:
The columns are defined as follows:
• Seq: the sequence number of the event.
• Process: the name of the process that owns the endpoint.
• Action: the event type. This can be CONNECT, DISCONNECT, SEND, RECEIVE, ACCEPT, or LISTEN.
• Protocol: the protocol of the endpoint, either UDP or TCP.
• Local Address: the local IP address/port-pair of the endpoint. If DNS name resolution is toggled on then the address is shown by name, otherwise it is shown numerically.
• Remote Address: the remote IP address/port-pair of the endpoint, if applicable. Only TCP endpoints can have this field defined with an address. UDP endpoints show "*.*" and TCP endpoints that are not connected show "LISTENING".
• Status: either SUCCESS or ERROR.
• Bytes: the number of bytes sent or received. This field is only defined for SEND and RECEIVE events.
The first line in the sample screen shows an Internet Explorer (IE) process, which has created the TCP endpoint having the local address DUAL:1243, connecting to the remote address mail.webserve.winternals.com:http. IE then sends two 1-byte messages from UDP port 1235 to the same port (loopback). Activity continues with it receiving a 178-byte message on the TCP connection it established with the web server and then sending a 354-byte message back to the server.
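As an added example (not part of the manual and not TCPView Professional's own code), the Python below parses dynamic-view records laid out in the column order section 6.1 defines and answers the questions section 1 lists: how much each process sent and received, which remote addresses a process connected to, and an include-style filter by process or address of the kind the Filtering chapter introduces. The tab-separated line format, the process names svchost.exe and updater.exe, and the address 198.51.100.7:8080 are constructed for this example; the page does not show TCPView Professional's saved-file format. The Internet Explorer records reproduce the values the walk-through above gives (DUAL:1243, two 1-byte UDP sends from port 1235, 178 bytes received, 354 bytes sent), with iexplore.exe assumed as the process name.

```python
"""Added example: parse and summarise dynamic-view style records.
Not part of the TCPView Professional manual; the tab-separated layout and
the sample records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = {"CONNECT", "DISCONNECT", "SEND", "RECEIVE", "ACCEPT", "LISTEN"}
STATUSES = {"SUCCESS", "ERROR"}

# Constructed sample, one record per line, columns in section 6.1's order:
# Seq, Process, Action, Protocol, Local Address, Remote Address, Status, Bytes.
# Records 1-5 follow the manual's Internet Explorer walk-through; 6 and 7 are
# invented (svchost.exe listening, updater.exe failing to connect).
SAMPLE_LOG = "\n".join([
    "1\tiexplore.exe\tCONNECT\tTCP\tDUAL:1243\tmail.webserve.winternals.com:http\tSUCCESS\t",
    "2\tiexplore.exe\tSEND\tUDP\tDUAL:1235\tDUAL:1235\tSUCCESS\t1",
    "3\tiexplore.exe\tSEND\tUDP\tDUAL:1235\tDUAL:1235\tSUCCESS\t1",
    "4\tiexplore.exe\tRECEIVE\tTCP\tDUAL:1243\tmail.webserve.winternals.com:http\tSUCCESS\t178",
    "5\tiexplore.exe\tSEND\tTCP\tDUAL:1243\tmail.webserve.winternals.com:http\tSUCCESS\t354",
    "6\tsvchost.exe\tLISTEN\tTCP\t0.0.0.0:135\tLISTENING\tSUCCESS\t",
    "7\tupdater.exe\tCONNECT\tTCP\tDUAL:1300\t198.51.100.7:8080\tERROR\t",
])


@dataclass
class Event:
    seq: int
    process: str
    action: str
    protocol: str
    local: str
    remote: str
    status: str
    nbytes: Optional[int]  # only defined for SEND and RECEIVE (section 6.1)


def parse_line(line: str) -> Event:
    """Turn one tab-separated record into an Event, rejecting malformed input."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    seq, process, action, protocol, local, remote, status, nbytes = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in record {seq}")
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r} in record {seq}")
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol {protocol!r} in record {seq}")
    # The Bytes column carries a value only for SEND and RECEIVE events.
    count = int(nbytes) if action in ("SEND", "RECEIVE") else None
    return Event(int(seq), process, action, protocol, local, remote, status, count)


def parse_log(text: str) -> List[Event]:
    """Parse a whole capture, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def traffic_by_process(events):
    """Per-process (messages, bytes) totals for successful SEND and RECEIVE
    events: the same two figures the static view's Sent/Received columns show."""
    totals = defaultdict(lambda: {"sent": [0, 0], "received": [0, 0]})
    for ev in events:
        if ev.status != "SUCCESS" or ev.action not in ("SEND", "RECEIVE"):
            continue
        bucket = totals[ev.process]["sent" if ev.action == "SEND" else "received"]
        bucket[0] += 1
        bucket[1] += ev.nbytes
    return {p: {k: tuple(v) for k, v in d.items()} for p, d in totals.items()}


def remote_endpoints(events, process):
    """Distinct remote address/port-pairs a process successfully connected to."""
    return sorted({ev.remote for ev in events
                   if ev.process.lower() == process.lower()
                   and ev.action == "CONNECT" and ev.status == "SUCCESS"})


def filter_events(events, process=None, address=None):
    """Include-style filter: keep events owned by `process` and/or whose local
    or remote address contains `address` (both matches are case-insensitive)."""
    kept = []
    for ev in events:
        if process is not None and ev.process.lower() != process.lower():
            continue
        if address is not None and address.lower() not in f"{ev.local} {ev.remote}".lower():
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for proc, t in traffic_by_process(evs).items():
        print(f"{proc}: sent {t['sent'][0]}/{t['sent'][1]}, "
              f"received {t['received'][0]}/{t['received'][1]}")
    print("iexplore.exe connected to:", remote_endpoints(evs, "iexplore.exe"))
    print("events involving port 1235:", [e.seq for e in filter_events(evs, address="1235")])
```

Failed CONNECT events are excluded from remote_endpoints on purpose: an ERROR status means no connection was established, so the remote address tells you what the process attempted, not what it reached. Keep both views in mind when reviewing a capture, since a process that repeatedly fails to connect is as worth a look as one that succeeds.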
6.2 Controlling Updates
You can control the dynamic view in several ways. First, you can limit the depth of the display, or the number of records it retains, by setting the history depth with the Configure|History Depth menu entry.
You can stop the dynamic view from capturing activity by raising the Capture button on the toolbar or in the Options menu. To clear the dynamic display, press the Clear toolbar button or select the Edit|Clear All menu item.
By default, the dynamic view scrolls so that it always shows the most recent event. To disable auto-scrolling, raise the Autoscroll toolbar button, or de-select the Options|Autoscroll menu item.
6.3 Sorting
You can sort the static view by any column by clicking on the column header. To reverse the order of a column sort, click on the column a second time.
7 DNS Name Resolution
By default TCPView Professional does not resolve IP addresses to their names or port numbers to their descriptive text. For example, if www.winternals.com has the IP address 10.0.0.1, TCPView Professional will show the numeric representation. Well-defined port numbers have descriptive names; for instance, port 80 is the http port. TCPView Professional has an internal table for translating many port numbers to their names.
Select the Resolve Addresses toolbar button or the Options|Resolve Addresses menu entry to toggle name resolution. When name resolution is enabled TCPView Professional performs IP address name lookup operations in the background, updating the static and dynamic views as translations complete. In many cases IP addresses do not have corresponding names, and so are always shown numerically. If a name lookup fails for some reason, TCPView Professional re-attempts the lookup ten seconds later if the address is referenced by new entries in the static or dynamic views, or if you toggle name resolution off and then on again.
Tip: You can quickly see what IP address corresponds to the name shown in an entry, or vice versa, by selecting the entry and then toggling name resolution with the Ctrl+R hotkey sequence.
8 Filtering and Highlighting
TCPView Professional offers several powerful filtering options so that you can narrow the output down to what interests you. You can access the filtering dialog using the Filter toolbar button or the Configure|Filter/Highlight menu entry.
The dialog presents three tabs:
• Filter
• Dynamic Filters
• Highlight