CurrPorts, See Which Apps Connect To The Internet
One of the very first posts here at Ghacks was a basic review of CurrPorts. That was in 2005 and a lot has changed since then. Nir Sofer has constantly updated the application, which is now offered as a portable 32-bit and 64-bit program for the Windows operating system.
CurrPorts lists the Internet (TCP/IP) connections and open ports of all applications and services on the system. The program refreshes the data in 2-second intervals by default, which you may change in the program options.
You can analyze the data in the CurrPorts interface directly, or export it for analysis in third-party programs like Excel or a plain text editor.
CurrPorts helps users and administrators in several scenarios. Admins may use it to harden a system by closing open listening ports or blocking applications or services from connecting to a network or the Internet.
It reveals if programs connect to the Internet on their own, if malicious software is active on the system, or if processes transfer data to servers without user activity.
The program displays the information right after startup, making it one of the easiest-to-use programs in this app category.
Tip: Start CurrPorts with elevated privileges to display all information. Some columns, like sent and received bytes, aren't listed if CurrPorts is launched in the user context.
CurrPorts lists process names in the first column and sorts the table in alpha-numerical order. Processes list software programs started by the user, Windows processes and services, and programs that start automatically.
Programs are the easiest to identify, as the process name usually matches at least part of the program name. Firefox.exe or chrome.exe directly reveal the two browsers Firefox and Chrome.
CurrPorts displays lots of information about each connection or open port: the protocol, local and remote ports and IP addresses, process creation date, the username under which the process was started, the window title, sent and received bytes, and more.
The remote address and host name columns display information about remote computer systems. You may use the information to determine which processes connect to remote resources, and may use sent and received bytes or packets listings for that as well.
It is a good precaution to fire up CurrPorts regularly and check the open connections of the computer system, to ensure that no connections with (possibly) malicious intent are open.
Tip: you can integrate NirSoft's IPNetInfo program to look up IP WHOIS information and get additional information about connections without leaving CurrPorts.
In addition to that, CurrPorts lists all listening ports that are open on the system. Those are usually opened by Windows services, and should only be open if they are needed on the computer.
You may want to disable all services on the system that open ports on the device if the service in question is not required for the operating system to function properly or provide functionality to the user.
The best option is to research the local port name in combination with the operating system to find out which service is responsible for the open port.
The service description then reveals if the service is needed on the system or not. A Windows 7 PC without homegroup or local network connections may not need the Function Discovery Resource Publication and SSDP Discovery services, as those are only used to publish information about the computer, and discover other computers in the network.
It may take a while to go through all the open ports and connections, and find out about them to determine whether they may be closed.
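One way to speed up the port-to-service research described above, as an added example that is not part of CurrPorts or the original article: the PowerShell script below lists every listening TCP port and bound UDP endpoint with its owning process and the services hosted in that process. It assumes Windows 8 / Server 2012 or later (the NetTCPIP cmdlets are not available on Windows 7) and an elevated prompt.

```powershell
# Added example (not from the article or NirSoft): map every listening TCP port
# and bound UDP endpoint to its owning process and the services in that process.
# Run elevated so that system processes are resolved.

# Running services grouped by host process ID (one svchost.exe can host several).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
        $servicesByPid[$id] += "$($_.Name) [$($_.DisplayName)]"
    }

# Process names by process ID.
$processById = @{}
Get-Process | ForEach-Object { $processById[[int]$_.Id] = $_.ProcessName }

# Collect TCP listeners and UDP endpoints into one list with a Protocol column.
$listeners = @(
    Get-NetTCPConnection -State Listen |
        Select-Object @{ Name = 'Protocol'; Expression = { 'TCP' } },
                      LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint |
        Select-Object @{ Name = 'Protocol'; Expression = { 'UDP' } },
                      LocalAddress, LocalPort, OwningProcess
)

# Sockets bound only to these addresses accept local connections only.
$loopback = '127.0.0.1', '::1'

$listeners |
    Sort-Object Protocol, LocalPort, LocalAddress |
    ForEach-Object {
        $procId = [int]$_.OwningProcess
        [pscustomobject]@{
            Protocol     = $_.Protocol
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $procId
            Process      = $processById[$procId]
            # True when the socket is bound to a non-loopback address.
            NonLoopback  = $loopback -notcontains $_.LocalAddress
            # Empty when the process hosts no Windows service.
            Services     = ($servicesByPid[$procId] -join '; ')
        }
    } |
    Format-Table -AutoSize -Wrap
```

Rows with NonLoopback set to True and a service name in the Services column are the ones to check against the service description before deciding whether the service is needed.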
CurrPorts, as tiny as it is, supports lots of features on top of that. You may use the built-in search or filters to display specific processes only. Filters allow you to display one or multiple processes, ports, or other data by filtering out the rest; useful if you need to analyze the activity of a process, port, local or remote address, or other data points.
Filters are very powerful as you may write them directly. Here are some examples:
- include:remote:tcp:80 -- Display only packets with remote TCP port 80
- include:remote:udp:53 -- Display packets with UDP port 53.
- include:process:chrome.exe -- Display only Chrome processes.
- include:remote:tcpudp:192.168.0.1-192.168.0.100 -- Display only packets that originate from the selected IP range.
You can hide some columns to improve the display of data; right-click on a column header and select choose columns from the menu to get a list of columns.
You may use the program to terminate selected connections or processes using the right-click menu or keyboard shortcuts; handy if you need to fight malware that runs on the system or want to cut connections quickly.
CurrPorts comes with notification options to highlight new open ports to the user; another useful feature but only if you run the program constantly.
Users may enable logging of changes in the program, and export the data that CurrPorts collected to various formats.
CurrPorts can be run from the command line or from within batch files. The full list of available commands is listed on the NirSoft website; here are some examples:
- cports.exe /close * * 192.168.1.10 80 -- Close all connections with remote port 80 and remote address 192.168.1.10
- cports.exe /filter "include:chrome.exe" /shtml "c:\logs\chromeports.html" -- Save all opened TCP/IP ports of Google Chrome as an HTML file.
The main advantage of CurrPorts over comparable solutions, including the netstat command line tool, is the ease of access, and the exporting capabilities. Newer versions of the program can even close one or more connections over the command line.
CurrPorts is one of those small tools that makes the life of a system administrator, computer technician or end user so much easier. The program can be downloaded from the NirSoft website.