TCPView

Real-Time Network Connection Guardian

Essential Tool | Beginner Friendly

Monitors TCP and UDP endpoints in real time, showing the owning process (name and PID) for each endpoint. Essential for detecting unauthorized network activity and command and control (C2) communications.

Network Monitoring Features

Real-time Tracking

  • Live TCP/UDP endpoint monitoring
  • Process identification for connections
  • Color-coded connection states
  • Address resolution capabilities

Security Features

  • Connection termination controls
  • Suspicious activity highlighting
  • Command-line version available
  • Export capabilities for analysis

Practical Usage Examples

Basic Commands

# Launch the TCPView GUI
tcpview.exe
# Command-line version: list all endpoints
tcpvcon.exe -a
# Show only established connections (-n skips address resolution)
tcpvcon.exe -a -n | findstr ESTABLISHED

Threat Detection Workflow

1. Launch TCPView as Administrator
2. Enable Options → Resolve Addresses
3. Monitor for new connections (highlighted in green)
4. Investigate unknown external IPs
5. Check process names for legitimacy
6. Right-click suspicious connections → End Process
7. Document findings for incident response

Cybersecurity Red Flags

Unknown External IPs

Connections to unexpected countries or suspicious IP addresses

Examples: Tor exit nodes, known C2 servers, recently registered domains

Suspicious Ports

Use of non-standard ports or unusual port combinations

Watch for: Ports 1337, 31337, 4444, 5555 and other hacker favorites

Unusual Processes

System processes making external connections unexpectedly

Red Flags: svchost.exe, winlogon.exe, or csrss.exe with external connections

C2 Communications

Regular, beacon-like connections to the same IP address

Pattern: Connections every 30-60 seconds to the same external host
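The commands above and the red flags listed in this section can be turned into a repeatable triage script. The following Python is an added example, not part of TCPView or Tcpvcon: it assumes the older Tcpvcon CSV layout (`tcpvcon.exe -a -c -n`, one line per endpoint as protocol,process,pid,state,local,remote), and the snapshot lines and timestamps below are constructed for the example. It flags the three patterns from this page: system processes with external connections, the listed suspicious ports, and beacon-like connections to the same host every 30-60 seconds.

```python
"""Triage tcpvcon-style CSV snapshots for the red flags described on the page.

Added example code; assumes the old Tcpvcon -c layout:
    protocol,process,pid,state,local_addr:port,remote_addr:port
Sample lines are constructed, not captured from a real host.
"""
import csv
import ipaddress
from collections import defaultdict
from statistics import median

# Ports the page lists as attacker favourites
SUSPICIOUS_PORTS = {1337, 31337, 4444, 5555}
# System processes that should not normally talk to external hosts
SYSTEM_PROCESSES = {"svchost.exe", "winlogon.exe", "csrss.exe"}
# Beacon interval window from the page's C2 pattern (seconds)
BEACON_MIN, BEACON_MAX = 30, 60

# Ranges treated as internal; everything else counts as an external host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def split_endpoint(endpoint):
    """Split 'host:port', '[v6]:port' or '*:*' into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    """True for hosts outside INTERNAL_NETS; unresolved names are assumed external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host not in ("*", "")
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one CSV line into a record (assumed six-field Tcpvcon layout)."""
    proto, proc, pid, state, local, remote = [f.strip() for f in next(csv.reader([line]))]
    l_host, l_port = split_endpoint(local)
    r_host, r_port = split_endpoint(remote)
    return {"proto": proto, "process": proc, "pid": int(pid), "state": state,
            "local_host": l_host, "local_port": l_port,
            "remote_host": r_host, "remote_port": r_port}


def triage(line):
    """Return the red flags raised by a single endpoint line, in a fixed order."""
    rec = parse_line(line)
    flags = []
    if (rec["state"] != "LISTENING" and rec["process"].lower() in SYSTEM_PROCESSES
            and is_external(rec["remote_host"])):
        flags.append("system-process-external")
    if rec["remote_port"] in SUSPICIOUS_PORTS or rec["local_port"] in SUSPICIOUS_PORTS:
        flags.append("suspicious-port")
    return flags


def detect_beacons(events, min_gap=BEACON_MIN, max_gap=BEACON_MAX, min_hits=4):
    """events: (seconds, csv_line) pairs for connections first seen at that time.

    Returns {(process, remote_host): median_gap} for external hosts contacted
    at least min_hits times with every gap inside [min_gap, max_gap].
    """
    seen = defaultdict(list)
    for t, line in events:
        rec = parse_line(line)
        if rec["state"] == "LISTENING" or not is_external(rec["remote_host"]):
            continue
        seen[(rec["process"], rec["remote_host"])].append(t)
    beacons = {}
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(min_gap <= g <= max_gap for g in gaps):
            beacons[key] = median(gaps)
    return beacons


# Constructed timeline: time a new connection appeared, plus its CSV line.
SAMPLE_EVENTS = [
    (0, "TCP,updater.exe,2212,ESTABLISHED,10.0.0.5:49701,203.0.113.7:443"),
    (45, "TCP,updater.exe,2212,ESTABLISHED,10.0.0.5:49702,203.0.113.7:443"),
    (90, "TCP,updater.exe,2212,ESTABLISHED,10.0.0.5:49703,203.0.113.7:443"),
    (135, "TCP,updater.exe,2212,ESTABLISHED,10.0.0.5:49704,203.0.113.7:443"),
    (180, "TCP,updater.exe,2212,ESTABLISHED,10.0.0.5:49705,203.0.113.7:443"),
    (0, "TCP,chrome.exe,4000,ESTABLISHED,10.0.0.5:50000,198.51.100.10:443"),
    (5, "TCP,chrome.exe,4000,ESTABLISHED,10.0.0.5:50001,198.51.100.10:443"),
    (300, "TCP,chrome.exe,4000,ESTABLISHED,10.0.0.5:50002,198.51.100.10:443"),
    (12, "TCP,svchost.exe,812,LISTENING,0.0.0.0:135,0.0.0.0:0"),
    (20, "TCP,svchost.exe,812,ESTABLISHED,10.0.0.5:49810,203.0.113.9:4444"),
]

if __name__ == "__main__":
    for t, line in SAMPLE_EVENTS:
        if flags := triage(line):
            print(f"t={t:>4}s  {line}  ->  {', '.join(flags)}")
    for (proc, host), gap in detect_beacons(SAMPLE_EVENTS).items():
        print(f"beacon: {proc} -> {host} every ~{gap:.0f}s")
```

In practice the event list is built by running `tcpvcon.exe -a -c -n` on a schedule and recording the time each not-yet-seen endpoint first appears; the browser traffic in the sample shows why the beacon check requires every gap to fall in the window rather than just the average, since bursty legitimate traffic averages out to a similar rate.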

Quick Info

GUI File: tcpview.exe
CLI File: tcpvcon.exe
Size: ~300 KB
Requires Admin: Recommended
Real-time: Yes

Pro Tips

  • 💡 Enable address resolution for better context
  • 💡 Green = new, Red = closed connections
  • 💡 Use command-line version for scripting
  • 💡 Monitor during malware execution
  • 💡 Document baseline normal connections