• TCPView: identify and close open connections on your Windows machine

    Where is your machine connecting to? Are all the connections legitimate? Is somebody connecting to your machine? It’s very important to know about the open TCP and UDP connections, as some of them can be a clear indication that a Trojan is using your connection or that somebody is trying to access your system.

    Microsoft Windows ships with the command line utility Netstat, which is commonly used to list all the connections open on a machine and troubleshoot them. However, its output is an old-style, text-only list of connections, so it can be hard to use or to understand clearly. That’s why the Sysinternals team at Microsoft created TCPView: a free program that shows a detailed listing of all TCP and UDP endpoints, exactly as Netstat does, but in a clear and easy-to-read graphical interface.

    All local and remote address endpoints and the state of each TCP connection are displayed.

     You can download the latest version from http://technet.microsoft.com/en-us/sysinternals/bb897437

    Starting from Windows XP (and on through Vista, 7 and Server 2008), TCPView also reports the name of the process that owns the connection.

    When you start TCPView it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain names. You can use a toolbar button or the Options -> Resolve Addresses menu item to toggle the display of resolved names. On Windows XP and later, TCPView shows the name of the process that owns each endpoint.

    As explained in the brief instructions that come with the application, TCPView updates every second, but you can use the Options -> Refresh Rate menu item to choose a different interval (1, 2 or 5 seconds, or paused).

    Endpoints that change state from one update to the next are highlighted in yellow and those that are deleted are shown in red. New endpoints are shown in green.

    TCPView offers two interesting functions out of the box:

    1. Kill processes
    2. Close connections

    This means that if you identify a strange process connecting to something strange, you can close the connection and monitor the process to see whether it keeps reopening the connection, until you decide that it is time to kill the process.

    Sometimes it’s good to close a connection not because a virus or Trojan opened it, but because an application can go into a “Not Responding” state while it waits for incoming data from a network source that is unreliable or is taking too long to answer. If you just close the connection, there is a good chance that the process will return to a “Responding” state, and you will not lose data as you would have if you had killed the process instead.

    When you right-click a process or connection, you’ll see a small menu that gives you the option to Kill the process or Close the connection.

    Another option you may appreciate in the context menu is “Whois”. If you want more information on the remote server, choose this option and TCPView will look up the Whois information on the Internet.

    Please note that I’ve noticed that if you are using a Proxy Server or VPN connection, the Whois option is not available. In this case, you’ll have to do the Whois manually, then…

    For troubleshooting purposes you should consider enabling the option “Show Unconnected Endpoints” under the Options menu (or by pressing Ctrl+U). With this option enabled you will see not only the existing connections but also which ports are open (listening) on your system. You may discover that something is keeping a strange port open…

    You can also save TCPView’s output window to a file using the “Save” icon. The output is a standard TXT file.

    TCPView includes Tcpvcon, a command-line version with the same functionality (basically a clearer-to-read Netstat with fewer options).

    Tcpvcon usage is similar to that of the built-in Windows netstat utility:

    Usage: tcpvcon [-a] [-c] [-n] [process name or PID]

    -a       Show all endpoints (default is to show established TCP connections)
    -c       Print output as CSV
    -n       Don't resolve addresses
    process  Only show endpoints owned by the specified process

    With Tcpvcon you cannot kill any process; you can only see the open ports and connections. But its default output is clearer than netstat’s. I would recommend saving the output to a text file so you can review it easily. You can do so by running Tcpvcon from a command prompt (DOS box) with this syntax:  tcpvcon > filename.txt

    A file called “filename.txt” will be created and the connection info will be available for a later check.
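    As an added example (not from the original post and not part of Sysinternals’ tools), here is a small Python script that compares two saved Tcpvcon listings the way TCPView’s green/red highlighting does, reporting endpoints that appeared or disappeared between a baseline and a later check. The CSV column layout and the sample rows are constructed assumptions; adjust FIELDS if your Tcpvcon version prints the columns differently.

```python
import csv
from io import StringIO

# Constructed sample of "tcpvcon -a -c -n" output saved on two different days.
# The column order (proto, process, pid, state, local, remote) is an assumption
# about Tcpvcon's CSV layout; adjust FIELDS if your version prints differently.
BASELINE = """\
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,svchost.exe,980,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,outlook.exe,3120,ESTABLISHED,192.0.2.10:49201,198.51.100.5:443
UDP,svchost.exe,1204,,0.0.0.0:5353,*:*
"""
CURRENT = """\
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,svchost.exe,980,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,outlook.exe,3120,ESTABLISHED,192.0.2.10:49202,198.51.100.5:443
TCP,updater.exe,4410,LISTENING,0.0.0.0:31337,0.0.0.0:0
TCP,updater.exe,4410,ESTABLISHED,192.0.2.10:49300,203.0.113.77:6667
UDP,svchost.exe,1204,,0.0.0.0:5353,*:*
"""
FIELDS = ("proto", "process", "pid", "state", "local", "remote")


def parse_tcpvcon(text):
    """One dict per endpoint row; lines with the wrong column count are skipped."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) == len(FIELDS):
            rows.append(dict(zip(FIELDS, rec)))
    return rows


def endpoint_key(row):
    # Ephemeral client ports (49201 vs 49202 above) and PIDs change between
    # snapshots, so compare listeners by local port and outbound connections
    # by the remote peer they talk to.
    if row["state"] == "LISTENING" or row["proto"] == "UDP":
        return (row["proto"], row["process"], "listen", row["local"].rsplit(":", 1)[-1])
    return (row["proto"], row["process"], "out", row["remote"])


def diff_snapshots(baseline_text, current_text):
    """Return (new, gone): the endpoints TCPView would paint green and red."""
    base = {endpoint_key(r): r for r in parse_tcpvcon(baseline_text)}
    cur = {endpoint_key(r): r for r in parse_tcpvcon(current_text)}
    new = [cur[k] for k in cur if k not in base]
    gone = [base[k] for k in base if k not in cur]
    return new, gone
```

    To use it on real data, save two listings with tcpvcon -a -c -n > filename.txt and read them into BASELINE and CURRENT; every row in new is a listener or outbound peer that was not present in your baseline and deserves a look.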

  • Tutorial: troubleshoot and improve Boot Time in Ubuntu Linux with Bootchart

    When you install a fresh copy of any operating system, the boot phase is generally fast, mostly because there is no software installed apart from what the OS installation itself provides. But once you start using your computer you will install other software, start playing with and tweaking the OS, and you will see longer boot times.

    How do you know if there is anything wrong with your boot time?

    The first thing to understand is that if you’ve installed any program that does something at startup time, you will have to accept longer boot times, no matter what; but sometimes it is just a badly written piece of software, or an update, that makes you notice that something is wrong.

    To understand whether your system has an issue or not, you will probably need help. And Ubuntu can help you out very well by installing the application Bootchart.

    Open the Ubuntu Software Center or the Synaptic Package Manager and search for “bootchart” (or just type sudo apt-get install bootchart in a terminal window) to install this very useful piece of software. Obviously you will have to reboot your machine so that the logs can be captured.

    Bootchart is a utility that collects all the relevant logs while the machine is booting and renders them as a Gantt chart. It has been developed in Java and is basically a script that reads all the information gathered by the bootchartd (boot logger) daemon, which is launched by the kernel.

    The result is an image with boot time on the horizontal axis and the various processes started during boot on the vertical axis. Note that you will be able to see dependencies (whether a process launched another one) and different colors indicating CPU and disk usage.

    Here is an example boot chart image:

    [Image: Test Bootchart Image]

    The captured logs and the generated images are saved by default under /var/log/bootchart/

    A good thing to do is to take a snapshot of your system right after it has been installed, and then take snapshots on a regular basis to see whether boot time has increased and which processes caused it. Another good reason to check your boot time is before adding new hardware or making an important change to your system. With a snapshot from before and after the change you will easily be able to identify any problem and its root cause.

    On the Ubuntu Wiki you can see other users’ boot charts, which can be interesting to compare with yours, and you can even upload your own.

    It’s important to remember that once you’ve done your tests, it is recommended to remove Bootchart from your system, otherwise:

    1. Your /var/log/bootchart/ folder will fill up with boot charts at every boot.
    2. Your boot will be slightly slower, as it has to collect the logs and compile the graph.

    You can obviously remove it from the Software Center or Synaptic, or by running sudo apt-get remove bootchart from a terminal. Please remember to save any logs you may need and leave the folder /var/log/bootchart clean and tidy!