In addition, the tool comes with a command line version (Tcpvcon) and coexists well with netstat, the veteran built into Windows, and with other system monitoring tools. By combining them, you can go from live view to automation in seconds and, if necessary, complete the investigation with packet captures or scans.
What is TCPView and why is it so useful?
TCPView is a free utility from Microsoft Sysinternals for Windows that displays, in real time, all TCP and UDP connection points on the system, with their local and remote addresses, ports, and status (e.g., ESTABLISHED, TIME_WAIT). Its graphical interface makes it very easy to identify at a glance which process owns each socket and, where applicable, the name of the associated service.
Unlike a simple console dump, the view is refreshed automatically, every second by default, and you can change that cadence from the options menu if you need more clarity or granularity. It also uses a color scheme to highlight changes between updates: new connections in green, modifications in yellow, and closures in red, which speeds up reading when things get busy.
An important plus is that TCPView lets you act directly on what you see: you can close TCP connections in the ESTABLISHED state from the menu or with a right-click. This is a quick way to cut off unwanted communications while you finish validating security policies.
Download, execution and compatibility

The official download of TCPView is available on Microsoft Sysinternals, and the tool is portable, so it doesn't require installation. The package also includes Tcpvcon, a command-line version with equivalent functionality. The binary is currently around 1.5 MB in size; although it was much smaller in older versions, the concept remains that of a minimal, ready-to-run utility.
If you prefer not to download anything, you can run it directly through Sysinternals Live, ideal when you're in a hurry or working on a computer where you don't want to leave any installer traces. In terms of compatibility, it covers modern scenarios: Windows 8.1 or later on the client and Windows Server 2012 or later on the server.
As a note on provenance, the project is led by Mark Russinovich and its documentation has been updated recently (April 2023), which gives some assurance about maintenance and support from the Sysinternals team.
Interface and Workflow: How to Read the Information
When you open the utility, you will see a list of all active TCP and UDP endpoints. You can toggle whether IP addresses are resolved to domain names using a toolbar button or from the menu. Resolution helps when you need readability; revert to numeric IPs when you want forensic accuracy or need to avoid DNS latency.
The main table shows columns for process, protocol, addresses and ports, and state. Sorting by process or port lets you detect patterns quickly. For example, if a binary opens dozens of outgoing connections to port 25 or 587, it usually points to spam.
Regarding the refresh rate, the default is 1 second, adjustable in Options. The color-coded highlighting helps you spot unstable activity: if you see a lot of green and red flashing, you could be facing aggressive reconnections, scans, or misconfigured services that aren't stabilizing their sessions.
Useful actions: closing sockets and saving evidence
One of the most practical functions is that you can close TCP connections in the ESTABLISHED state directly from the interface. Select one or more rows and use the File menu or right-click. This is a temporary shutdown (the application can reopen the socket), but it buys you time while you adjust firewall rules or stop a process.
Furthermore, you can save the output to a file from the menu. This dump is invaluable when you need to document an incident, correlate it with firewall, IDS, or EDR logs, and share findings with your team. If you're working with a SIEM, consider generating snapshots at different intervals to see the progression.
Permissions and good practices when running
For a complete view, running TCPView with elevated privileges is highly recommended. With administrator permissions, you'll see system processes and services that might otherwise be left out. Also, remember to disable name resolution when you want to avoid DNS delays or prevent confusion in environments with internal reverse resolution.
An operational tip: combine filters, sorting, and pauses when you need to study a specific set. Pausing the refresh for a moment lets you calmly review a pattern, copy information, or cross-reference PIDs with Task Manager or your EDR.
Tcpvcon: the console version for automation
Tcpvcon, a command-line utility supplied alongside the main executable with the same observability logic, is ideal for scripts, remote execution, scheduled jobs, or when you're working on servers without a graphical interface.
Basic use from Tcpvcon:
tcpvcon
Most common parameters:
| Parameter | Function |
|---|---|
| -a | Show all connection points; if you don't use it, you'll mainly see established TCP connections. |
| -c | Print the output in CSV format, perfect for opening in Excel or ingesting into a SIEM. |
| -n | Does not resolve addresses, prints numeric IPs and ports. |
For example, if you suspect a specific process, you can list its activity without resolving names by running something like:
tcpvcon -a -n 784
With this combination, you'll see the active connections associated with the PID you're interested in and can correlate them with executable paths, signatures, or process reputation in your tools.
Netstat: When it still makes sense and how to compare it
Netstat is the classic that is always there in Windows. It is still useful for inspecting TCP/UDP connections, listening ports, and states, especially if you're working on servers without a GUI or need something immediate in the console.
Reference commands:
netstat # lists connections and ports with names
netstat -n # shows IPs and ports in numeric format
netstat -a # all connections and listening ports
netstat -b # shows the associated executable (requires admin)
The -b switch is especially interesting for seeing which binary is behind a connection, but it requires opening the console with administrator privileges. Without elevation, some process information may not be available. If you need live monitoring with colors, visual filters, and direct action, TCPView will often save you time; if you need console scripting, netstat or Tcpvcon are safe bets.
Real-life audit scenarios with TCPView
A typical case in SMEs: the operator blocks port 25 due to outgoing spam detection. Instead of scanning dozens of computers with antimalware for hours, you launch TCPView on each PC (a one-minute task) and locate the culprit in seconds by viewing multiple simultaneous SMTP connections.
On a machine compromised by a mass-mailing Trojan, you will see constant connections to ports 25 or 587 across many destinations. Compared to a clean machine, where such activity is conspicuously absent, the contrast helps you quickly isolate the affected machine and prioritize its cleaning or reinstallation.
Another scenario: a poor port forwarding configuration on the firewall that leaves a server too exposed. The view may show fleeting connections from unknown remote IP addresses with low data volumes. This could be simple internet noise, scans, or failed attempts, but it's a good idea to review it and close the unnecessary exposure.
In Windows domains it is common to see PID 4 (System) communicating with domain controllers. It's not inherently malicious: the system and kernel services themselves establish legitimate connections. The key is to correlate times, ports, and protocols with the server's role, verifying that everything matches the deployed roles.
If you have an IDS or IPS, its alerts will give you additional context. For example, an alert related to HNAP on Linksys routers associated with campaigns like TheMoon indicates perimeter scans for vulnerabilities. It doesn't imply a compromise of your Windows host, but it suggests reviewing the exposure and tightening rules.
Good practices during research
In the event of suspicious activity, freeze evidence by saving TCPView output and collecting firewall, IDS, or EDR logs. With the material in hand, you'll be able to reconstruct what happened and justify corrective actions.
Go through a basic checklist: check open services with netstat or Tcpvcon and compare them with the expected state, review NAT and port forwarding rules and close unnecessary items, and examine suspicious processes and executable signatures by checking paths and publishers.
If you need to act immediately, cut connections from TCPView to stop exfiltration or spam while you fine-tune the firewall. Remember that this is only a temporary measure: the process will keep reconnecting if it's still active and has permissions.
Practical tips with TCPView
When precision and speed are paramount, disable name resolution to avoid DNS latency and work with pure IP addresses. In internal DNS environments, names provide context, but in forensic analysis, numeric addresses reduce ambiguity.
Column sorting is your friend: sorting by port helps you view service families in bulk, while sorting by process groups activity from the same binary, useful for detecting anomalous behavior in applications that should not open external sockets.
Pay attention to the color code over time: lots of green and red flashing may indicate reconnections or scans. If it coincides with spikes in the firewall or IDS, you'll have a clear thread to pull.
When to save and how to share results
In specific audits and incidents, saving the output window from the menu is key to sharing the finding with the team or attaching it to a report. If you want comparable series, capture multiple snapshots spaced minutes apart to see trends.
For quantitative analysis, consider using Tcpvcon with the -c switch and scheduling periodic executions that write CSV output. This format is ideal for Excel, PowerShell scripts, or integration with your SIEM.
Complementary tools for a complete audit
TCPView and Tcpvcon cover the "who" and "what is happening now" at the process level very well. To expand your field of vision, rely on reference network utilities and essential security software to help you confirm findings and strengthen controls.
TCPDump and WinDump: console packet capture tools that let you dump packets and see what's actually flowing through the network. On Windows, you need WinPcap or Npcap. If you need to install them, Winget makes it easy to manage them.
Nmap: port scanner and service auditor. It sends predefined packets to IP ranges to discover hosts, open ports, and services, and can even profile the operating system. This is essential for validating the actual exposure surface.
Wireshark: protocol analyzer with a graphical interface that decapsulates traffic and allows detailed inspection of TCP/UDP conversations. Useful for diagnosing subtle communication problems or studying specific protocols.
Aircrack-ng: wireless networking suite focused on evaluating the strength of WEP/WPA/WPA2 keys and analyzing Wi-Fi traffic. It's useful for reviewing corporate network security and password policies.
Kali Linux: penetration testing-oriented distribution that brings together dozens of tools, including several of the above. It can be run live from a USB drive or installed, with graphical interfaces for many utilities.
Compatibility, support and maintenance
To recap requirements: it works on Windows 8.1 or higher on the client and Windows Server 2012 or higher on the server, covering the vast majority of current deployments. The ability to run from Sysinternals Live makes it easy to use on managed computers with strict policies.
The fact that the tool comes from the Sysinternals ecosystem, with Mark Russinovich behind it, provides confidence. Documentation updates ensure continuity and adaptation to platform changes.
Examples and useful combinations
For rapid triage: open TCPView, disable name resolution, and sort by port to detect noisy services. If you see massive activity on outgoing mail ports, narrow down the process and close sockets while you investigate.
To automate inventory: run Tcpvcon -a -c from a scheduler and dump the output to CSV. Process the output with PowerShell to generate alerts when out-of-catalog ports or destinations appear.
To validate exposure: combine an external Nmap scan with the internal TCPView view. If Nmap sees an open port and TCPView doesn't show a process listening, check for NAT, firewall rules, or intermediate devices that might be responding.
For in-depth analysis: correlate unusual connections with captures in Wireshark or WinDump. A few minutes of packets often clear up any doubts about strange protocols and behavior.
TCPView shines in the right balance between instant visibility and immediate action. Its console partner, Tcpvcon, opens the door to scripting and periodic logging, while netstat still delivers when you need something integrated and minimalist.
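The PowerShell processing step described here, and the CSV snapshots from the "When to save" section, as an added example (not code from the original article or from Sysinternals): it takes a Tcpvcon -c dump, flags active TCP sessions to remote ports outside a catalog, and flags a single non-mail process holding several SMTP sessions, the mass-mailer pattern from the audit scenarios. The CSV column order, the catalog of allowed ports, and the sample snapshot are assumptions constructed for the example; check the header list against a real dump before using it.

```powershell
# Added example: triage a Tcpvcon CSV snapshot. Column order is an ASSUMPTION
# (Protocol,Process,PID,State,Local,Remote); verify it against a real `tcpvcon -a -n -c` dump.
# Live use: $csv = tcpvcon -accepteula -a -n -c | Where-Object { $_ -match '^(TCP|UDP),' }

# Constructed sample snapshot (RFC 5737 documentation addresses, invented PIDs)
$csv = @'
TCP,svchost.exe,1032,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,ESTABLISHED,10.0.0.15:49712,10.0.0.2:445
TCP,mailer.exe,784,ESTABLISHED,10.0.0.15:50001,203.0.113.10:25
TCP,mailer.exe,784,ESTABLISHED,10.0.0.15:50002,203.0.113.11:25
TCP,mailer.exe,784,SYN_SENT,10.0.0.15:50003,198.51.100.7:587
TCP,chrome.exe,5120,ESTABLISHED,10.0.0.15:50100,198.51.100.20:443
UDP,svchost.exe,1180,,0.0.0.0:5353,*:*
'@

$CatalogPorts  = 53, 80, 88, 135, 389, 443, 445   # remote ports this host is expected to use (assumed catalog)
$SmtpPorts     = 25, 587
$MailProcesses = @('outlook.exe')                 # processes allowed to talk SMTP (assumed)

function Get-RemotePort([string]$Endpoint) {
    # "203.0.113.10:25" -> 25 ; "*:*" -> 0 (no parsable port)
    $port = 0
    [void][int]::TryParse($Endpoint.Substring($Endpoint.LastIndexOf(':') + 1), [ref]$port)
    return $port
}

function Get-TcpvconFindings([string]$CsvText) {
    # Keep only live outbound TCP sessions; listeners and UDP are out of scope for these two checks
    $rows = $CsvText | ConvertFrom-Csv -Header Protocol,Process,PID,State,Local,Remote |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.State -in 'ESTABLISHED','SYN_SENT' }

    # 1) Any active session to a remote port outside the catalog
    foreach ($r in $rows) {
        $port = Get-RemotePort $r.Remote
        if ($port -notin $CatalogPorts) {
            [pscustomobject]@{ Process=$r.Process; PID=$r.PID; Remote=$r.Remote; Reason="remote port $port not in catalog" }
        }
    }
    # 2) Mass-mailer pattern: one non-mail process with several SMTP sessions in a single snapshot
    $rows | Where-Object { (Get-RemotePort $_.Remote) -in $SmtpPorts -and $_.Process -notin $MailProcesses } |
        Group-Object Process, PID | Where-Object Count -ge 2 | ForEach-Object {
            [pscustomobject]@{ Process=$_.Group[0].Process; PID=$_.Group[0].PID; Remote='(several)'; Reason="$($_.Count) SMTP sessions from one process" }
        }
}

Get-TcpvconFindings $csv | Format-Table -AutoSize
```

On the sample snapshot, the three mailer.exe sessions are each flagged for a non-catalog port and once more as a group of three SMTP sessions, while the System and chrome.exe rows pass silently.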