lsof -Pni
Occasionally I’ll run across boxes that have been rootkitted and had the netstat binary replaced. The replacement binary returns the same canned output every time and is designed to hide many of the active connections to the box, even your own SSH session! Luckily, many rootkits seem to neglect to replace lsof, so you can use the above snippet to review all LISTEN and ESTABLISHED connections to the box.
Downside: you need root access to run the command.
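As an added example (not from the original post), this Python script cross-checks what lsof -Pni reports against the kernel’s own socket table in /proc/net/tcp, so a replaced netstat or lsof shows up through the sockets it leaves out. It assumes Linux and IPv4 sockets only; the embedded /proc and lsof text is constructed sample data.

```python
import re
import socket
import struct
import subprocess

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # state codes used in /proc/net/tcp

def decode_addr(hexaddr):
    """'0100007F:0016' -> '127.0.0.1:22'; the kernel writes the IPv4 word little-endian."""
    host, port = hexaddr.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(host, 16)))}:{int(port, 16)}"

def parse_proc_net_tcp(text):
    """Return {(local, remote, state)} for LISTEN/ESTABLISHED rows of /proc/net/tcp."""
    rows = [ln.split() for ln in text.splitlines()[1:]]  # first row is the column header
    return {(decode_addr(r[1]), decode_addr(r[2]), TCP_STATES[r[3]])
            for r in rows if len(r) > 3 and r[3] in TCP_STATES}

def parse_lsof(text):
    """Pull (local, remote, state) out of `lsof -Pni` NAME columns such as
    '10.0.0.5:22->10.0.0.9:50122 (ESTABLISHED)' or '*:22 (LISTEN)'."""
    found = set()
    for m in re.finditer(r"(\S+)->(\S+) \(ESTABLISHED\)|(\S+) \(LISTEN\)", text):
        if m.group(3):  # a listener: lsof prints '*' where the kernel prints 0.0.0.0
            found.add((m.group(3).replace("*", "0.0.0.0"), "0.0.0.0:0", "LISTEN"))
        else:
            found.add((m.group(1), m.group(2), "ESTABLISHED"))
    return found

def hidden_from_tool(kernel, tool):
    """Sockets the kernel table holds but the userland tool did not report."""
    return kernel - tool

# Constructed sample: a real /proc/net/tcp has more columns, but only the first
# four matter here. The third row is TIME_WAIT (06) and is ignored on purpose.
SAMPLE_PROC = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0500000A:0016 0900000A:C3CA 01 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0100007F:1F90 0100007F:D431 06 00000000:00000000 00:00000000 00000000     0        0 0 3
"""
# Constructed sample of tool output that omits the established SSH session.
SAMPLE_LSOF = """COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    812 root    3u  IPv4  12345      0t0  TCP 127.0.0.1:22 (LISTEN)
"""

if __name__ == "__main__":  # live check on a Linux box; run as root so lsof sees every process
    kernel = parse_proc_net_tcp(open("/proc/net/tcp").read())
    tool = parse_lsof(subprocess.run(["lsof", "-Pni"], capture_output=True, text=True).stdout)
    for entry in sorted(hidden_from_tool(kernel, tool)):
        print("not reported by lsof:", *entry)
```

On a clean box the live output should be empty apart from sockets that opened or closed between the two reads; a persistent entry, especially for your own session, means the userland tool is not telling you the whole story.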
By Bubbagimp February 26, 2008 – 5:29 am
In Vista and XP SP2 you can run “netstat -b” and it will show the process associated with the port. In Vista the tricky part is, it requires an elevated command line window. The easiest way to do this I found is to type “cmd” in the search portion of the start menu and hit ctrl-shift-enter to elevate the process. Click continue to confirm the action. You have to do this even if your account is set to Administrator. Have I mentioned I hate Vista?
My default for Windows machines is usually “netstat -ano” as it also shows the PID associated with the connection.
But yes, on regular Windows XP, Vista, 7 machines you need to ensure you’re running the cmd prompt as an administrative user. I didn’t know about that ctrl+shift+enter shortcut, thanks for that!