pe, ports, tasks and my little brain

[twomile]

Dear Brainy Ones,

First, thanks for any help, in advance, and excuse my ignorance. I’m getting a VERY small idea of what I’m doing, but I’ve still got a LONG LONG way to go …. so many things to learn, so little time! System is XP home SP2.

First an easy one ….. are “sockets” and “ports” identical?

Now to the fun bit ... I got PE up and running OK, that wasn't too hard. Then I re-booted to see what my pc "at rest” looked like, but I noticed some strange things like......

1. PE listed lsass twice as pid 624, once on UDP 500 and once on UDP 4500. So why 2 ports for one process? … I thought one process = one port.

2. But …. when I right clicked onto “What is lsass 624?” it said it had FOUR sockets open, not just the two listed on the screenshot. Why?

3. Svchost appeared 4 times (PID 880 TCP 135 - PID 940 UDP 123 - PID 940 UDP 1029 - PID 1100 UDP 1900)... OK, this is probably not unusual, but same deal as above ......... right clicking on svchost pid 880 TCP 135 it says it had two sockets open, but only one was listed on the screenshot.

4. Tried to get more info on the svchosts by typing tasklist in “run … start” but it doesn’t work .. it can’t find the tasklist file. Maybe because the operating system isn’t in English?

5. Then I noticed Task manager showed not 4 but SIX svchosts running … seems a lot. Why don’t they show on PE (maybe because they aren’t using ports?), and why is one of them 19meg and the others around 3-4 meg?

Hope someone can help me with these (probably dumb) questions. Oh, and I got plenty more where they came from!!!!!

cheers

twomile

[Jooske]

Hi there Twomiles and welcome to the forum!

You probably noticed only the ports with outside internet access are displayed?
svchost can be anything, scanners, other applications, etc.
A socket is shown when using a port, a process can have several sockets open. UDP and TCP. You'll notice lots of times if you have the netstat sockets showing a TCP port has an UDP port of the same numer.
(netstat might show as *system)
Which tasklist file you mean? The file log?
Which language is your system?

If you want to see what is happening on a socket of process you could enable the socket spy and see what data traffic goes there. Don't leave it on very long time as that thing can grow fast with a busy socket or process!

I think you'll find lots of additional info in the helpfile, which gives lots of interesting background info!

[CrazyM]

Hi twomile

... and welcome to Wilders

Quote:

Originally Posted by twomile

1. PE listed lsass twice as pid 624, once on UDP 500 and once on UDP 4500. So why 2 ports for one process? … I thought one process = one port.

one port = one process would probably be more accurate. A port can only have one process bound to it, but a process can use multiple ports.

Quote:

4. Tried to get more info on the svchosts by typing tasklist in “run … start” but it doesn’t work .. it can’t find the tasklist file. Maybe because the operating system isn’t in English?

Did you try tasklist /svc at the commond prompt?
ie. run > cmd > (then in commond promt) > tasklist /svc

Quote:

5. Then I noticed Task manager showed not 4 but SIX svchosts running … seems a lot. Why don’t they show on PE (maybe because they aren’t using ports?), and why is one of them 19meg and the others around 3-4 meg?

It is not unusual to have many instances of svchost, it is sort of a catchall for a number of processes. Running the above tasklist /svc in the command prompt will show what is running under the various instances. If you cannot get that to work you could try something like Process Explorer from Sysinternals which will show you that and alot more.

Regards,

CrazyM

[twomile]

Thanks Jooske, thanks CrazyM !!!!!

Probably you go crazy hearing the same dumb questions again and again but believe me, having some help is REALLY appreciated.

By tasklist I meant .......... c:\tasklist /svc > ........... but this gives me something like the following message (it's Italian, Jooske) ......... "tasklist" is not recognised as an internal or external command, executable programme or batch file.

But anyway I downloaded Process Explorer instead... wow, works really well .... that's a lot of info there... it'll take me a few minutes to learn it

Already I have learned from Process Explorer why one svchost is so big .... it's got about 20 services running from it!

I'm still not clear what the difference between a port and a socket is!!!!! Does "socket" just mean "port being used"? So in general a file can spawn several processes, each process (pid) can have several ports, and ............. each port can have several sockets open ? ? ?
thanks very much for your help

twomile