pe, ports, tasks and my little brain

Discussion in 'Port Explorer' started by twomile, Mar 10, 2006.

Thread Status:
Not open for further replies.
  1. twomile

    twomile Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2
    Dear Brainy Ones,

    First, thanks for any help, in advance, and excuse my ignorance. I’m getting a VERY small idea of what I’m doing, but I’ve still got a LONG LONG way to go …. so many things to learn, so little time! System is XP home SP2.

    First an easy one ….. are “sockets” and “ports” identical?

    Now to the fun bit ... I got PE up and running OK, that wasn't too hard. Then I re-booted to see what my pc "at rest” looked like, but I noticed some strange things like......

    1. PE listed lsass twice as pid 624, once on UDP 500 and once on UDP 4500. So why 2 ports for one process? … I thought one process = one port.

    2. But …. when I right clicked onto “What is lsass 624?” it said it had FOUR sockets open, not just the two listed on the screenshot. Why?

    3. Svchost appeared 4 times (PID 880 TCP 135 - PID 940 UDP 123 - PID 940 UDP 1029 - PID 1100 UDP 1900)... OK, this is probably not unusual, but same deal as above ......... right clicking on svchost pid 880 TCP 135 it says it had two sockets open, but only one was listed on the screenshot.

    4. Tried to get more info on the svchosts by typing tasklist in “run … start” but it doesn’t work .. it can’t find the tasklist file. Maybe because the operating system isn’t in English?

    5. Then I noticed Task manager showed not 4 but SIX svchosts running … seems a lot. Why don’t they show on PE (maybe because they aren’t using ports?), and why is one of them 19meg and the others around 3-4 meg?

    Hope someone can help me with these (probably dumb) questions. Oh, and I got plenty more where they came from!!!!! o_O

    cheers

    twomile
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Twomiles and welcome to the forum!

    You probably noticed only the ports with outside internet access are displayed?
    svchost can be anything, scanners, other applications, etc.
    A socket is shown when using a port, a process can have several sockets open. UDP and TCP. You'll notice lots of times if you have the netstat sockets showing a TCP port has a UDP port of the same number.
    (netstat might show as *system)
    Which tasklist file do you mean? The file log?
    Which language is your system?

    If you want to see what is happening on a socket of a process you could enable the socket spy and see what data traffic goes there. Don't leave it on for a very long time as that thing can grow fast with a busy socket or process!

    I think you'll find lots of additional info in the helpfile, which gives lots of interesting background info!
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi twomile

    ... and welcome to Wilders :)

    one port = one process would probably be more accurate. A port can only have one process bound to it, but a process can use multiple ports.

    Did you try tasklist /svc at the command prompt?
    ie. run > cmd > (then in command prompt) > tasklist /svc

    It is not unusual to have many instances of svchost, it is sort of a catchall for a number of processes. Running the above tasklist /svc in the command prompt will show what is running under the various instances. If you cannot get that to work you could try something like Process Explorer from Sysinternals which will show you that and a lot more.

    Regards,

    CrazyM
     
    Last edited: Mar 11, 2006
  4. twomile

    twomile Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2
    Thanks Jooske, thanks CrazyM !!!!!:)

    Probably you go crazy hearing the same dumb questions again and again o_O but believe me, having some help is REALLY appreciated.

    By tasklist I meant .......... c:\tasklist /svc > ........... but this gives me something like the following message (it's Italian, Jooske) ......... "tasklist" is not recognised as an internal or external command, executable programme or batch file.

    But anyway I downloaded Process Explorer instead... wow, works really well .... that's a lot of info there... it'll take me a few minutes to learn it ;)

    Already I have learned from Process Explorer why one svchost is so big .... it's got about 20 services running from it!

    I'm still not clear what the difference between a port and a socket is!!!!! Does "socket" just mean "port being used"? So in general a file can spawn several processes, each process (pid) can have several ports, and ............. each port can have several sockets open ? ? ?
    thanks very much for your help

    twomile
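
The port-versus-socket question that closes the thread, as an added example that is not part of the original posts: one Python process opens two UDP sockets on two different ports, plus one TCP listener whose accepted connections are extra sockets sharing the listener's local port. The name `socket_inventory`, the loopback address and the OS-assigned port numbers are assumptions made for this demo.

```python
import os
import socket

LOOPBACK = "127.0.0.1"  # assumption: the demo never leaves the local machine


def socket_inventory(n_clients=2):
    """Open several sockets in this one process and describe each of them."""
    opened, rows = [], []

    def record(label, sock):
        opened.append(sock)
        proto = "UDP" if sock.type == socket.SOCK_DGRAM else "TCP"
        try:
            remote = sock.getpeername()
        except OSError:  # unconnected UDP socket or listening TCP socket
            remote = None
        rows.append({"label": label, "pid": os.getpid(), "proto": proto,
                     "local": sock.getsockname(), "remote": remote})

    try:
        # Two UDP sockets: one PID, two ports (compare lsass on UDP 500 and 4500).
        for i in range(2):
            udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            udp.bind((LOOPBACK, 0))  # port 0 asks the OS for any free port
            record(f"udp-{i}", udp)

        # One TCP listening socket: this is what a port lister shows as LISTENING.
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((LOOPBACK, 0))
        srv.listen(n_clients)
        record("tcp-listen", srv)

        # Every accepted connection is a new socket on the SAME local port;
        # only the remote endpoint tells the connections apart.
        for i in range(n_clients):
            client = socket.create_connection(srv.getsockname())
            record(f"tcp-client-{i}", client)
            conn, _ = srv.accept()
            record(f"tcp-accepted-{i}", conn)
    finally:
        for sock in opened:
            sock.close()
    return rows


if __name__ == "__main__":
    for row in socket_inventory():
        print(row)
```

Each row is one socket, so the count of sockets for a PID can exceed the number of distinct local ports it holds.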
     