OSTU - CurrPorts QuickStart (by Tony Fortunato & Peter Ciuffreda)

Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts.

  • Hello, it’s Tony Fortunato and Peter Ciuffreda from The Technology Firm. In this session we are going to use CurrPorts to do some TCP/UDP port and application analysis. Enjoy.
  • Peter: So what is CurrPorts? Tony: It is a TCP/UDP port and application analysis tool used to display and log all currently open connections on your local computer. Peter: Does this application require installation? Tony: Well actually it doesn’t require an install. All you need to do is download it and put it in any folder which you would like to access it from. Peter: In other words it’s a portable app. I could also run it off of a portable storage device such as a USB flash drive. Tony: Yup, that’s right.
  • Peter: Why would we use CurrPorts? Tony: Like stated before, it is used for TCP/UDP port and application analysis. Peter: So could you use it to discover how many ports an application uses, and estimate how long the ports stay open? Tony: Exactly. We can also use it to kill processes that opened specific ports. Peter: Why would we want to kill a process? Tony: Well, if a process is using too many connections, you can kill it to try and speed up your other connections if needed. Also, if you know that you have a port limitation on connections, we can use CurrPorts to help stay within those limits. CurrPorts can also detect and mark in pink suspicious ports being used by unknown applications.
  • Tony: The main window of CurrPorts displays all connections currently open, the Process Name of the application, the port and the IP of both the local and remote machines. Peter: From this screen capture we can see that the processes highlighted in green are the active connections. Tony: As discussed previously, the process highlighted in pink is an unknown application marked as suspicious. In this example we used the application IPERF which caused the suspicious process. Peter: If the active connections are marked in green, and the suspicious in red, then the unmarked processes (meaning the white) must be inactive, or applications that are listening. Tony: That’s right.
  • Peter: When CurrPorts is started for the first time, all the displayed options are turned on in the options menu. But are they all needed? Tony: Depending on what you are looking for you can change your display preferences. If you only want to see what processes are open or established, it would be a good idea to turn off display listening and display closed.
  • Peter: Why would we want all display options on? Tony: If you wanted to profile how a specific application uses ports you would want to have all options on. Peter: This would let us know if an application uses ports for listening, and if those ports are different than the ones it uses for active connection. Tony: That’s right.
  • Peter: From the Options Menu, we can set and change the auto refresh rate of the screen. Tony: The auto refresh rate also affects how often the log is updated. We will get into how to use the logs a bit later. Peter: It looks like we can also disable the auto refresh option. Tony: Disabling the auto refresh option means that the screen won’t refresh itself and your currently used processes will remain, but no new processes will appear and no old processes will disappear. Peter: This could be handy if you want to examine a certain process that appeared. You can always change the refresh rate back when you are done examining. Tony: Note that nowhere on the auto refresh option or on the screen does it inform you of the current refresh rate. The best way to find out what it is set to is to just reset it to your desired rate.
  • Peter: In this example the red application opened and closed a port within the refresh rate of 2 seconds. Therefore nothing would be displayed. Tony: The green application opened before the first refresh period and closed within the next interval. So you would see this application displayed with its relevant port information.
  • Tony: A nice feature in CurrPorts is the ability for filtering. Peter: We could use this feature to include or exclude specific processes, ports, or even IP addresses. Tony: The only issue with the filters option is that the syntax needs to be exact. It is best to follow the examples in the Edit Filter window. You must have your Include or Exclude as the first thing in the syntax. Peter: Note that CurrPorts will not warn you if your syntax isn’t in the right format; it simply won’t work. This can be easily seen because processes or ports show up that shouldn’t.
  • Tony: Another helpful option is the logging feature which allows you to save a log file of the process that appears in CurrPorts. This is from the time you turn on the Log Changes option under the file menu, until it is turned off. Peter: Logging your files is a nice feature since it allows you to look back through the log in case there was something you missed when you took your eyes off the screen for a few seconds. Tony: We will see an example of a log file a bit later.
  • Peter: It would be great to see how everything in CurrPorts works. Tony: Let’s show an example then of how CurrPorts can be used to examine a BitTorrent client called uTorrent. Peter: First off, let’s open the uTorrent application to discover what its process name appears as in CurrPorts. Once we get the process name we can create a filter to remove all other processes except uTorrent. Tony: Once the filter is created, we can set an auto refresh value of 2 seconds to see the most current changes. Peter: If you take a look at the main screen you should notice only processes for uTorrent. Tony: It would also be a good idea to create a log file to review later.
  • Peter: The log files show the date and time processes are added or removed, along with the process name, and both the local and remote IP addresses and the TCP or UDP port number.
  • Tony: For the sake of comparison let’s open both CurrPorts and Wireshark to validate the accuracy of CurrPorts. Peter: We noticed that Wireshark is showing that in this case 2 TCP ports and 7 UDP were opened. Although when looking at the CurrPorts log file we can only see 1 TCP and 2 UDP port connections were established. Tony: The other port connections have not been logged if they happened within the 2 seconds between refreshes. This can make it difficult to capture short-lived connections.
  • Peter: Even though CurrPorts doesn’t appear to capture connections under 2 seconds, it is still a nice application for finding out what ports applications use. Tony: The filtering feature is very powerful for concentrating on specific processes, ports, etc.; unfortunately you must be exact with your syntax in order for the filters to work. Peter: Having the log files is also a nice feature to look back on things you may have missed, but it is also dependent on the refresh rate and you may miss some connections. Tony: Despite a few shortcomings I would still recommend this utility for your network toolbox.
  • Tony: Hope you enjoyed this tip. Peter: Have a good day folks, bye for now.
    1. CurrPorts Training with Windows QuickStart
       Tony Fortunato, Sr Network Specialist; Peter Ciuffreda, Network Technician; The Technology Firm

    2. What is CurrPorts?
       • CurrPorts is:
         - Go get it at http://www.nirsoft.net/utils/cports.html
         - Portable utility: no installation or additional DLLs required
         - Displays a list of all currently opened TCP/IP and UDP ports on your local computer, including those of other logged-in accounts.
         - For each open port it also displays: process name, version info of the process, full path of the process, time the process was created, and the user that created the process

    3. Why use CurrPorts?
       • CurrPorts can be used for the following tasks:
         - Discover what and how many ports an application uses
         - Estimate the length of time of port connections
         - Close unwanted connections; kill processes that opened the port(s)
         - Automatically marks in pink unidentified, suspicious TCP/UDP ports
         - Discover the port number(s) you may want blocked on your network
         - Determine if you have TCP/UDP port limitations based on typical application usage

    4. CurrPorts Main Window
       • The main window of CurrPorts displays all the applications open, both the local and remote TCP/IP or UDP port in use, the remote host name, the state of the connection, the process path, and even information on the application manufacturer.
       • Processes that are highlighted in green are ones that are currently active.
       • Processes that are highlighted in pink are marked as suspicious.
         - This is caused by ports being used by an unidentified application
       • Processes that are white are listening application port numbers.
       (Screenshot legend: Active, Suspicious, Listening)

    5. Recommended Options For Active Sessions
       (Screenshots: DEFAULT and Suggested option settings)

    6. Recommended Options For An Application Profile
       (Screenshot: DEFAULT option settings)

    7. Refresh Rate And Options Menu
       • If the application is a real-time app, then the refresh rate should be set to the minimum value of 2 seconds
       • If the application is a command-response/human-intervention application, then you can use a manual refresh rate or anything.
       • When doing this for the first time with any application, leave all options selected
       • The “Advanced Filters” option allows you to set filters to include or exclude processes, IP addresses, or port numbers.

    8. Polling Interval Example
       • Polling/Refresh Interval = 2 seconds
       (Timeline diagram: refresh ticks at 0, 2 and 4 seconds. A connection that opens at 0.8 s and closes at 1.2 s: nothing displayed. A connection that opens at 1 s and closes at 3 s: application and port information displayed.)

    9. Filtering Notes
       • If you type an incorrect filter syntax:
         - CurrPorts will NOT WARN YOU of syntax errors
         - CurrPorts will still show ALL the information
         - REFERENCE THE EXAMPLES IN THE FILTER DIALOGUE BOX, NOTING INCLUDE AND EXCLUDE DETAILS
       (Screenshots: CORRECT and INCORRECT filter syntax)

    10. Logging Feature – from cports.chm
       • Log File
       • CurrPorts allows you to save all changes (added and removed connections) into a log file.
       • To start writing to the log file, check the 'Log Changes' option under the File menu.
       • By default, the log file is saved as 'cports.log' in the same folder that cports.exe is located.
       • You can change the default log filename by setting the 'LogFilename' entry in the cports.cfg file.
       • Be aware that the log file is updated only when you refresh the ports list manually, or when the 'Auto Refresh' option is turned on.

    11. Sample Application
       • Observe the behavior of uTorrent
       • Start CurrPorts
       • Start uTorrent and note the Process Name used, then shut down the application
         - i.e. uTorrent.exe in the example
       • Create a filter via the funnel icon, or F9, or Options->Advanced Filters
       • Select an appropriate refresh rate – 2 seconds for the uTorrent application
       • Clear Log File, and select Log Changes
       • Run the application
       • Review the log file “cports.log”

    12. Cports.log results
       • In this example, we can see the connections being created and removed along with a timeline
       • You should always “Clear Log File” before starting your application

    13. Comparison of Connections
       • In this example Wireshark was used to validate and better understand the CPORTS refresh rate and reporting
       • Since the application opened and closed connections IN BETWEEN the refresh rate, the connections were not recorded, nor displayed
       (Screenshots: Cports App, Wireshark, Cports log)

    14. Pros and Cons
       Pros                                                    | Cons
       --------------------------------------------------------|-------------------------------------------------------------
       Filtering helpful                                       | Limited commands and specific syntax
       Logging                                                 | Dependent on the refresh rate
       Refresh rate configurable                               | May miss connections if they open/close within the refresh rate
       Great for novices or to take a quick peek at port usage | Inconsistently reports connections used
       Would recommend this utility despite its shortcomings

    15. CurrPORTS Training - QuickStart
       Tony Fortunato, Sr Network Specialist; Peter Ciuffreda, Network Technician; The Technology Firm
       Thank you

    16. For additional educational videos on Open Source Network Tools, please click on the following …
       http://www.lovemytool.com/blog/ostu.html
       LoveMyTool.com – Community for Network Tools
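The polling model behind slide 8 and the Wireshark comparison on slide 13, as an added Python example (not code from the original deck or from CurrPorts): it assumes CurrPorts only records a connection that is open at the instant of a refresh tick, and the sample connections are constructed to match the slide's timings. It also generalizes the slide by computing the largest refresh interval that would still catch every connection in a capture.

```python
"""Model of which connections a fixed-interval poller (like CurrPorts'
Auto Refresh) will display or log. Assumption: a connection is seen only
if it is open at the moment a refresh tick fires."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    name: str
    opened: float  # seconds after the poller started
    closed: float  # seconds after the poller started


def poll_ticks(period: float, horizon: float):
    """Yield refresh instants 0, period, 2*period, ... up to horizon."""
    n = 0
    while n * period <= horizon:
        yield n * period
        n += 1


def observed(conns, period: float, horizon: float) -> set:
    """Names the poller would show: some tick lands inside [opened, closed]."""
    seen = set()
    for tick in poll_ticks(period, horizon):
        for c in conns:
            if c.opened <= tick <= c.closed:
                seen.add(c.name)
    return seen


def missed(conns, period: float, horizon: float) -> set:
    """Connections that opened and closed entirely between two ticks."""
    return {c.name for c in conns} - observed(conns, period, horizon)


def max_safe_period(conns) -> float:
    """Largest refresh interval that still guarantees every connection is
    hit by at least one tick: ticks spaced P apart always land in any
    window of length >= P, so P must not exceed the shortest lifetime."""
    return min(c.closed - c.opened for c in conns)


# Constructed sample matching slide 8: "red" lives 0.8s..1.2s, "green" 1s..3s.
SAMPLE = [Connection("red-app", 0.8, 1.2), Connection("green-app", 1.0, 3.0)]

if __name__ == "__main__":
    for period in (2.0, 0.5):
        print(f"period={period}s seen={observed(SAMPLE, period, 4.0)} "
              f"missed={missed(SAMPLE, period, 4.0)}")
    print(f"max safe period for this capture: {max_safe_period(SAMPLE):.1f}s")
```

With the slide's 2-second interval only green-app is displayed; dropping the interval to 0.4 seconds or less would have caught red-app as well, which is the same effect seen when the uTorrent log showed fewer connections than Wireshark.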