- TCPView displays real-time TCP/UDP connections, with process and status.
- Allows you to close sockets, save evidence, and adjust DNS refresh and resolution.
- Tcpvcon and netstat cover console usage, filters, and CSV export.
- It is complemented by Nmap, Wireshark and other tools for a complete audit.

If you're wondering what devices your computer is "talking" to right now, you've come to the right place: Windows systems come with tools to view it, and there are advanced utilities that make it even easier. TCPView, from Sysinternals (Microsoft), is one of the fastest ways to audit live connections without getting lost in the console.
In corporate or home environments, knowing which processes connect to the Internet and which destinations they communicate with is vital for diagnosing problems, validating firewall rules, or detecting suspicious activity. In addition to Netstat, TCPView adds a real-time view, color highlighting, and direct connection management, making it a practical substitute for daily auditing.
What is TCPView, and why is it a practical replacement for netstat?
TCPView is a free utility from Microsoft Sysinternals that displays, in real time, all the TCP and UDP endpoints of the system with their local/remote addresses and status (e.g., ESTABLISHED, TIME_WAIT). Unlike a textual dump, its interface allows you to identify at a glance which process is behind each socket.
One of its greatest attractions is that, next to each endpoint, you will see the name of the owning process and, where applicable, the name of the associated service. This way, you not only detect the port and IP address, but also who opened it, which is essential for narrowing down network diagnostics or hunting for malware.
From a functional point of view, TCPView offers a subset of netstat presented in a clearer and more actionable way. Also included in the download package is Tcpvcon, a command-line version with equivalent capabilities for automating or recording from scripts.
By default, the view refreshes every second, although you can change this from Options | Update Frequency. The program highlights the changes between cycles: new endpoints in green, status changes in yellow, and dropped connections in red, so that the activity is effortlessly obvious.
Another key advantage is that it allows you to act on what you see: you can close established TCP connections from File | Close Connections or the context menu, which is especially useful for nipping unwanted communications in the bud while you continue your research.
If you need to preserve evidence or document a session, the application lets you save the output to disk using the Save menu. And if you prefer human-readable hostnames, you can toggle DNS resolution from the toolbar or menu.
As for compatibility, TCPView works on Windows 8.1 and later on the client, and Windows Server 2012 and later on the server, so it broadly covers current desktop and server scenarios.
The official download is available from Microsoft, and you can also run the utility instantly with Sysinternals Live. The binary size is currently around 1.5 MB, although it was lighter in older versions; in any case, it is a portable tool that does not require installation.
As a historical reference, the project bears the signature of Mark Russinovich, and its documentation has been recently updated (e.g., April 11, 2023). This ensures continued support and maintenance by the Sysinternals team.
Basic use of TCPView in Windows

When you open TCPView, the program lists all active TCP/UDP endpoints and, if you have it enabled, resolves IP addresses to domain names for readability. You can turn that resolution on or off depending on whether you need quick analysis or numerical precision.
Note the columns for process, protocol, addresses/ports, and status: sorting by process or port helps you group activity and detect patterns (for example, massive connections to SMTP or known command and control servers).
The refresh every second marks the activity in colors: if you see a lot of green and red flashing frequently, it may indicate recurring connection attempts, scans, or aggressive reconnections from an application. This color coding speeds up decision-making at critical moments.
Need to cut traffic live? Select one or more rows with an established status and use File | Close Connections or right-click to close the socket. This is a temporary action (the app might reconnect), but it's useful for stopping exfiltration or spam while you adjust policies.
To collect evidence or share with the team, it is convenient to save a window dump with the Save menu. This capture makes it easy to correlate events with firewall, IDS or EDR logs and document the incident.
If your goal is to work with pure IPs, disable name resolution. In environments with internal DNS, the hostname can provide context, but numeric IP addresses prevent confusion from unwanted reverse resolutions during a forensic audit.
A practical note: although TCPView doesn't require installation, run it with the appropriate permissions to see all activity. Opening it with elevated privileges ensures that you can observe system processes and services that might otherwise be out of your sight.
Tcpvcon: the console version for automating audits
If you prefer to integrate auditing into scripts or schedule periodic logs, Tcpvcon offers the same observability from the command line with very direct usage. It is ideal for collecting snapshots in batches or generating CSVs for further analysis.
Basic use of the tool:
tcpvcon [-a] [-c] [-n] [process_name_or_PID]
The most useful modifiers are:
- -a: shows all endpoints (if you don't use this, you'll mostly see established TCP connections). Perfect for a complete system photo unfiltered by state.
- -c: Exports the output as CSV. Ideal for opening in Excel or feeding a SIEM with tabulated data on processes, ports and states.
- -n: does not resolve names; prints numeric addresses. Avoids DNS latencies and maintains forensic accuracy in critical environments.
Quick use case example: you know the suspicious PID and want to list its activity without resolving names; tcpvcon -a -n 784 is enough to see its active connections. Combining filters allows you to drill down into the details of a specific process with minimal friction.
Netstat for viewing active connections: when to use it and how it compares
Netstat is the veteran here: it comes integrated into Windows and, used well, allows you to inspect TCP/UDP connections, listening ports and statuses. Its output is "more static" in the sense that it requires relaunching to update, but it's still valuable.
Key commands to have on hand:
netstat # lists connections and ports with names
netstat -n # shows IPs and ports in numeric format
netstat -a # all connections and listening ports
netstat -b # requires admin; shows the associated executable
The -b modifier is especially interesting for seeing which binary is behind a connection, but remember to open the console as administrator. Without elevation, some process information may not be displayed.
If you want live monitoring with colors, visual filters, and the ability to close connections, TCPView will save you time. If you need something quick from the console or you're on a server without a GUI, netstat or Tcpvcon are a safe bet.
Real-life scenarios: detecting malware, SMTP spam, and firewall errors
A common situation in SMBs: the ISP blocks port 25 due to spam detection. Instead of spending hours with antimalware on dozens of computers, you can launch TCPView on each PC (a one-minute task) and locate the culprit in seconds by seeing multiple simultaneous outgoing SMTP connections.
On computers compromised by mass-mailing Trojans, you will see multiple remote destinations on port 25 or 587 with constant activity. Compared to a clean machine (without any strange spikes), the contrast is obvious and allows you to quickly isolate the affected machines.
Another scenario: a poor port forwarding configuration on the firewall that leaves the server too exposed. TCPView may show fleeting connections from unknown remote IP addresses with low data volumes. This could be internet noise, scans or failed attempts, but it is not advisable to ignore it.
In domain diagnostics, it is common to see connections associated with PID 4 (System) to domain controllers. This activity is not necessarily malicious: the operating system and kernel services are establishing legitimate communications. The key is to correlate schedules, ports and protocols with the server's functions.
If you have IDS/IPS, alerts provide context. For example, an alert about SERVER-WEBAPP Linksys E-series HNAP TheMoon (RCE attempt) indicates scans or attacks targeting vulnerable routers. It does not imply a compromise on your Windows host, but it does suggest reviewing exposure and hardening perimeters.
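As an added example (not part of the original article and not Sysinternals code), the following Python snippet reads a saved `tcpvcon -a -c -n` CSV and flags the mass-mailing pattern described above: one process fanning out to several distinct remote hosts on ports 25/587. The CSV column order (protocol, process, PID, state, local, remote) and the sample rows are constructed assumptions; compare against your own Tcpvcon output before relying on the parser, and PID 784 simply reuses the earlier Tcpvcon example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tcpvcon -a -c -n` output (not a real capture).
# Assumed column order: protocol,process,pid,state,local,remote.
SAMPLE_CSV = """TCP,outlook.exe,2312,ESTABLISHED,192.168.1.20:51022,203.0.113.10:587
TCP,svchost.exe,1204,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,update.exe,784,ESTABLISHED,192.168.1.20:51101,198.51.100.5:25
TCP,update.exe,784,ESTABLISHED,192.168.1.20:51102,198.51.100.17:25
TCP,update.exe,784,SYN_SENT,192.168.1.20:51103,198.51.100.44:25
TCP,update.exe,784,ESTABLISHED,192.168.1.20:51104,203.0.113.77:587
UDP,svchost.exe,1204,,0.0.0.0:5353,*:*
"""

SMTP_PORTS = {25, 587}  # plain SMTP and submission


def parse_tcpvcon_csv(text):
    """Turn Tcpvcon CSV lines into dicts; remote port becomes None when unbound (e.g. '*:*')."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 6:
            continue  # skip blank or malformed lines
        proto, proc, pid, state, local, remote = rec[:6]
        rhost, _, rport = remote.rpartition(":")  # rpartition keeps IPv6 hosts intact
        rows.append({
            "proto": proto, "process": proc, "pid": int(pid), "state": state,
            "local": local, "rhost": rhost,
            "rport": int(rport) if rport.isdigit() else None,
        })
    return rows


def smtp_fanout(rows, threshold=3):
    """Map (process, pid) -> sorted distinct SMTP destinations for processes that reach
    at least `threshold` different hosts on 25/587. Listening sockets are ignored, so a
    local mail server does not trigger; a single mail client with one relay stays under."""
    dests = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["rport"] in SMTP_PORTS and r["state"] != "LISTENING":
            dests[(r["process"], r["pid"])].add(r["rhost"])
    return {k: sorted(v) for k, v in dests.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (proc, pid), hosts in smtp_fanout(parse_tcpvcon_csv(SAMPLE_CSV)).items():
        print(f"{proc} (PID {pid}) -> {len(hosts)} SMTP destinations: {', '.join(hosts)}")
```

On a real machine, replace SAMPLE_CSV with the contents of a file produced by `tcpvcon -a -c -n > connections.csv` and tune the threshold to what is normal for the host's role.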
Good practices during research:
- Freeze evidence by saving TCPView output and firewall/IDS logs.
- Check open services with netstat/Tcpvcon and compare them with the expected configuration.
- Review NAT/port forwarding rules and close the unnecessary ones.
- Check processes and signatures of suspicious executables with their path and publisher.
These actions, along with temporary connection cuts from the interface, help contain the incident while you plan permanent measures.
Complementary tools for a complete network audit
In addition to TCPView and netstat, it's worthwhile to rely on well-known network utilities that broaden your scope. Using them for defensive purposes gives you a head start on how attackers work and helps you understand your exposure area.
- TCPDump and WinDump: command-line traffic capturers. They allow you to dump packets for analysis and see what's flowing through the network. WinDump requires WinPcap/Npcap on Windows. They're powerful, but their learning curve is more technical.
- Nmap: port scanner and service audit. Sends predefined packets to IP ranges to discover hosts, open ports, services and sometimes the operating system. It's essential to validate what you're actually exposing to the network.
- Wireshark: protocol analyzer with graphical interface. Allows you to inspect and decapsulate TCP/UDP packets in great detail, ideal for diagnosing fine-grained communication problems or studying protocols.
- Aircrack-ng: suite for wireless networks oriented to auditing WEP/WPA/WPA2 key strength and analyzing Wi-Fi packets. Useful for evaluating corporate Wi-Fi security and password policies.
- Kali Linux: penetration testing-oriented distribution that brings together dozens of tools (including several of the previous ones). It can be run live from USB or installed, and many utilities offer a graphical interface in addition to a console.
These solutions do not replace TCPView, but rather complement it: TCPView gives you the "who and now" at the process level, Nmap the service exposure, and Wireshark/TCPDump the packet view. Together they make up a robust workflow to detect anomalies, confirm findings and strengthen controls.
Download, execution and compatibility
You can get the utility from the official Microsoft Sysinternals website. The current download weighs around 1.5 MB and is supplied as a portable binary. If you prefer not to download anything, it is also possible to run it on the fly via Sysinternals Live directly from the Internet.
Summary of execution requirements:
- Client: Windows 8.1 or later.
- Server: Windows Server 2012 or later.
To take advantage of all the capabilities, it is advisable to run as administrator in troubleshooting sessions, especially if you are going to use netstat -b or need to see system processes.
What to choose for everyday use? For rapid surveillance and triage, TCPView is agile, visual and actionable. For scripting, inventory and periodic records, Tcpvcon and netstat cover the flow from the console. In incidents with real suspicion, combine these views with captures and scans to move from hypothesis to evidence.
With such a light tool and the ability to cut specific sockets, you gain time to implement permanent corrective measures (firewall policies, service hardening, segmentation, or even reinstallation when it's most prudent). That balance between visibility and immediate action is precisely where TCPView shines.
