Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Difference between Established/Listening Ports?

  • Please log in to reply
1 reply to this topic

#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,714 posts
  • Gender:Male
  • Location:USA
  • Local time:05:45 PM

Posted 04 June 2004 - 03:46 PM

A user read my tutorial, Windows Forensics: Have I been Hacked? sent me an email asking the following:

With that being said, I would like to know how to analyze the TCPView? What does Listening and Established mean? What's normal and not so normal on Window XP Home Edition?

For those who do not know, TCPView by Sysinternals is a program that shows all listening and established sockets, or connections, on your computer in real time. It will also tell you what programs are using these particular connections, and who they may be connected to. Being able to see this is extremely important when doing Computer Forensics as you can see what ports are open and what programs are using them allowing you to easily pinpoint where a backdoor on the system may be present.

Now back to the question: :thumbsup:

When a program is running on a computer that uses TCP and waits for another computer to connect to it, it is said to be "listening" for connections. The program attaches itself to a port on your computer and waits for a connection. When it does this it is what is known as being in a listening state. When a remote computer connects to that particular port and "establishes" a connection, that particular sessions is known as an established session because the two computers are now connected to each other.

To sum it up, a listening port is one that is waiting for a connection. An established port is one that is connected to a remote computer.

As for what common ports that would be open on XP Home:

TCP 135
TCP 139
TCP 5000
TCP 1026
TCP 1027
UDP 137
UDP 138

Seeing those ports should not alarm you and it is not uncommon to see other ports listening as well. You should pay more attention to the program names that are listening on the Internet rather than the ports sometimes. If you see c:\windows\system32\svchost.exe listening on a few connections do not be alarmed. This is common as svchost.exe is a loader for many other programs.

Hope this clears up some of your questions.

Edit: Fixed broken link for TCPView.

Edited by quietman7, 30 November 2010 - 12:13 PM.

BC AdBot (Login to Remove)


#2 JEservices


    helping hand

  • Members
  • 1,700 posts
  • Location:Texas
  • Local time:04:45 PM

Posted 05 June 2004 - 07:38 AM

Thanks for the informatione. I currently use TCPView to monitor my ports, as well. I may not understand what I am seeing, but I am learning. It is a very useful program.

It would be nice, if you did a tutorial on TCPView.

Thanks for all your hard work in keeping everyone informed.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users