FPort - crupper/Forensics-Tool-Wiki GitHub Wiki
# FPort

##### Source: Get FPort Here
## Description

To list the open ports on a system, you can use the command:

```
netstat -a
```

However, if you want to see which application opened each port, FPort is the tool for you. Designed for Windows NT, 2000, and XP, FPort displays the open ports and the executables that opened them. It also reports the process ID (PID), the protocol, and the path to the executable. It used to be downloaded through foundstone.com; however, McAfee now provides the source.
## My Thoughts and Uses

To run FPort, one can simply type

```
fport
```

if its directory has been added to the PATH environment variable. Otherwise, navigate to the directory where fport.exe can be found and run it from a command prompt. FPort does not need any command-line arguments.

```
fport.exe
```
In my own personal use, I used FPort to find out where the executable was that launched the srss process. An example of the output is as follows:
```
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
720 -> 135 TCP
4 System -> 139 TCP
4 System -> 445 TCP
1524 srss -> 1337 TCP C:\Windows\system32\srss.exe
0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 138 UDP
720 -> 445 UDP
4 System -> 500 UDP
1524 srss -> 4500 UDP C:\Windows\system32\srss.exe
```
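An added example (not part of the original wiki page and not shipped with FPort): a small Python parser for the output format shown above. It groups endpoints by executable, lists rows where FPort printed no path, and compares endpoints against an analyst-supplied baseline. The function names and the baseline argument are assumptions made for illustration.

```python
import re
from collections import defaultdict

# FPort output from the example on this page (copyright/URL banner lines omitted).
SAMPLE = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Pid Process Port Proto Path
720 -> 135 TCP
4 System -> 139 TCP
4 System -> 445 TCP
1524 srss -> 1337 TCP C:\Windows\system32\srss.exe
0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 138 UDP
720 -> 445 UDP
4 System -> 500 UDP
1524 srss -> 4500 UDP C:\Windows\system32\srss.exe
"""

# pid, optional process name, "->", port, protocol, optional executable path
ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s*->\s*(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Return one dict per data row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append(dict(pid=int(pid), process=proc, port=int(port), proto=proto, path=path.strip()))
    return rows

def by_executable(rows):
    """Group endpoints by (pid, process, path) so each binary is reviewed once."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["pid"], r["process"], r["path"])].append(f'{r["port"]}/{r["proto"]}')
    return dict(groups)

def unresolved(rows):
    """Rows where FPort printed no executable path and attribution is incomplete."""
    return [r for r in rows if not r["path"]]

def outside_baseline(rows, baseline):
    """Rows whose (port, proto) pair is not in the analyst-supplied expected set."""
    return [r for r in rows if (r["port"], r["proto"]) not in baseline]

if __name__ == "__main__":
    for key, endpoints in by_executable(parse_fport(SAMPLE)).items():
        print(key, endpoints)
```

Build the baseline set from a known-good host of the same role, then review whatever `outside_baseline` returns together with the executable path FPort reported for it.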
Overall, FPort provides a very useful function. I would recommend it to anyone performing a forensic analysis on a machine running Windows NT, 2000, or XP.
## Resources and more information

An interesting SANS whitepaper on FPort

A Wikipedia article on FPort (warning: it is only in Portuguese)