4

What is the most ready way to log the PID and process name of anything making an outbound connection on port 25? This is on a 2008 x32 server without the windows firewall enabled.

I'm decommissioning and old mail server and unfortunately a lot of the processes were defined by hand pointing to this host. I've got over 90% of the configuration updated but the remainder is a bit of a mystery.

I was thinking about using the following but it'll generate a lot of noise since this is a web server. I'm also not sure if it would work since the windows firewall is disabled. 

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
Tim Brigham
  • 15,585
  • 2
    netstat -b says Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions. – NickW Apr 11 '13 at 16:10
  • @NickW - That would require running it whist the email is being generated though wouldn't it? I've never used netstat used for prolonged data collection. – Tim Brigham Apr 11 '13 at 16:13
  • 1
    Have a look at the interval part of netstat, you could have it run every x seconds.. possibly pipe it through the windows equivalent of grep.. Also look at -o which will give you the process id, if you started piping itinto a log file filtering on port 25, it shouldn't get too huge one hopes.. – NickW Apr 11 '13 at 16:16
  • Findstr seems to be the windows equiv :) – NickW Apr 11 '13 at 16:16
  • 2
    as an alternative you could install netmon 3.4 on it, but I'd do the netstat routine 1st. – tony roth Apr 11 '13 at 16:42
  • @NickW, why not put that as the answer? Also, netmon, wireshark, etc. – Ben Apr 25 '13 at 08:46
  • @Ben, because in all honesty, I don't know if that was of any worth to him :) – NickW Apr 25 '13 at 08:52

1 Answers1

1

Use one of the following port logging tools:

generalnetworkerror
  • 401