Microsoft KB Archive/832919

= New features and functionality in PortQry version 2.0 =

Article ID: 832919

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-





IN THIS TASK

 * SUMMARY
 * Overview
 * Port status reporting
 * PortQry version 2.0 features
 * LDAP support
 * RPC support
 * DNS support
 * NetBIOS name service support
 * SNMP support
 * ISA Server support
 * SQL Server 2000 support
 * TFTP support
 * L2TP support
 * Customize ports that queries use
 * Additional service information returned
 * PortQry command-line options
 * Additional features
 * PortQry interactive mode
 * PortQry local mode
 * REFERENCES



SUMMARY
This article discusses the new features and functionality that are available in PortQry Command Line Port Scanner version 2.0.

PortQry version 1.22 is a TCP/IP connectivity testing utility that is included with the Microsoft Windows Server 2003 Support Tools. Microsoft has released a new version of PortQryV2.exe. This new version includes all the features and functionality of the earlier version and has new features and functionality. PortQryV2.exe is available from the Microsoft Download Center. To obtain PortQryV2.exe, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

back to the top

Overview
PortQry is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer. PortQry version 2.0 also provides detailed information about the local computer's port usage. PortQry version 2.0 runs on all the following operating systems:
 * Microsoft Windows Server 2003
 * Microsoft Windows XP
 * Microsoft Windows 2000

back to the top

Port status reporting
PortQry reports the status of a port in one of the following ways:  LISTENING This response indicates that a process is listening on the target port. PortQry received a response from the target port. NOT LISTENING This response indicates that no process is listening on the target port. PortQry received one of the following Internet Control Message Protocol (ICMP) messages from the target port:

Destination unreachable

Port unreachable

 FILTERED This response indicates that the target port is being filtered. PortQry did not receive a response from the target port. A process may or may not be listening on the target port. By default, PortQry queries a TCP port three times before it returns a response of FILTERED and queries a UDP port one time before it returns a response of FILTERED.

back to the top

PortQry version 2.0 features
Depending on the process that listens on a UDP port, sometimes it may be difficult to determine the status of that UDP port. When an unformatted zero-length or fixed-length message is sent to a target UDP port, the port may or may not respond. If the port responds, it has a status of LISTENING. If you receive an ICMP &quot;Destination unreachable&quot; message from a UDP port, or if a TCP reset response is returned from a TCP port, the port has a status of NOT LISTENING. Typical port scanning tools report that the port has a LISTENING status if the target UDP port does not return an ICMP &quot;Destination unreachable&quot; message. This result may not be accurate for one or both of the following reasons:
 * When there is no response to a directed datagram, the target port may be FILTERED.
 * Most services do not respond to an unformatted user datagram that is sent to them.

Typically, only one correctly formatted message that uses the session layer or that uses the application layer protocol that the listening service or the program understands elicits a response from the target port.

When you troubleshoot a connectivity problem, especially in an environment that contains one or more firewalls, it is useful to know if a port is being filtered or if it is listening. PortQry includes some special features to help make this determination on selected ports. If there is no response from a target UDP port, PortQry reports that the port is LISTENING or FILTERED. PortQry then sends a correctly formatted message that the listening service or program understands. PortQry uses the correct session layer or application layer protocol to determine if the port is listening. PortQry uses the Services file that is located in the %SYSTEMROOT%\System32\Drivers\Etc folder to determine which service listens on each port.

Note This file is stored on each Microsoft Windows Server 2003, Windows XP, and Windows 2000-based computer.

Because PortQry is intended as a troubleshooting tool, it is expected that users who use it to troubleshoot a particular problem have sufficient knowledge of their computing environment. PortQry version 2.0 supports the following session layer and application layer protocols:
 * Lightweight Directory Access Protocol (LDAP)
 * Remote Procedure Calls (RPC)
 * Domain Name System (DNS)
 * NetBIOS Name Service
 * Simple Network Management Protocol (SNMP)
 * Internet Security and Acceleration Server (ISA)
 * SQL Server 2000 Named Instances
 * Trivial File Transfer Protocol (TFTP)
 * Layer Two Tunneling Protocol (L2TP)

Additionally, PortQry version 2.0 can accurately determine if more UDP ports are open than can PortQry version 1.22.

back to the top

LDAP support
PortQry can send an LDAP query by using both TCP and UDP and interpret an LDAP server's response to that query correctly. PortQry parses, formats, and then returns the response from the LDAP server to the user. For example, you type the following command, and then press ENTER:

portqry -n  -p udp -e 389

PortQry then performs the following actions:
 * 1) PortQry uses the Services file in the %SYSTEMROOT%\System32\Drivers\Etc folder to resolve the UDP port 389. If PortQry resolves the port to the LDAP service, PortQry sends an unformatted user datagram to UDP port 389 on the destination computer.

PortQry does not receive a response from the target port because the LDAP service only responds to a correctly formatted LDAP query.
 * 1) PortQry reports that the port is LISTENING or FILTERED.
 * 2) PortQry sends a correctly formatted LDAP query to UDP port 389 on the destination computer.
 * 3) If PortQry receives a response to this query, it returns the whole response to the user and reports that the port is LISTENING.

If PortQry does not receive a response to this query, it reports that the port is FILTERED.

Sample output
UDP port 389 (unknown service): LISTENING or FILTERED Sending LDAP query to UDP port 389...

LDAP query response:

currentdate: 12/13/2003 05:42:40 (unadjusted GMT) subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com dsServiceName: CN=NTDS Settings,CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com namingContexts: DC=domain,DC=example,DC=com defaultNamingContext: DC=domain,DC=example,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com configurationNamingContext: CN=Configuration,DC=domain,DC=example,DC=com rootDomainNamingContext: DC=domain,DC=example,DC=com supportedControl: 1.2.840.113556.1.4.319 supportedLDAPVersion: 3 supportedLDAPPolicies: MaxPoolThreads highestCommittedUSN: 4259431 supportedSASLMechanisms: GSSAPI dnsHostName: myserver.domain.example.com ldapServiceName: domain.example.com:myserver$@domain.EXAMPLE.COM serverName: CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com supportedCapabilities: 1.2.840.113556.1.4.800 isSynchronized: TRUE isGlobalCatalogReady: TRUE domainFunctionality: 0 forestFunctionality: 0 domainControllerFunctionality: 2

== End of LDAP query response
==

UDP port 389 is LISTENING In this example, you determine that port 389 is listening. Additionally, you can determine which LDAP service is listening on port 389 and certain details about that service.

back to the top

RPC support
PortQry can send an RPC query by using both TCP and UDP and interpret the response to that query correctly. This query returns (dumps) all the end points that are currently registered with the RPC endpoint mapper. PortQry parses, formats, and then returns the response from the RPC endpoint mapper to the user. For example, you type the following command, and then press ENTER:

portqry -n  -p udp -e 135

PortQry then performs the following actions:
 * 1) PortQry uses the Services file in the %SYSTEMROOT%\System32\Drivers\Etc folder to resolve the UDP port 135. If PortQry resolves the port to the RPC End Point Mapper service (Epmap), PortQry sends an unformatted user datagram to UDP port 135 on the destination computer.

PortQry does not receive a response from the target port because the RPC endpoint mapper service only responds to a correctly formatted RPC query.
 * 1) PortQry reports that the port is LISTENING or the port is FILTERED.
 * 2) PortQry sends a correctly formatted RDC query to UDP port 135 on the destination computer. This query returns all the endpoints that are currently registered with the RPC endpoint mapper.
 * 3) If PortQry receives a response to this query, PortQry returns the whole response to the user and reports that the port is LISTENING.

If PortQry does not receive a response to this query, it reports that the port is FILTERED.

Sample output
UDP port 135 (epmap service): LISTENING or FILTERED Querying Endpoint Mapper Database... Server's response:

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076 ncacn_ip_tcp:169.254.12.191[4144]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncacn_ip_tcp:169.254.12.191[1030]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncadg_ip_udp:169.254.12.191[1032]

UUID: 12345678-1234-abcd-ef00-01234567cffb ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb ncacn_np:\\\\MYSERVER[\\PIPE\\POLICYAGENT]

Total endpoints found: 6

End of RPC Endpoint Mapper query response
UDP port 135 is LISTENING In this example, you determine that port 135 is listening. Additionally, you can determine which services or programs are registered with the RPC endpoint mapper database on the destination computer. The output includes the universal unique identifier (UUID) for each program, the annotated name (if one exists), the protocol that each program uses, the network address that the program is bound to, and the program's endpoint in square brackets.

Note When you specify the -r option in the PortQry.exe command to scan a range of ports, the RPC End Point Mapper is not queried. This makes the scan of a range of ports faster.

back to the top

DNS support
PortQry can send a correctly formatted DNS query by using both TCP and UDP. PortQry sends a DNS query for the following fully qualified domain name (FQDN):

portqry.microsoft.com

PortQry then waits for a response from the destination DNS server. If the server returns a response, PortQry determines that the port is LISTENING.

Note It is not important whether the DNS server returns a negative response. Any response indicates that the port is listening.

back to the top

NetBIOS name service support
By default, the NetBIOS name service listens on UDP port 137. When PortQry determines that this port is LISTENING or FILTERED, PortQry performs the following actions to determine whether the port is actually listening:
 * 1) If NetBIOS is available on the computer where you are running PortQry, PortQry sends a NetBIOS adapter status query to the destination computer.
 * 2) If the destination computer responds to this query, PortQry reports that the target port is LISTENING, and then returns the destination computer's media access control (MAC) address to the user.

If NetBIOS is not available on the computer where you are running PortQry, PortQry does not try to send a NetBIOS adapter status query to the destination computer.

back to the top

SNMP support
SNMP support is a new feature in PortQry version 2.0. By default, the SNMP service listens on UDP port 161. To determine whether port 161 is listening, PortQry sends a query that is formatted in the way that the SNMP service accepts. The SNMP service is configured with a community name or a string that you must know to obtain a response from the server. With PortQry, you can specify SNMP community names when you query this port. By default, PortQry uses the community name, &quot;Public.&quot; To specify a different community name, use the -cn command-line option. When you specify a community name in the PortQry.exe command, enclose that community name in exclamation marks (!). For example, to specify a community name such as, type a command that is similar to the following command:

portqry -n 127.0.0.1 -e 161 -p udp -cn ! !

Sample output
Querying target system called:

127.0.0.1

querying...

UDP port 161 (snmp service): LISTENING or FILTERED

community name for query:

secure123

Sending SNMP query to UDP port 161...

UDP port 161 is LISTENING back to the top

ISA Server support
Microsoft ISA Server support is a new feature in PortQry version 2.0. By default, ISA Server uses TCP port 1745 and UDP port 1745 to communicate with Winsock proxy clients and with firewall clients. Computers that have the Winsock proxy client program or the Firewall client program installed use these ports to request services from ISA Server and to download configuration information. Typically, these services include name resolution services and other services that are not HTTP-based (for example, Winsock connections). To determine whether the port is listening, PortQry sends a query that is formatted in the way that ISA Server accepts.

Sample output
For example, you type a command that is similar to the following command:

portqry -n  -p udp -e 1745

You receive the following output: Querying target system called:

myproxy-server

Attempting to resolve name to IP address...

Name resolved to 169.254.24.86

querying...

UDP port 1745 (unknown service): LISTENING or FILTERED

Sending ISA query to UDP port 1745...

UDP port 1745 is LISTENING When PortQry queries TCP port 1745, PortQry downloads the Mspclnt.ini file from the ISA Server if the Mspclnt.ini file is available on that port. The Mspclnt.ini file contains configuration information that Winsock proxy clients and Firewall clients use.

Sample output
TCP port 1745 (unknown service): LISTENING

Sending ISA query to TCP port 1745...

ISA query response:

10.0.0.0       10.255.255.255 127.0.0.1       127.0.0.1 169.254.0.0     169.254.255.255 192.168.0.0     192.168.255.255 127.0.0.0       127.255.255.255

[Common] myproxy-server.example.com Set Browsers to use Auto Detect=1 AutoDetect ISA Servers=1 WebProxyPort=8080 Port=1745 Configuration Refresh Time (Hours)=2 Re-check Inaccessible Server Time (Minutes)=10 Refresh Give Up Time (Minutes)=15 Inaccessible Servers Give Up Time (Minutes)=2 [Servers Ip Addresses] Name=myproxy-server [My Config] Path1=\\myproxy-server\mspclnt\
 * This file should not be edited.
 * Changes to the client configuration should only be made using ISA Management.
 * Changes to the client configuration should only be made using ISA Management.

== End of ISA query response
== back to the top

SQL Server 2000 support
Microsoft SQL Server 2000 support is a new feature in PortQry version 2.0. PortQry queries UDP port 1434 to query all the SQL Server named instances that are running on a SQL Server 2000 computer. PortQry sends a query that is formatted in the way that SQL Server 2000 accepts to determines whether this port is listening.

Sample output
For example, you type a command that is similar to the following command:

portqry -n  -e 1434 -p udp

You receive the following output: <pre class="fixed_text">Querying target system called:

192.168.1.20

querying...

UDP port 1434 (ms-sql-m service): LISTENING or FILTERED

Sending SQL Server query to UDP port 1434...

Server's response:

ServerName SQL-Server1 InstanceName MSSQLSERVER IsClustered No Version 8.00.194 tcp 1433 np \\SQL-Server1\pipe\sql\query

End of SQL Server query response
UDP port 1434 is LISTENING back to the top

TFTP support
TFTP support is a new feature in PortQry version 2.0. By default, TFTP servers listen on UDP port 69. PortQry sends a query that is formatted in the way that the TFTP server accepts to determine whether this port is listening.

Sample output
For example, you type a command that is similar to the following command:

portqry -n  -p udp -e 69

You receive the following output: <pre class="fixed_text">Querying target system called:

myserver.example.com

Attempting to resolve name to IP address...

Name resolved to 169.254.23.4

querying...

UDP port 69 (tftp service): LISTENING or FILTERED

Sending TFTP query to UDP port 69...

UDP port 69 is LISTENING back to the top

L2TP support
L2TP support is a new feature in PortQry version 2.0. Routing and Remote Access servers and other virtual private networking (VPN) servers listen on UDP port 1701 for inbound L2TP connections. PortQry sends a query that is formatted in the way that the VPN server accepts to determine whether this port is listening.

Sample output
For example, you type a command that is similar to the following command:

portqry -n  -e 1701-p udp

You receive the following output: <pre class="fixed_text">Querying target system called:

vpnserver

Attempting to resolve name to IP address...

Name resolved to 169.254.12.225

querying...

UDP port 1701 (l2tp service): LISTENING or FILTERED

Sending L2TP query to UDP port 1701...

UDP port 1701 is LISTENING back to the top

Customize ports that queries use
By default, every Windows Server 2003, Windows XP, and Windows 2000-based computer has a Services file that is located in the %SYSTEMROOT%\System32\Drivers\Etc folder. PortQry uses this file to resolve port numbers to their corresponding service names. The content of this file dictates the ports where PortQry sends formatted messages when you use the PortQry.exe command. You can edit this file to direct PortQry to send formatted messages to an alternative port. For example, the following entry appears in a typical Services file: ldap             389/tcp                           #Lightweight Directory Access Protocol You can edit this port entry or add an additional entry. To cause PortQry to send LDAP queries to port 1025, modify the entry to the following entry: ldap             1025/tcp                           #Lightweight Directory Access Protocol back to the top

Additional service information returned
PortQry displays extended information that some ports may return. PortQry looks for this &quot;extended information&quot; on ports where the following services listen:
 * Simple Mail Transfer Protocol (SMTP)
 * Microsoft Exchange POP3
 * Microsoft Exchange IMAP4
 * FTP Publishing Service
 * ISA Server services

For example, by default, the FTP service listens on TCP port 21. When PortQry determines that TCP port 21 on the destination computer is LISTENING, it uses the information from the Services file to determine that the FTP service is listening on this port.

Note You can change the service that PortQry determines is listening on a port by editing the Services file. For additional information, see the &quot;Customize ports that queries use&quot; section of this article.

In this scenario, PortQry tries to use the Anonymous user account to log on to the FTP server. The result of this logon attempt indicates whether the destination FTP server accepts anonymous logons. PortQry returns the server's response.

Example 1: You type a command that is similar to the following command, and then press ENTER:

portqry -n  -p tcp -e 21

You receive a response that is similar to the following response: <pre class="fixed_text">TCP port 21 (ftp service): LISTENING

Data returned from port: 220 Microsoft FTP Service

331 Anonymous access allowed, send identity (e-mail name) as password. In Example 1, you can determine the type of FTP server that is listening on the target port and whether the FTP server is configured to permit anonymous user logons.

Example 2: You type a command that is similar to the following command, and then press ENTER:

portqry -n  -p tcp -e 25

You receive a response that is similar to the following response: <pre class="fixed_text">TCP port 25 (smtp service): LISTENING

Data returned from port: 220 MyMailServer.domain.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Mon, 15 Dec 2003 10:24:50 -0800 In Example 2, you can determine the type of SMTP server that is listening on the target port.

back to the top

PortQry command-line options
You can use the following command-line options with PortQry:  -n (name): This parameter is required. Use this parameter to specify the destination computer. You can specify a host name or a host IP address. However, you cannot embed spaces in the host name or in the IP address. PortQry resolves the host name to an IP address. If PortQry cannot resolve the host name to an IP address, the tool reports an error, and then exits. If you enter an IP address, PortQry resolves it to a host name. If the resolution is unsuccessful, PortQry reports an error, but continues to process the command.

Examples

portqry -n 

portqry -n 

portqry -n 

</li> -p (protocol): This parameter is optional. Use this parameter to specify the type of port or protocol that is used to connect to the target port on the destination computer. If you do not specify a protocol, PortQry uses TCP as the protocol.

Valid parameters  TCP (default): Specifies a TCP end point.</li> UDP: Specifies a UDP end point.</li> BOTH: Specifies both a TCP end point and a UDP end point. When you use this option, PortQry queries both the TCP end point and the UDP end point that you specify.</li></ul>

Examples

portqry -n  -p tcp

portqry -n  -p udp

portqry -n  -p both

portqry -n  (This command uses the default parameter tcp.)

</li> -e (endpoint): This parameter is optional. Use this parameter to specify the end point (or the port number) on the destination computer. This must be a valid port number between 1 and 65535 inclusive. You cannot use this parameter together with the -o parameter or the -r parameter. If you do not specify a port number, PortQry queries port 80.

Examples

portqry -n  -p udp -e 139

portqry -n  -p tcp -e 25

portqry -n  (This command uses the default parameter of port 80.)

portqry -n  -p both -e 60897

</li> -o (order): This parameter is optional. Use this parameter to specify a certain number of ports to be queried in a particular order. You cannot use this option together with the -e parameter or together with the -r parameter. When you use this parameter, use commas to delimit the port numbers. You can enter the port numbers in any order. However, you cannot leave spaces between the port numbers and the comma delimiters.

Examples

portqry -n  -p udp -o 139,1025,135

portqry -n  -p tcp -o 143,110,25

portqry -n  -p both -o 100,1000,10000

</li> -r (range): This parameter is optional. Use this parameter to specify a range of port numbers to query in sequential order. You cannot use this option together with the -e parameter or together with the -o parameter. When you use this parameter, use a semi-colon to delimit the starting port number and the ending port number. Specify a starting port that is lower than the ending port. Additionally, you cannot put spaces between the port numbers and the semi-colon. When you use this parameter, the RPC End Point Mapper is not queried.

Examples

portqry -n  -p udp -r 135;139

portqry-n  -p tcp -r 10;20

portqry -n  -p both -r 25;120

</li> -l (log file): This parameter is optional. Use this parameter to specify a log file to record the output generated by PortQry. When you use this parameter, specify a file name together with the file name extension. You cannot type spaces in the log file name. The log file is created in the folder where PortQry runs. PortQry generates the log file output in text format. If an existing log file with the same name exists, you are prompted to overwrite it when you run the PortQry command.

Examples

portqry -n  -p udp -r 135;139 -l myserverlog.txt

portqry -n  -p tcp -o 143,110,25 -l portqry.log

portqry -n  -p both -e 500 -l ipsec.txt -y

</li> -y (yes, overwrite): This parameter is optional. Use this parameter together with the -l parameter to suppress the &quot;overwrite&quot; prompt when a log file exists that has the same name that you specify in the PortQry command. When you use this parameter, PortQry overwrites the existing log file without prompting you.

Examples

portqry -n  -p udp -r 135;139 -l myserverlog.txt -y

portqry -n  -p tcp -o 143,110,25 -l portqry.log -y

</li> -sl (slow link): This parameter is optional. Use this parameter to cause PortQry to wait longer for responses from UDP queries. Because UDP is a connectionless protocol, PortQry cannot determine whether the port is slow to respond or the port is filtered. This option doubles the time that PortQry waits for a response from a UDP port before PortQry determines that the port is NOT LISTENING or that it is FILTERED. Use this option when you query a UDP port across a slow or unreliable network link.

Examples

portqry -n  -p udp -r 135;139 -l   -sl

portqry -n  -p tcp -o 143,110,25 -sl

portqry -n  -p both -e 500 -sl

</li> -nr (no reverse name lookup): This parameter is optional. Use this parameter to bypass the reverse name lookup that PortQry performs when you specify an IP address together with the -n parameter. By default, when you specify an IP address together with the -n parameter, PortQry tries to resolve the IP address to a host name. This process may be time-consuming, especially if PortQry cannot resolve the IP address. When you specify the -nr parameter, PortQry does not look up the IP address to return the host name. Instead, PortQry queries the target ports immediately. The -nr parameter is ignored if you specify a host name together with the -n parameter.

Examples

portqry -n  -p udp -r 135:139 -l   -s -nr

portqry -n  -p tcp -o 143,110,25 -s -nr

portqry -n  -p both -e 500 -s -nr

</li>  -q (quiet mode): This parameter is optional. Use this parameter to cause PortQry to suppress all output to the screen except for error messages. This parameter is especially helpful when you configure PortQry for use in a batch file. Depending on the status of the port, this parameter returns the following outputs:  <li>0 (zero) is returned if the target port is LISTENING.</li> <li>1 is returned if the target port is NOT LISTENING.</li> <li>2 is returned if the target port is LISTENING or FILTERED.</li></ul>

You can only use this parameter together with the -e parameter. You cannot use this parameter together with the -o parameter or together with the -r parameter. Additionally, you cannot use this parameter together with the -p parameter when you set the value of the -p parameter to Both.

Important When you use the -q parameter together with the -l (log file) parameter, PortQry overwrites an existing log file that has the same name without first prompting you for permission to do so.

Sample batch file :Top portqry -n 169.254.18.22 -e 135 -p tcp -q if errorlevel = 2 goto filtered if errorlevel = 1 goto failed if errorlevel = 0 goto success goto end


 * filtered

Echo Port is listening or filtered goto end


 * failed

Echo Port is not listening Goto end


 * success

Echo Port is listening goto end


 * end </li>

<li>-cn (community name): This parameter is optional. Use this parameter to specify a community string or community name to use when you send an SNMP query. With this parameter, you must enclose the community string with exclamation marks (!). This parameter is ignored if you do not query a port where SNMP is listening.

Examples

'''portqry -n  -p udp -e 161 -l   -cn ! !'''

'''portqry -n  -p both -r 150:170 -sl -cn ! !'''

</li> <li>-sp (source port): This parameter is optional. Use this parameter to specify the initial source port to use when you connect to the specified TCP and UDP ports on the destination computer. This functionality is useful to help you test firewall or router rules that filter ports based on their source ports.

Example

portqry -p udp -e 53 - sp 3001 -n 192.168.1.20

In this example, PortQry uses UDP port 3001 on the local computer to send the query. Replies from this query go to UDP port 3001 on the local computer. PortQry cannot use the specified source port if another process already has bound to the port. In this scenario, PortQry returns the following error message:

Cannot use specified source port.

Port is already in use.

Specify a port that is not in use and run the command again.

PortQry uses the specified source port when it sends the initial query to the destination computer. PortQry also uses this specified source port if it tries to use protocols such as FTP, SMTP, POP, IMAP, DNS, SNMP, ISA Server, and other protocols to query the destination computer. There are only the following exceptions to this rule:

RPC (TCP and UDP ports 135)

LDAP (UDP port 389)

NetBIOS Adapter status query (UDP port 137)

Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500)

In these exceptional cases, PortQry uses the specified source port for its initial query. When it tries to query the destination computer through one of the exceptional protocols, it queries the destination computer through an ephemeral source port. For example, if you specify the source port of 3000 when you query UDP port 389 (LDAP), PortQry uses UDP port 3000 if it is available for the initial UDP datagram that is sent to the LDAP port. When PortQry sends an LDAP query to the LDAP port, PortQry use an ephemeral port instead of the specified source port. (In this example, the specified source port is 3000). When PortQry uses an ephemeral port for specific queries, PortQry sends the following message:

Using ephemeral source port

With ISAKMP/IPSec, the IPSec policy agent may only send responses from queries back to UDP port 500. In this case, it is best for PortQry to use UDP port 500 as the source port for the query. If the IPSec policy agent is running on the computer where PortQry runs, UDP port 500 is unavailable because the policy agent is using the port. In this case, PortQry returns the following message:

Cannot use source port 500, this port is already in use. Remote ISAKMP/IPSec services may only communicate with source port 500.

Temporarily turn off the 'IPSEC Policy Agent' or the 'IPSEC Services' on the system you are running PortQry from and run the command again

example: net stop PolicyAgent

run Portqry to query ISAKMP

net start PolicyAgent

</li></ul>

back to the top

Additional features
PortQry version 2.0 includes the following new features:
 * PortQry interactive mode
 * PortQry local mode

PortQry interactive mode
With PortQry version 1.22, users can query ports from the command line in a command prompt window. When you troubleshoot connectivity issues between computers, you may have to type many repetitive commands. With PortQry version 2.0, you can run commands this way, but PortQry version 2.0 also has an interactive mode. The interactive mode is similar to the interactive functionality in the Nslookup DNS utility or in the Nblookup WINS utility.

To start PortQry in interactive mode, use the –i option. For example, type portqry -i. When you do so, you receive the following output: <pre class="fixed_text">Portqry Interactive Mode

Type 'help' for a list of commands

Default Node: 127.0.0.1

Current option values: end port=   80 protocol=   TCP source port= 0 (ephemeral) > You can use other parameters together with the -i parameter to change the settings that PortQry uses. For example, you type a command that is similar to the following command, and then press ENTER:

portqry -i -e 53 -n  -p both –sp 2030

You receive the following output: <pre class="fixed_text">Portqry Interactive Mode

Type 'help' for a list of commands

Default Node: 192.168.1.20

Current option values: end port=   53 protocol=   BOTH source port= 2300 back to the top

PortQry local mode
The PortQry local mode of operation is designed to give you detailed information about the TCP ports and the UDP ports on the local computer where PortQry runs. PortQry has the following three basic commands available in local mode: <ul> <li> portqry.exe -local When you run this command, PortQry tries to enumerate all the TCP and UDP port mappings that are currently active on the local computer. This output is similar to the output that the netstat.exe -an command generates.

Sample output <pre class="fixed_text">TCP/UDP Port Usage

96 active ports found

Port       Local IP    State        Remote IP:Port TCP 80     0.0.0.0     LISTENING    0.0.0.0:18510 TCP 80     169.254.149.9   TIME WAIT    169.254.74.55:3716 TCP 80     169.254.149.9   TIME WAIT    169.254.200.222:3885 TCP 135    0.0.0.0     LISTENING    0.0.0.0:10280 UDP 135    0.0.0.0              *:* UDP 137    169.254.149.9            *:* UDP 138    169.254.149.9            *:* TCP 139    169.254.149.9   LISTENING    0.0.0.0:43065 TCP 139    169.254.149.9   ESTABLISHED  169.254.4.253:4310 TCP 139    169.254.149.9   ESTABLISHED  169.254.74.55:3714 UDP 161    0.0.0.0              *:* TCP 445    0.0.0.0     LISTENING    0.0.0.0:34836 TCP 445    169.254.149.9   ESTABLISHED  169.254.53.54:4443 TCP 445    169.254.149.9   ESTABLISHED  169.254.112.122:2111 TCP 445    169.254.149.9   ESTABLISHED  169.254.112.199:1188 TCP 445    169.254.149.9   ESTABLISHED  169.254.113.96:1221 TCP 445    169.254.149.9   ESTABLISHED  169.254.200.222:3762 UDP 445    0.0.0.0              *:* UDP 500    169.254.149.9            *:* TCP 593    0.0.0.0     LISTENING    0.0.0.0:59532 UDP 1029   0.0.0.0              *:* TCP 1040   127.0.0.1   LISTENING    0.0.0.0:18638 UDP 1045   0.0.0.0              *:* TCP 1048   127.0.0.1   LISTENING    0.0.0.0:2240 TCP 1053   127.0.0.1   LISTENING    0.0.0.0:26649 TCP 1061   127.0.0.1   LISTENING    0.0.0.0:26874 TCP 1067   127.0.0.1   LISTENING    0.0.0.0:2288 TCP 1068   0.0.0.0     LISTENING    0.0.0.0:2048 TCP 1088   127.0.0.1   LISTENING    0.0.0.0:35004 UDP 1089   0.0.0.0              *:* TCP 1091   127.0.0.1   LISTENING    0.0.0.0:43085 TCP 1092   0.0.0.0     LISTENING    0.0.0.0:2096 TCP 1094   127.0.0.1   LISTENING    0.0.0.0:51268 TCP 1097   127.0.0.1   LISTENING    0.0.0.0:2104 TCP 1098   0.0.0.0     LISTENING    0.0.0.0:43053 TCP 1108   0.0.0.0     LISTENING    0.0.0.0:2160 TCP 1108   169.254.149.9   ESTABLISHED  169.254.12.210:1811 TCP 1117   127.0.0.1   LISTENING    0.0.0.0:26819 TCP 1118   0.0.0.0     LISTENING    0.0.0.0:43121 TCP 1119   0.0.0.0     LISTENING    0.0.0.0:26795 TCP 1121   0.0.0.0     LISTENING    0.0.0.0:26646 UDP 1122   0.0.0.0              *:* TCP 1123   0.0.0.0     LISTENING    0.0.0.0:35013 UDP 1126   0.0.0.0              *:* TCP 1137   127.0.0.1   LISTENING    0.0.0.0:34820 TCP 1138   0.0.0.0     LISTENING    0.0.0.0:26696 TCP 1138   169.254.149.9   CLOSE WAIT   169.254.5.103:80 TCP 1170   127.0.0.1   LISTENING    0.0.0.0:34934 TCP 1179   127.0.0.1   LISTENING    0.0.0.0:59463 TCP 1228   127.0.0.1   LISTENING    0.0.0.0:2128 UDP 1352   0.0.0.0              *:* TCP 1433   0.0.0.0     LISTENING    0.0.0.0:2064 UDP 1434   0.0.0.0              *:* TCP 1670   0.0.0.0     LISTENING    0.0.0.0:2288 TCP 1670   169.254.149.9   ESTABLISHED  169.254.233.87:445 TCP 1686   127.0.0.1   LISTENING    0.0.0.0:51309 UDP 1687   127.0.0.1            *:* TCP 1688   0.0.0.0     LISTENING    0.0.0.0:2135 TCP 1688   169.254.149.9   CLOSE WAIT   169.254.113.87:80 TCP 1689   0.0.0.0     LISTENING    0.0.0.0:51368 TCP 1689   169.254.149.9   CLOSE WAIT   169.254.113.87:80 TCP 1693   169.254.149.9   TIME WAIT    169.254.121.106:445 UDP 1698   0.0.0.0              *:* TCP 1728   127.0.0.1   LISTENING    0.0.0.0:2077 TCP 1766   127.0.0.1   LISTENING    0.0.0.0:35061 TCP 2605   127.0.0.1   LISTENING    0.0.0.0:2069 TCP 3302   127.0.0.1   LISTENING    0.0.0.0:2048 TCP 3372   0.0.0.0     LISTENING    0.0.0.0:18612 TCP 3389   0.0.0.0     LISTENING    0.0.0.0:18542 TCP 3389   169.254.149.9   ESTABLISHED  169.254.112.67:2796 TCP 3389   169.254.149.9   ESTABLISHED  169.254.113.96:4603 TCP 3389   169.254.149.9   ESTABLISHED  169.254.201.100:3917 UDP 3456   0.0.0.0              *:* TCP 3970   0.0.0.0     LISTENING    0.0.0.0:35012 TCP 3970   169.254.149.9   CLOSE WAIT   169.254.5.138:80 TCP 3972   0.0.0.0     LISTENING    0.0.0.0:51245 TCP 3972   169.254.149.9   CLOSE WAIT   169.254.5.138:80 TCP 4166   127.0.0.1   LISTENING    0.0.0.0:2208 UDP 4447   0.0.0.0              *:* TCP 4488   127.0.0.1   LISTENING    0.0.0.0:10358 UDP 4500   169.254.149.9            *:* TCP 4541   127.0.0.1   LISTENING    0.0.0.0:10442 TCP 4562   0.0.0.0     LISTENING    0.0.0.0:2192 TCP 4562   169.254.149.9   ESTABLISHED  169.254.0.40:1025 UDP 4563   0.0.0.0              *:* UDP 4564   0.0.0.0              *:* TCP 4566   0.0.0.0     LISTENING    0.0.0.0:51257 TCP 4566   169.254.149.9   ESTABLISHED  169.254.12.18:1492 TCP 4568   127.0.0.1   LISTENING    0.0.0.0:26665 TCP 4569   0.0.0.0     LISTENING    0.0.0.0:43186 TCP 4569   169.254.149.9   CLOSE WAIT   169.254.4.38:80 TCP 4756   0.0.0.0     LISTENING    0.0.0.0:51268 UDP 4758   0.0.0.0              *:* TCP 8953   0.0.0.0     LISTENING    0.0.0.0:26667 TCP 42510  0.0.0.0     LISTENING    0.0.0.0:51323 UDP 43508  169.254.149.9            *:*

Port Statistics

TCP mappings: 74 UDP mappings: 22

TCP ports in a LISTENING state:    51 = 68.92% TCP ports in a ESTABLISHED state:  14 = 18.92% TCP ports in a CLOSE WAIT state:   6 = 8.11% TCP ports in a TIME WAIT state:    3 = 4.05% On computers that support Process ID (PID) to port mappings, the output includes the process ID of the process that is using the port on the local computer. If the verbose option is used (-v), the output also includes the names of the services that the process ID belongs to and lists all the modules that the process has loaded. Access to some information is restricted. For example, access to module information for the Idle and CSRSS processes is prohibited because their access restrictions prevent user-level code from opening them. PortQry reports as much information as it can access for each process. For best results, run the Portqry -local command in the context of the local Administrator or an account that has similar credentials. The following example log file excerpt illustrates the level of reporting that you may receive when you run the Portqry -local command: <pre class="fixed_text">TCP/UDP Port to Process Mappings

55 mappings found

PID:Process    Port        Local IP    State        Remote IP:Port 0:System Idle      TCP 4442    169.254.113.96  TIME WAIT    169.254.5.136:80 0:System Idle      TCP 4456    169.254.113.96  TIME WAIT    169.254.5.44:445 4:System       TCP 445     0.0.0.0     LISTENING    0.0.0.0:2160 4:System       TCP 139     169.254.113.96  LISTENING    0.0.0.0:24793 4:System       TCP 1475    169.254.113.96  ESTABLISHED  169.254.8.176:445 4:System       UDP 445     0.0.0.0              *:* 4:System       UDP 137     169.254.113.96           *:* 4:System       UDP 138     169.254.113.96           *:* 424:winlogon.exe   TCP 1200    169.254.113.96  CLOSE WAIT   169.254.5.44:389 424:winlogon.exe   UDP 1100    0.0.0.0              *:* 484:lsass.exe      TCP 1064    0.0.0.0     LISTENING    0.0.0.0:2064 484:lsass.exe      UDP 500     0.0.0.0              *:* 484:lsass.exe      UDP 1031    0.0.0.0              *:* 484:lsass.exe      UDP 4500    0.0.0.0              *:* 668:svchost.exe    TCP 135     0.0.0.0     LISTENING    0.0.0.0:16532 728:svchost.exe    TCP 3389    0.0.0.0     LISTENING    0.0.0.0:45088 800        UDP 1026    0.0.0.0              *:* 800        UDP 1027    0.0.0.0              *:* 836:svchost.exe    TCP 1025    0.0.0.0     LISTENING    0.0.0.0:43214 836:svchost.exe    TCP 1559    169.254.113.96  CLOSE WAIT   169.254.5.44:389 836:svchost.exe    UDP 1558    0.0.0.0              *:* 836:svchost.exe    UDP 123     127.0.0.1            *:* 836:svchost.exe    UDP 3373    127.0.0.1            *:* 836:svchost.exe    UDP 123     169.254.113.96           *:* 1136:mstsc.exe     TCP 2347    169.254.113.96  ESTABLISHED  172.30.137.221:3389 1136:mstsc.exe     UDP 2348    0.0.0.0              *:* 1276:dns.exe       TCP 53      0.0.0.0     LISTENING    0.0.0.0:2160 1276:dns.exe       TCP 1087    0.0.0.0     LISTENING    0.0.0.0:37074 1276:dns.exe       UDP 1086    0.0.0.0              *:* 1276:dns.exe       UDP 2126    0.0.0.0              *:* 1276:dns.exe       UDP 53      127.0.0.1            *:* 1276:dns.exe       UDP 1085    127.0.0.1            *:* 1276:dns.exe       UDP 53      169.254.113.96           *:* 1328:InoRpc.exe    TCP 42510   0.0.0.0     LISTENING    0.0.0.0:220 1328:InoRpc.exe    UDP 43508   169.254.113.96           *:* 1552:CcmExec.exe   UDP 1114    0.0.0.0              *:* 1896:WINWORD.EXE   TCP 3807    169.254.113.96  CLOSE WAIT   169.254.237.37:3268 1896:WINWORD.EXE   UDP 3806    0.0.0.0              *:* 1896:WINWORD.EXE   UDP 1510    127.0.0.1            *:* 2148:IEXPLORE.EXE  TCP 4446    169.254.113.96  ESTABLISHED  169.254.113.92:80 2148:IEXPLORE.EXE  UDP 4138    127.0.0.1            *:* 3200:program.exe   TCP 1906    169.254.113.96  ESTABLISHED  169.254.0.40:1025 3200:program.exe   TCP 4398    169.254.113.96  ESTABLISHED  169.254.209.96:1433 3200:program.exe   TCP 4438    169.254.113.96  ESTABLISHED  169.254.209.96:1433 3592:OUTLOOK.EXE   TCP 1256    169.254.113.96  ESTABLISHED  169.254.1.105:1025 3592:OUTLOOK.EXE   TCP 2214    169.254.113.96  CLOSE WAIT   169.254.237.37:3268 3592:OUTLOOK.EXE   TCP 2971    169.254.113.96  ESTABLISHED  169.254.5.216:1434 3592:OUTLOOK.EXE   TCP 4439    169.254.113.96  ESTABLISHED  169.254.47.242:1788 3592:OUTLOOK.EXE   UDP 1307    0.0.0.0              *:* 3592:OUTLOOK.EXE   UDP 1553    0.0.0.0              *:* 3660:IEXPLORE.EXE  TCP 4452    169.254.113.96  ESTABLISHED  169.254.9.74:80 3660:IEXPLORE.EXE  TCP 4453    169.254.113.96  ESTABLISHED  169.254.9.74:80 3660:IEXPLORE.EXE  TCP 4454    169.254.113.96  ESTABLISHED  169.254.230.88:80 3660:IEXPLORE.EXE  UDP 4451    127.0.0.1            *:* 4048:program2.exe      UDP 3689    127.0.0.1            *:*

Port Statistics

TCP mappings: 27 UDP mappings: 28

TCP ports in a LISTENING state:    9 = 33.33% TCP ports in a ESTABLISHED state:  12 = 44.44% TCP ports in a CLOSE WAIT state:   4 = 14.81% TCP ports in a TIME WAIT state:    2 = 7.41%

Port and Module Information by Process

Note: restrictions applied to some processes may prevent Portqry from accessing more information

For best results run Portqry in the context of     the local administrator

=
========================================= Process ID: 0 (System Idle Process)

PID Port       Local IP    State        Remote IP:Port 0  TCP 4442    169.254.113.96  TIME WAIT    169.254.5.136:80 0  TCP 4456    169.254.113.96  TIME WAIT    169.254.5.44:445

Port Statistics

TCP mappings: 2 UDP mappings: 0

TCP ports in a TIME WAIT state:    2 = 100.00%

Could not access module information for this process

=
=========================================

Process ID: 4 (System Process)

PID Port       Local IP    State        Remote IP:Port 4  TCP 445     0.0.0.0     LISTENING    0.0.0.0:2160 4  TCP 139     169.254.113.96  LISTENING    0.0.0.0:24793 4  TCP 1475    169.254.113.96  ESTABLISHED  169.254.8.176:445 4  UDP 445     0.0.0.0              *:* 4  UDP 137     169.254.113.96           *:* 4  UDP 138     169.254.113.96           *:*

Port Statistics

TCP mappings: 3 UDP mappings: 3

TCP ports in a LISTENING state:    2 = 66.67% TCP ports in a ESTABLISHED state:  1 = 33.33%

Could not access module information for this process

=
=========================================

Process ID: 352 (smss.exe)

Process doesn't appear to be a service

Port Statistics

TCP mappings: 0 UDP mappings: 0

Loaded modules: \SystemRoot\System32\smss.exe (0x48580000)

C:\WINDOWS\system32\ntdll.dll (0x77F40000)

=
=========================================

Process ID: 484 (lsass.exe)

Service Name: Netlogon Display Name: Net Logon Service Type: shares a process with other services

Service Name: PolicyAgent Display Name: IPSEC Services Service Type: shares a process with other services

Service Name: ProtectedStorage Display Name: Protected Storage

Service Name: SamSs Display Name: Security Accounts Manager Service Type: shares a process with other services

PID Port       Local IP    State        Remote IP:Port 484 TCP 1064   0.0.0.0     LISTENING    0.0.0.0:2064 484 UDP 500    0.0.0.0              *:* 484 UDP 1031   0.0.0.0              *:* 484 UDP 4500   0.0.0.0              *:*

Port Statistics

TCP mappings: 1 UDP mappings: 3

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: C:\WINDOWS\system32\lsass.exe (0x01000000)

C:\WINDOWS\system32\ntdll.dll (0x77F40000) C:\WINDOWS\system32\kernel32.dll (0x77E40000) C:\WINDOWS\system32\ADVAPI32.dll (0x77DA0000) C:\WINDOWS\system32\RPCRT4.dll (0x77C50000) C:\WINDOWS\system32\LSASRV.dll (0x742C0000) C:\WINDOWS\system32\msvcrt.dll (0x77BA0000) C:\WINDOWS\system32\Secur32.dll (0x76F50000) C:\WINDOWS\system32\USER32.dll (0x77D00000) C:\WINDOWS\system32\GDI32.dll (0x77C00000) C:\WINDOWS\system32\SAMSRV.dll (0x741D0000) C:\WINDOWS\system32\cryptdll.dll (0x766E0000) C:\WINDOWS\system32\DNSAPI.dll (0x76ED0000) C:\WINDOWS\system32\WS2_32.dll (0x71C00000) C:\WINDOWS\system32\WS2HELP.dll (0x71BF0000) C:\WINDOWS\system32\MSASN1.dll (0x76190000) C:\WINDOWS\system32\NETAPI32.dll (0x71C40000) C:\WINDOWS\system32\SAMLIB.dll (0x5CCF0000) C:\WINDOWS\system32\MPR.dll (0x71BD0000) C:\WINDOWS\system32\NTDSAPI.dll (0x766F0000) C:\WINDOWS\system32\WLDAP32.dll (0x76F10000) C:\WINDOWS\system32\IMM32.DLL (0x76290000) C:\WINDOWS\system32\LPK.DLL (0x62D80000)

=
=========================================

Process ID: 668 (svchost.exe)

Service Name: RpcSs Display Name: Remote Procedure Call (RPC) Service Type: shares a process with other services

PID Port       Local IP    State        Remote IP:Port 668 TCP 135    0.0.0.0     LISTENING    0.0.0.0:16532

Port Statistics

TCP mappings: 1 UDP mappings: 0

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: C:\WINDOWS\system32\svchost.exe (0x01000000)

C:\WINDOWS\system32\ntdll.dll (0x77F40000) C:\WINDOWS\system32\kernel32.dll (0x77E40000) C:\WINDOWS\system32\ADVAPI32.dll (0x77DA0000) C:\WINDOWS\system32\RPCRT4.dll (0x77C50000) c:\windows\system32\rpcss.dll (0x75700000) C:\WINDOWS\system32\msvcrt.dll (0x77BA0000) c:\windows\system32\WS2_32.dll (0x71C00000) c:\windows\system32\WS2HELP.dll (0x71BF0000) C:\WINDOWS\system32\USER32.dll (0x77D00000) C:\WINDOWS\system32\GDI32.dll (0x77C00000) c:\windows\system32\Secur32.dll (0x76F50000) C:\WINDOWS\system32\IMM32.DLL (0x76290000) C:\WINDOWS\system32\LPK.DLL (0x62D80000) C:\WINDOWS\system32\USP10.dll (0x73010000) C:\WINDOWS\system32\mswsock.dll (0x71B20000) C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000) C:\WINDOWS\system32\iphlpapi.dll (0x76CF0000) C:\WINDOWS\System32\wshqos.dll (0x57B60000) C:\WINDOWS\system32\wshtcpip.dll (0x71AE0000) C:\WINDOWS\system32\CLBCatQ.DLL (0x76F90000) C:\WINDOWS\system32\OLEAUT32.dll (0x770E0000) C:\WINDOWS\system32\ole32.dll (0x77160000) C:\WINDOWS\system32\COMRes.dll (0x77010000) C:\WINDOWS\system32\VERSION.dll (0x77B90000) C:\WINDOWS\system32\msi.dll (0x76300000) C:\WINDOWS\system32\WTSAPI32.dll (0x76F00000) C:\WINDOWS\system32\WINSTA.dll (0x76260000) C:\WINDOWS\system32\NETAPI32.dll (0x71C40000) C:\WINDOWS\system32\USERENV.dll (0x75970000)

=
=========================================

=
end of log file ========= You can use this information to determine which ports are associated with a particular program or service that is running on the computer. In some cases, Portqry may report that the System Idle process (PID 0) is using some TCP ports. This behavior may occur if a local program connects to a TCP port, and then stops. The program’s TCP connection to the port may be left in a &quot;Timed Wait&quot; state even though the program is no longer running. In this case, Portqry may detect that the port is in use. However, Portqry cannot identify the program that is using the port because the program has stopped. The PID was released. The port may be in a &quot;Timed Wait&quot; state for several minutes even though the process that was using the port has stopped. By default, the port remains in a &quot;Timed Wait&quot; state for twice as long as the maximum segment lifetime. </li> <li>portqry.exe -wport  (watch port): With the watch port command, PortQry can watch the specified port for changes. These changes may include an increase or decrease in the number of connections to the port or a change in the connection state of any one of the existing connections. For example, you type the following command, and then press ENTER:

portqry -wport 53

As a result, PortQry watches TCP and UDP port 53. PortQry reports when any new TCP connections are made to this port. PortQry also reports one or more of the following state changes for the specified TCP port:

CLOSE_WAIT

CLOSED

ESTABLISHED

FIN_WAIT_1

LAST_ACK

LISTEN

SYN_RECEIVED

SYN_SEND

TIMED_WAIT

For example, if a connection's state changes from ESTABLISHED to CLOSE_WAIT, a change in state has occurred. When the port's state changes, PortQry displays the port's connection table. Portqry reports if a program is bound to the UDP port, but it does not report if the UDP port receives datagrams.

Optional parameters <ul> <li>-v (verbose): For additional state information, include the -v parameter in the PortQry command-line. When you use this parameter, PortQry also displays the modules that are using the ports. For example, type portqry.exe -wport 135 -v .</li> <li>-wt (watch time): By default, PortQry checks for changes in the specified port's connection table one time every 60 seconds. To configure this interval, use the -wt parameter. For example, you type the following command, and then press ENTER:

portqry.exe -wport 135 -v -wt 2

As a result, PortQry checks TCP port 135 and UDP port 135 for changes every 2 seconds. You can specify a time interval from 1 to 1200 (inclusive). With this parameter, you can to watch for changes from every 1 second up to one time every 20 minutes.</li> <li> -l (log file): To log the output from the watch port command, use the -l parameter. For example, you type the following command, and then press ENTER:

portqry.exe -wport 2203 -v -wt 30 -l test.txt

As a result, a log file that is similar to the following log file is generated: <pre class="fixed_text">Portqry Version 2.0 Log File

System Date: Sat Oct 04 08:54:06 2003

Command run: portqry -wport 135 -v -l test.txt

Local computer name:

host123

Watching port: 135

Checking for changes every 60 seconds

verbose output requested

=
System Date: Sat Oct 04 08:54:07 2003

=
=========================================

Process ID: 952 (svchost.exe)

Service Name: RpcSs Display Name: Remote Procedure Call (RPC) Service Type: shares a process with other services

PID Port       Local IP    State        Remote IP:Port 952 TCP 135    0.0.0.0     LISTENING    0.0.0.0:45198 952 UDP 135    0.0.0.0              *:*

Port Statistics

TCP mappings: 1 UDP mappings: 1

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: D:\WINDOWS\system32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) d:\windows\system32\rpcss.dll (0x75850000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\userenv.dll (0x75A70000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000)

=
System Date: Sat Oct 04 08:56:08 2003

=
=========================================

Process ID: 952 (svchost.exe)

Service Name: RpcSs Display Name: Remote Procedure Call (RPC) Service Type: shares a process with other services

PID Port       Local IP    State        Remote IP:Port 952 TCP 135    0.0.0.0     LISTENING    0.0.0.0:45198 952 UDP 135    0.0.0.0              *:* 952 UDP 135    0.0.0.0              *:*

Port Statistics

TCP mappings: 1 UDP mappings: 2

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: D:\WINDOWS\system32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) d:\windows\system32\rpcss.dll (0x75850000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\userenv.dll (0x75A70000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000)

=
escape key pressed: stopped watching port 135 System Date: Sat Oct 04 09:09:12 2003

=
end of log file ========= </li></ul> </li> <li>portqry.exe -wpid  (watch PID): With the watch PID command, PortQry watches the specified process ID (PID) for changes. These changes may include an increase or a decrease in the number of connections to the port or a change in the connection state of any one of the existing connections. This command supports the same optional parameters as the watch port command. For example, you type the following command, and then press ENTER:

portqry.exe -wpid 1276 -wt 2 -v -l

As a result, a log file that is similar to the following log file is generated:

<pre class="fixed_text">PortQry Version 2.0 Log File

System Date: Tue Oct 07 14:01:13 2003

Command run: portqry -wpid 1276 -wt 2 -v -l pid.txt

Local computer name:

host123

Watching PID: 1276

Checking for changes every 2 seconds

verbose output requested

Service Name: DNS Display Name: DNS Server Service Type: runs in its own process

=
System Date: Tue Oct 07 14:01:14 2003

=
=========================================

Process ID: 1276 (dns.exe)

Service Name: DNS Display Name: DNS Server Service Type: runs in its own process

PID Port       Local IP    State        Remote IP:Port 1276   TCP 53      0.0.0.0     LISTENING    0.0.0.0:2160 1276   TCP 1087    0.0.0.0     LISTENING    0.0.0.0:37074 1276   UDP 1086    0.0.0.0              *:* 1276   UDP 2126    0.0.0.0              *:* 1276   UDP 53      127.0.0.1            *:* 1276   UDP 1085    127.0.0.1            *:* 1276   UDP 53      169.254.11.96            *:*

Port Statistics

TCP mappings: 2 UDP mappings: 5

TCP ports in a LISTENING state:    2 = 100.00%

Loaded modules: C:\WINDOWS\System32\dns.exe (0x01000000)

C:\WINDOWS\system32\ntdll.dll (0x77F40000) C:\WINDOWS\system32\kernel32.dll (0x77E40000) C:\WINDOWS\system32\msvcrt.dll (0x77BA0000) C:\WINDOWS\system32\ADVAPI32.dll (0x77DA0000) C:\WINDOWS\system32\RPCRT4.dll (0x77C50000) C:\WINDOWS\System32\WS2_32.dll (0x71C00000) C:\WINDOWS\System32\WS2HELP.dll (0x71BF0000) C:\WINDOWS\system32\USER32.dll (0x77D00000) C:\WINDOWS\system32\GDI32.dll (0x77C00000) C:\WINDOWS\System32\NETAPI32.dll (0x71C40000) C:\WINDOWS\system32\WLDAP32.dll (0x76F10000) C:\WINDOWS\System32\DNSAPI.dll (0x76ED0000) C:\WINDOWS\System32\NTDSAPI.dll (0x766F0000) C:\WINDOWS\System32\Secur32.dll (0x76F50000) C:\WINDOWS\system32\SHLWAPI.dll (0x77290000) C:\WINDOWS\System32\iphlpapi.dll (0x76CF0000) C:\WINDOWS\System32\MPRAPI.dll (0x76CD0000) C:\WINDOWS\System32\ACTIVEDS.dll (0x76DF0000) C:\WINDOWS\System32\adsldpc.dll (0x76DC0000) C:\WINDOWS\System32\credui.dll (0x76B80000) C:\WINDOWS\system32\SHELL32.dll (0x77380000) C:\WINDOWS\System32\ATL.DLL (0x76A80000) C:\WINDOWS\system32\ole32.dll (0x77160000) C:\WINDOWS\system32\OLEAUT32.dll (0x770E0000) C:\WINDOWS\System32\rtutils.dll (0x76E30000) C:\WINDOWS\System32\SAMLIB.dll (0x5CCF0000) C:\WINDOWS\System32\SETUPAPI.dll (0x765A0000) C:\WINDOWS\system32\IMM32.DLL (0x76290000) C:\WINDOWS\System32\LPK.DLL (0x62D80000) C:\WINDOWS\System32\USP10.dll (0x73010000) C:\WINDOWS\System32\netman.dll (0x76D80000) C:\WINDOWS\System32\RASAPI32.dll (0x76E90000) C:\WINDOWS\System32\rasman.dll (0x76E40000) C:\WINDOWS\System32\TAPI32.dll (0x76E60000) C:\WINDOWS\System32\WINMM.dll (0x76AA0000) C:\WINDOWS\system32\CRYPT32.dll (0x761B0000) C:\WINDOWS\system32\MSASN1.dll (0x76190000) C:\WINDOWS\System32\WZCSvc.DLL (0x76D30000) C:\WINDOWS\System32\WMI.dll (0x76CC0000) C:\WINDOWS\System32\DHCPCSVC.DLL (0x76D10000) C:\WINDOWS\System32\WTSAPI32.dll (0x76F00000) C:\WINDOWS\System32\WINSTA.dll (0x76260000) C:\WINDOWS\System32\ESENT.dll (0x69750000) C:\WINDOWS\System32\WZCSAPI.DLL (0x730A0000) C:\WINDOWS\system32\mswsock.dll (0x71B20000) C:\WINDOWS\System32\wshtcpip.dll (0x71AE0000) C:\WINDOWS\System32\winrnr.dll (0x76F70000) C:\WINDOWS\System32\rasadhlp.dll (0x76F80000) C:\WINDOWS\system32\kerberos.dll (0x71CA0000) C:\WINDOWS\System32\cryptdll.dll (0x766E0000) C:\WINDOWS\system32\msv1_0.dll (0x76C90000) C:\WINDOWS\System32\security.dll (0x71F60000)

escape key pressed: stopped watching PID 1276 System Date: Tue Oct 07 14:01:16 2003

=
end of log file =========

With the -wport command, you can watch a single port for changes, whereas with the -wpid command, you can watch all the ports that the specified PID is using for changes. A process may be using many ports, and PortQry watches all of them for changes.

Important When you use either the -wport command or the -wpid command together with the logging parameter (-l), you must press the ESC key to stop PortQry for PortQry to correctly close the log file and exit. If you press CTRL+C to stop PortQry instead of ESC, the log file does not close correctly. In this scenario, the log file may be empty or corrupted.</li></ul>

back to the top

<div class="references_section">