The TCPVCon feature allows the user to collect process-to-port mapping data used for dependency mapping on Windows 2000, XP & 2003 endpoints. These legacy systems lack modern commands/options (i.e. netstat -o) required to support this dependency mapping generation. This Enabling option can be configured on a Scan-job so that
- either an alternative command is located on the target and run
- or a new command executable file is deployed to the target and run
Currently applicable to O/S: Only Windows targets.
Usage
Navigate to the Scan Job you wish to enable Scanning on.
Open the contextual menu via the ellipsis button and select “Configure Job”.
Select the tab “Scan Details”.
From the Enablings drop-down options select “TCPVCON”.
Press the “Update” button to persist the new Scan Job configuration.
Run the updated Scan Job as normal to collect process-to-port mapping for legacy Windows Targets in the generated scope.
Output
A successful scan of legacy Targets should now present appropriate dependency maps.
How It Works
To discover TCP/UDP connections and get the process mapping, a recent version of the netstat command supporting the "-o" argument has to be present on the Windows computer system. On Windows 2000 and the early versions of Windows 2003/XP, netstat does not support the "-o" argument.
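What the "-o" argument contributes is the PID column, which is what ties a port to a process. The following is an added example, not CAM's own code: it parses a constructed sample in the `netstat -ano` layout into process-to-port rows and returns None when the PID column is missing, which is the legacy case described above. The function names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `netstat -ano` on Windows.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:1433          10.0.0.9:49212         ESTABLISHED     1620
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    696
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so bracketed IPv6 survives."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return connection rows, or None when no PID column is present
    (netstat without -o support), the case that needs a fallback tool."""
    lines = text.splitlines()
    if not any(re.match(r"\s*Proto\b.*\bPID\s*$", l) for l in lines):
        return None
    rows = []
    for line in lines:
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        # UDP rows have no State column: proto, local, remote, pid.
        state = f[3] if len(f) == 5 else ""
        lhost, lport = split_endpoint(f[1])
        rhost, rport = split_endpoint(f[2])
        rows.append({"proto": f[0], "local": (lhost, lport),
                     "remote": (rhost, rport), "state": state,
                     "pid": int(f[-1])})
    return rows

def listeners_by_pid(rows):
    """Map PID -> sorted (proto, port) pairs the process is serving on."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            out[r["pid"]].add((r["proto"], r["local"][1]))
    return {pid: sorted(v) for pid, v in out.items()}
```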
The following alternative approach can be configured within the CAM appliance server to facilitate these situations.
- CAM will always check if the netstat command available supports the "-o" argument.
- Alternatively, CAM will check for the availability of the tcpvcon command version 2.34.
- Where this is not available (or if the version is higher than 2.34) and the TCPVCON option has been enabled on the scan job, the following additional strategies will be used to gather the information:
  - check for the existence of tcpvcon 2.34 in the Windows temp directory
  - copy tcpvcon 2.34 to the Windows temp directory, if not already available
  - execute the command from this temp directory and gather the process output.
TCPVCON command
TCPVCon is the command-line version of TCPView. The tcpvcon command is an alternative to netstat and is used to get the TCP/UDP connections and the process mapping. It was developed by Sysinternals and was acquired by Microsoft in July 2006. Like netstat, TCPVCon simply displays connected TCP endpoints when you run it without specifying any command-line arguments, or it displays all endpoints when you include the -a option.