[Vol-users] netscan plugin question

Lou LaRocca louislarocca at gmail.com
Thu May 16 11:57:43 CDT 2013


Greetings

I am looking at Win 7 x86 SP1 memory and I don't understand why I am seeing
"established connections" but no PID or Process with it.

0x2d07480  TCPv4    10.22.41.40:58767              38.126.225.229:43405 ESTABLISHED      -------- --------------
0x1367da70 TCPv4    10.22.41.40:59302              151.213.50.211:22031 ESTABLISHED      -------- --------------


In addition I am seeing stuff "listening" and it contains the PID and
Process.

0xdb838178 TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        996      svchost.exe
0xdb850ab0 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe
0xdb855e78 TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        1440     spoolsv.exe

So my question is why can I see the listening processes but I'm not getting
the processes that are established?

Thanks for the help

Lou