Comparing Open Network Sockets


As an example, the FTP client FileZilla was used to create a local FTP server. Then, a computer on the same network attempted to connect to the server. A snapshot was taken on the host computer once the server was up and running, but before any connections were made to the server. Another snapshot was taken after the remote computer on the network attempted to connect to it. Lastly, a snapshot was taken on the remote computer to show the outgoing connection to the server.



Using the Compare tool on the host computer's snapshots from before and after the remote computer attempted to connect to the server, it is easy to see the sockets (highlighted in red) that FileZilla created. The host computer has the source IP and was communicating through port 21, which is used for FTP traffic. The destination IP was that of the remote computer, through port 49666, a random, unassigned port (an ephemeral port chosen by the client for this connection).



Comparing this to the snapshot taken on the remote computer, everything matches up: the remote computer shows the same connection from the other side. It looks like FileZilla opened only one socket for its use, which is consistent with the one server it is connected to. While FileZilla is a program known to be safe, the same comparison could be made on less reputable software using WindowsSCOPE.
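The three-step comparison above (diff the host's before/after socket lists, then confirm each new socket has a mirror-image entry on the remote computer) can be scripted against any netstat-style export. The following is an added example, not WindowsSCOPE's or FileZilla's code: the snapshot text, IP addresses (from the 192.0.2.0/24 documentation range), PIDs and process names are all constructed placeholders, and the record layout `proto local remote state pid process` is an assumption made for this script.

```python
"""Diff socket snapshots and cross-check a new connection against the peer.

Added example, not part of WindowsSCOPE. Snapshot lines are constructed,
netstat-style records (proto local remote state pid process); IPs, PIDs and
process names are placeholders.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Windows allocates client-side (dynamic) ports from 49152-65535 by default.
EPHEMERAL_RANGE = range(49152, 65536)


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str    # "ip:port"
    remote: str   # "ip:port", or "*:*" for a listening socket
    state: str
    pid: int
    process: str


def parse_snapshot(text: str) -> Set[Socket]:
    """Parse one record per line; blank lines and '#' comments are skipped."""
    sockets: Set[Socket] = set()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, local, remote, state, pid, process = line.split()
        sockets.add(Socket(proto, local, remote, state, int(pid), process))
    return sockets


def diff_snapshots(before: Set[Socket], after: Set[Socket]) -> Tuple[Set[Socket], Set[Socket]]:
    """Return (sockets that appeared, sockets that disappeared) between snapshots."""
    return after - before, before - after


def port_of(addr: str) -> int:
    """Extract the port from an 'ip:port' string."""
    return int(addr.rsplit(":", 1)[1])


def is_ephemeral_port(addr: str) -> bool:
    """True when the port sits in the Windows dynamic (client) port range."""
    return port_of(addr) in EPHEMERAL_RANGE


def cross_check(host_sockets: Set[Socket], peer_sockets: Set[Socket]) -> List[Tuple[Socket, Socket]]:
    """Pair each established host socket with its mirror image on the peer.

    A connection seen as local=A remote=B on one machine must appear as
    local=B remote=A on the other; listeners ('*:*') cannot be mirrored.
    """
    pairs = []
    for h in host_sockets:
        if h.remote == "*:*":
            continue
        for p in peer_sockets:
            if p.proto == h.proto and p.local == h.remote and p.remote == h.local:
                pairs.append((h, p))
    return pairs


def describe(sock: Socket) -> str:
    """One-line, human-readable summary of a socket record."""
    side = "client ephemeral port" if is_ephemeral_port(sock.remote) else "service port"
    return (f"[{sock.state}] {sock.process} (pid {sock.pid}): "
            f"{sock.local} -> {sock.remote} ({side} {port_of(sock.remote)})")


# Constructed snapshots mirroring the FTP scenario: server listening, then
# one client connection from the remote computer on ephemeral port 49666.
HOST_BEFORE = """
tcp 0.0.0.0:21   *:*  LISTEN  4120 filezilla-server.exe
tcp 0.0.0.0:445  *:*  LISTEN  4    System
"""
HOST_AFTER = HOST_BEFORE + """
tcp 192.0.2.10:21 192.0.2.20:49666 ESTABLISHED 4120 filezilla-server.exe
"""
REMOTE_AFTER = """
tcp 192.0.2.20:49666 192.0.2.10:21 ESTABLISHED 2288 filezilla.exe
tcp 0.0.0.0:445      *:*           LISTEN      4    System
"""


def report() -> List[Tuple[Socket, Socket]]:
    """Run the comparison end to end and return the matched connection pairs."""
    added, removed = diff_snapshots(parse_snapshot(HOST_BEFORE), parse_snapshot(HOST_AFTER))
    for s in sorted(added, key=lambda x: (x.process, x.local)):
        print("NEW    ", describe(s))
    for s in removed:
        print("CLOSED ", describe(s))
    pairs = cross_check(added, parse_snapshot(REMOTE_AFTER))
    for h, p in pairs:
        print(f"MATCH   {h.process} on host <-> {p.process} (pid {p.pid}) on remote")
    return pairs


if __name__ == "__main__":
    report()
```

A new socket that shows up in the host diff but has no mirror entry on the machine it claims to be talking to is exactly the kind of discrepancy worth a closer look when the program under review is less trusted than FileZilla.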