Can you ever have enough tools to assist with troubleshooting and forensic analysis? Probably not, and that's a good reason to add the new tool, Port Reporter, into your toolkit. Port Reporter is a free tool offering from Microsoft that logs TCP and UDP port activity to a text file.
Port Reporter can track activity in a fair amount of detail, cross referencing port activity to the actual application using the port along with its process ID (PID).
Port Reporter creates three log files: an initialization log, a ports log, and a PID log. The initialization log provides a list of ports, processes, and loaded service modules that are active at the time Port Reporter starts.
The ports log is updated as port activity occurs on a system. The log typically includes a date stamp, protocol type (TCP or UDP), a source port and source IP address, a destination port and address, the application that initiated the port activity, and user account (security context) the application is operating under.
The PID log shows more detail about a given application conducting network activity. Records include the process ID number, application file name, security context, a summary of ports used along with their state, and a list of all DLLs loaded by the application.
Port Reporter runs as a service on Windows Server 2003, Windows XP, and Windows 2000 systems. You can learn more about the tool and view sample log files in Microsoft's article, 837243, on the company's support Web site where you'll also find a link to download the new tool.