TCPHound is a Win32 utility that audits and logs TCP connections, tracking how long each connection stays open and resolving which organization owns each remote IP address.
Win32 utility for auditing TCP connections
TCPHound is used by network security professionals and threat hunters to monitor and audit TCP connections on Windows systems. It flags suspicious activity by recording how long each connection lasts and mapping each connection to the process that owns it. Its log supports retrospective analysis, and it complements packet-capture tools such as Wireshark by narrowing the set of suspicious remote IPs before deeper packet inspection.
TCPHound is distributed as-is without warranty and should be used at your own risk. It complements packet-capture tools like Wireshark by focusing on connection metadata and process mapping rather than raw packet data. Users should be aware that the AS resolution API is self-hosted: resolving an IP makes an outbound query of its own, which TCPHound will also record in its logs. Because that query sends the looked-up address to the API, resolution is triggered manually per connection rather than automatically, so internal IP addresses are not disclosed unless the user chooses to resolve them.
Download the executable TCPHound v1.5 from https://limbenjamin.com/files/TCPHound/TCPHound_v1.5.exe
Run the downloaded executable on a Windows system (Win32 compatible)
No additional installation steps or dependencies are specified
Start the TCPHound executable
Launches the utility to begin auditing TCP connections and logging data
Right-click on a connection entry and select 'Resolve IP'
Manually triggers the AS info query to resolve the organization owning the IP address
Use the clear display and clear closed connections buttons
Clears the whole current view, or removes only the closed connections from the display while keeping active ones
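The following Python script is an added example, not TCPHound's own code (which is not published on this page), of the audit logic described above: it polls ESTABLISHED TCP connections, keys each on (local address, remote address, owning PID), records first and last sighting, emits a CSV log line with the duration once a connection disappears, and flags long-lived connections for follow-up in a packet capture. Resolution of the remote IP owner is a separate, explicitly invoked step that refuses non-global addresses, mirroring the manual-resolution caveat. Assumptions: psutil (optional) supplies live snapshots, and the AS lookup is a caller-supplied callable, since the page does not document TCPHound's API endpoint; the connections used in the usage below are constructed.

```python
"""Connection-duration audit in the style the page describes (added example,
not TCPHound's own code): poll ESTABLISHED TCP connections, track first/last
sighting per (local, remote, pid), log duration on close, resolve on request."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ConnKey:
    laddr: str
    lport: int
    raddr: str
    rport: int
    pid: int


@dataclass
class ConnRecord:
    key: ConnKey
    process: str                        # image name of the owning process
    first_seen: float                   # time of the poll that first saw it
    last_seen: float                    # time of the latest poll that saw it
    closed_at: Optional[float] = None   # time of the poll that found it gone

    @property
    def duration(self) -> float:
        # Accurate to one poll interval: it closed between last_seen and closed_at.
        end = self.closed_at if self.closed_at is not None else self.last_seen
        return end - self.first_seen


def log_line(r: ConnRecord) -> str:
    """One CSV row per closed connection, for retrospective review."""
    return (f"{r.key.laddr}:{r.key.lport},{r.key.raddr}:{r.key.rport},"
            f"{r.key.pid},{r.process},{r.first_seen:.0f},{r.closed_at:.0f},"
            f"{r.duration:.0f}")


class ConnectionTracker:
    def __init__(self) -> None:
        self.active: Dict[ConnKey, ConnRecord] = {}
        self.closed: List[ConnRecord] = []

    def observe(self, snapshot: Iterable[Tuple[ConnKey, str]],
                now: float) -> List[ConnRecord]:
        """Fold one poll into the tracker; returns the connections it closed."""
        seen = set()
        for key, proc in snapshot:
            seen.add(key)
            rec = self.active.get(key)
            if rec is None:
                self.active[key] = ConnRecord(key, proc, now, now)
            else:
                rec.last_seen = now
        just_closed = []
        for key in [k for k in self.active if k not in seen]:
            rec = self.active.pop(key)
            rec.closed_at = now
            self.closed.append(rec)
            just_closed.append(rec)
        return just_closed

    def long_lived(self, now: float, threshold_s: float) -> List[ConnRecord]:
        """Open connections older than threshold_s, worth a closer look in pcap."""
        return [r for r in self.active.values()
                if now - r.first_seen >= threshold_s]


def resolve_owner(ip: str, lookup: Callable[[str], str]) -> Optional[str]:
    """Manual 'Resolve IP' step. `lookup` is a caller-supplied callable hitting an
    external AS/whois service (assumption; the page does not document TCPHound's
    endpoint). It receives the address, so non-global addresses are refused."""
    if not ipaddress.ip_address(ip).is_global:
        return None
    return lookup(ip)


def live_snapshot() -> List[Tuple[ConnKey, str]]:
    """Host snapshot via psutil (assumed installed); empty list without it."""
    try:
        import psutil
    except ImportError:
        return []
    snap = []
    for c in psutil.net_connections(kind="tcp"):
        if c.status != psutil.CONN_ESTABLISHED or not c.raddr:
            continue
        try:
            name = psutil.Process(c.pid).name() if c.pid else "?"
        except psutil.Error:
            name = "?"   # e.g. access denied on protected processes
        snap.append((ConnKey(c.laddr.ip, c.laddr.port, c.raddr.ip,
                             c.raddr.port, c.pid or 0), name))
    return snap


if __name__ == "__main__":
    tracker = ConnectionTracker()
    while True:                        # poll every 5 s; Ctrl-C to stop
        for rec in tracker.observe(live_snapshot(), time.time()):
            print(log_line(rec))
        time.sleep(5)
```

Durations come from polling, so they are only accurate to within one poll interval; shorten the sleep if you care about brief connections. The `is_global` check rejects RFC 1918, loopback, link-local and documentation ranges alike, which is the property you want before sending an address to any outside resolver.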