While testing our software, a large corporate customer was able to detect the third-party licensing software using port 137.
Up until this point we have only been aware of the license software using port 443.
I have looked into this with netstat, Get-NetTCPConnection, and TCPView but I can only find process activity on port 443.
When I asked the licensing company about this they acknowledged they use 137 to get the UUID for certain license types.
I am inexperienced with networking and hope that you can tell me how to see this behavior for myself.
Best Answer
Nirsoft.net has a tool for this called Smart Sniff. You should have NPCap or WinPcap installed to use it. SmartSniff records each connection your computer makes, and displays one line per connection. In the Remote port column, you should at some point, see a connection to some host on port 137, and which process initiated that connection. There are filtering options as well as other configuration options which may reveal what you are looking for.
By default, it does not capture process information, so you'll need to configure it: