David Muegge’s Blog » Archive » Connection History with PowerShell and NetStat

Connection History with PowerShell and NetStat

March 20th, 2009Uncategorized dmuegge

Welcome!

This is a little trick some might find useful. I was working on decommissioning some servers and I needed a way to find out what was connecting to these machines. I decided to create a script to log connections. I have done this in the past in various ways which usually involved logging a bunch of data and then querying against it to find the unique connections.

This time it finally occurred to me, just filter the data as it is being collected. So I set out to write a PowerShell script that would keep a running list of client TCP connections to a given machine. This information would be stored in a text file.

The first step was to collect the information and put it into a PowerShell object.

# Create array to hold netstat data
$allnetstatdata = @()
 
# Get TCP connections from netstat
$netstatResults = & netstat -p TCP 
foreach($line in $netstatResults){
 
	# Create object data and add to object
	$netstatdata = "" | Select local,port,foreign
	if(-not (($line.Trim() -eq [String]::Empty) -or ($line.contains("Active Connections")) -or ($line.contains("Local Address")))){
		if ($line -match '\s*(TCP)\s{1,}(\D\S{1,})\s{1,}(\D\S{1,})\s{1,}(\D\S{1,}$)'){
			$localhost = $matches[2].Split(":")
			$netstatdata.local = $dchost[0]
			$netstatdata.port = $dchost[1]
			$foreignhost = $matches[3].Split(":")
			$netstatdata.foreign = $foreignhost[0]
			$allnetstatdata = $allnetstatdata + $netstatdata
		}
	}			
}

Then the next step was to read the file with the previous information and add it to the PowerShell object.

# Define Log File
$logfile = C:\TCPConnections.txt
 
# Get data from file and add to object
$filedata = Get-Content $logfile
if($filedata){
	foreach($line in $filedata){
		$netstatdata = "" | Select local,port,foreign
		$entry = $line.Split("`t")
		$netstatdata.port = $entry[0]
		$netstatdata.local = $entry[1]
		$netstatdata.foreign = $entry[2]
		$allnetstatdata = $allnetstatdata + $netstatdata
	}
}

We can now remove the duplicates from the combined information and save the updated file.

# Get unique rows
$newnetstatdata = $allnetstatdata | Select-Object * -unique 
 
# Add combined data to string
$tempcontent = New-Object System.Text.StringBuilder
foreach($netstat in $newnetstatdata){
	if($netstat.port){$tempcontent.Append($netstat.port.ToString()) | Out-Null}
	$tempcontent.Append("`t") | Out-Null 
	if($netstat.local){$tempcontent.Append($netstat.local.ToString()) | Out-Null}
	$tempcontent.Append("`t") | Out-Null 
	if($netstat.foreign){$tempcontent.Append($netstat.foreign.ToString()) | Out-Null}
	$tempcontent.Append("`n") | Out-Null 
}
 
# Write to file
Set-Content -path $logfile $tempcontent.ToString()

We can run this script in a scheduled task at whatever interval is required. Now we have a log of unique inbound TCP connections.

Best Regards,

Dave

3 Comments

Comments RSS TrackBack Identifier URI

Try the .NET way, it workd much faster than netstat and there is no need to parse text, it doesn’t do name/port resolution though:

[System.Net.NetworkInformation.IpGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections()

Comment by Shay Levy on March 20, 2009 10:30 am

Shay,

Thanks for the tip, I tend to forget about the framework on such common tasks.

Comment by Dave Muegge on March 20, 2009 2:11 pm

Great script - saved me a load of time coding. One small change - I had to explicitly declare all the arrays as I was getting a cannot index into a null array error

# Create array to hold netstat data
$allnetstatdata = @()
$dchost = @()
$matches = @()
$foreignhost =@()

I now need to add to your script a lookup of the client machines and their owners in both active directory and the CMDB database.. Might take a little while but I think it should be quicker than doing it manually for 800 servers

Comment by Goldstien on May 28, 2009 4:30 am

Leave a comment

Connection History with PowerShell and NetStat

Archives

Blogroll

Links

Meta