In the previous tip we introduced the Get-NetTCPConnection cmdlet as a better alternative to the netstat.exe network utility on Windows systems. It can list open ports and connections, and we left off with an example that lists all connections to HTTPS (port 443):
```
PS> Get-NetTCPConnection -RemotePort 443 -State Established

LocalAddress  LocalPort RemoteAddress  RemotePort State       AppliedSetting OwningProcess
------------  --------- -------------  ---------- -----       -------------- -------------
192.168.2.105 58640     52.114.74.221  443        Established Internet       14204
192.168.2.105 56201     52.114.75.149  443        Established Internet       9432
192.168.2.105 56200     52.114.142.145 443        Established Internet       13736
192.168.2.105 56199     13.107.42.12   443        Established Internet       12752
192.168.2.105 56198     13.107.42.12   443        Established Internet       9432
192.168.2.105 56192     40.101.81.162  443        Established Internet       9432
192.168.2.105 56188     168.62.58.130  443        Established Internet       10276
192.168.2.105 56181     168.62.58.130  443        Established Internet       10276
192.168.2.105 56103     13.107.6.171   443        Established Internet       9432
192.168.2.105 56095     13.107.42.12   443        Established Internet       9432
192.168.2.105 56094     13.107.43.12   443        Established Internet       9432
192.168.2.105 55959     140.82.112.26  443        Established Internet       21588
192.168.2.105 55568     52.113.206.137 443        Established Internet       13736
192.168.2.105 55555     51.103.5.186   443        Established Internet       12752
192.168.2.105 49638     51.103.5.186   443        Established Internet       5464
```
This list is not very useful on its own: it does not resolve the remote IP addresses, and the OwningProcess column only gives you a process ID, not the program that owns the connection. With a little bit of PowerShell, though, you can resolve both:
```powershell
$Process = @{
    Name       = 'Process'
    Expression = {
        # return process path
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
    }
}

$HostName = @{
    Name       = 'Host'
    Expression = {
        $remoteHost = $_.RemoteAddress
        try {
            # try to resolve IP address
            [Net.Dns]::GetHostEntry($remoteHost).HostName
        }
        catch {
            # if that fails, return IP anyway
            $remoteHost
        }
    }
}

# get all connections to port 443 (HTTPS)
Get-NetTCPConnection -RemotePort 443 -State Established |
    # where there is a remote address
    Where-Object RemoteAddress |
    # and resolve IP and process ID
    Select-Object -Property $HostName, OwningProcess, $Process
```
Select-Object picks the properties you want to display, and it supports "calculated properties": a hashtable with a Name and an Expression script block that is evaluated for each object. $Process defines a calculated property named "Process": it takes the OwningProcess property of the current connection and runs that process ID through Get-Process to get the path of the executable. Note that Path comes back empty when the process has already exited or when your session lacks the rights to inspect it (processes of other users, or the System process, from a non-elevated shell), so run this from an elevated prompt if you want to see those.
The same occurs in $HostName: here, the .NET GetHostEntry() method performs a reverse DNS lookup on the IP address and returns the resolved host name; if the lookup fails, the IP address is returned unchanged. Keep in mind that the name comes from a PTR record maintained by whoever controls the reverse zone, so it is useful for orientation but is not proof of who you are actually talking to. The result now looks like this:
```
Host                            OwningProcess Process
----                            ------------- -------
13.107.6.171                             9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
1drv.ms                                  9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
lb-140-82-113-26-iad.github.com         21588 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
1drv.ms                                  9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
52.113.206.137                          13736 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe
51.103.5.186                            12752 C:\Users\tobia\AppData\Local\Microsoft\OneDrive\OneDrive.exe
```
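The output above still resolves the same address once per connection (process 9432 alone holds four connections to 13.107.42.12) and gives no hint whether a name really came from DNS or is just the IP echoed back. As an added example that is not part of the original tip, the report below is rewritten as a function that resolves each unique remote address only once, records whether DNS answered, looks up each owning process only once, and tolerates processes you cannot inspect. The function name Get-EstablishedConnectionReport, the -NoResolve switch and the output column names are my own choices; the cmdlets and .NET calls are the same ones the tip uses.

```powershell
# Added example (not from the original tip): the HTTPS connection report as a
# reusable function with per-address and per-process caching.
function Get-EstablishedConnectionReport {
    [CmdletBinding()]
    param(
        # remote port to filter on; 443 (HTTPS) as in the tip
        [int]$RemotePort = 443,

        # skip reverse DNS entirely: instant results, works offline
        [switch]$NoResolve
    )

    $dnsCache     = @{}   # RemoteAddress -> host name, or $null if unresolvable
    $processCache = @{}   # process ID    -> object with Name and Path

    Get-NetTCPConnection -RemotePort $RemotePort -State Established |
        Where-Object RemoteAddress |
        ForEach-Object {
            $ip      = $_.RemoteAddress
            $ownerId = $_.OwningProcess   # ($pid is an automatic variable, so avoid it)

            # reverse lookup, once per distinct address; a failed lookup is cached
            # too so that an address without a PTR record times out only once
            if (-not $NoResolve -and -not $dnsCache.ContainsKey($ip)) {
                try   { $dnsCache[$ip] = [Net.Dns]::GetHostEntry($ip).HostName }
                catch { $dnsCache[$ip] = $null }
            }
            $resolved = if ($dnsCache.ContainsKey($ip)) { $dnsCache[$ip] } else { $null }

            # process lookup, once per distinct PID; Path stays empty when the
            # process is gone or the session may not inspect it (elevate to see those)
            if (-not $processCache.ContainsKey($ownerId)) {
                $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
                $path = $null
                if ($proc) {
                    try { $path = $proc.Path } catch { $path = $null }
                }
                $processCache[$ownerId] = [pscustomobject]@{
                    Name = if ($proc) { $proc.Name } else { $null }
                    Path = $path
                }
            }

            [pscustomobject]@{
                RemoteAddress = $ip
                # host name from the PTR record, or the IP when DNS did not answer
                Host          = if ($resolved) { $resolved } else { $ip }
                # $true only when the name actually came from DNS
                Resolved      = [bool]$resolved
                RemotePort    = $_.RemotePort
                LocalPort     = $_.LocalPort
                OwningProcess = $ownerId
                ProcessName   = $processCache[$ownerId].Name
                Path          = $processCache[$ownerId].Path
            }
        }
}

# fast first pass without DNS: which executables hold HTTPS connections right now?
Get-EstablishedConnectionReport -NoResolve |
    Group-Object Path |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# full report, one row per connection, names resolved once per address
Get-EstablishedConnectionReport |
    Sort-Object OwningProcess, RemoteAddress |
    Format-Table Host, Resolved, RemotePort, OwningProcess, ProcessName, Path -AutoSize
```

Running the -NoResolve pass first is a useful habit during triage: it answers "which program owns this connection" immediately, and you can decide afterwards whether the slow reverse lookups are worth waiting for. The Resolved column keeps you from mistaking an echoed IP for a host name, and an empty Path next to a live PID is your cue to re-run from an elevated prompt rather than a sign that the process has no executable.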
This comes at a cost, though: each GetHostEntry() call is a synchronous reverse DNS lookup, so the pipeline stalls for every connection in turn, and an address without a PTR record can take several seconds to time out. In the next part we'll take a look at parallel processing to speed things up.