In the previous tip we introduced the Get-NetTCPConnection cmdlet as a better alternative to the netstat.exe network utility on Windows systems. It can list open ports and connections, and we left off with an example that lists all connections to HTTPS (port 443):

 
PS> Get-NetTCPConnection -RemotePort 443 -State Established 

LocalAddress  LocalPort RemoteAddress  RemotePort State       AppliedSetting OwningProcess
------------  --------- -------------  ---------- -----       -------------- -------------
192.168.2.105 58640     52.114.74.221  443        Established Internet       14204        
192.168.2.105 56201     52.114.75.149  443        Established Internet       9432         
192.168.2.105 56200     52.114.142.145 443        Established Internet       13736        
192.168.2.105 56199     13.107.42.12   443        Established Internet       12752        
192.168.2.105 56198     13.107.42.12   443        Established Internet       9432         
192.168.2.105 56192     40.101.81.162  443        Established Internet       9432         
192.168.2.105 56188     168.62.58.130  443        Established Internet       10276        
192.168.2.105 56181     168.62.58.130  443        Established Internet       10276        
192.168.2.105 56103     13.107.6.171   443        Established Internet       9432         
192.168.2.105 56095     13.107.42.12   443        Established Internet       9432         
192.168.2.105 56094     13.107.43.12   443        Established Internet       9432         
192.168.2.105 55959     140.82.112.26  443        Established Internet       21588        
192.168.2.105 55568     52.113.206.137 443        Established Internet       13736        
192.168.2.105 55555     51.103.5.186   443        Established Internet       12752        
192.168.2.105 49638     51.103.5.186   443        Established Internet       5464   
 

This list is not very useful per se because it does not resolve IP addresses and won’t tell you which programs maintain the connections. With a little bit of PowerShell magic, though, you can resolve these items:

$Process = @{
    Name='Process'
    Expression={
        # return process path
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
       
        }
}

$HostName = @{
    Name='Host'
    Expression={
        $remoteHost = $_.RemoteAddress
        try { 
            # try to resolve IP address
            [Net.Dns]::GetHostEntry($remoteHost).HostName
        } catch {
            # if that fails, return IP anyway
            $remoteHost
        }
    }
}

# get all connections to port 443 (HTTPS)
Get-NetTCPConnection -RemotePort 443 -State Established | 
  # where there is a remote address
  Where-Object RemoteAddress |
  # and resolve IP and process ID
  Select-Object -Property $HostName, OwningProcess, $Process

Select-Object selects the objects you want to display. It supports “calculated properties”. $Process defines a calculated property named “Process”: it takes the original OwningProcess property and runs the process ID in it through Get-Process to get the path to the application.

The same occurs in $HostName: here, the .NET GetHostEntry() method is used to resolve the IP and return the resolved hostname. The result now looks like this:

 
Host                            OwningProcess Process                                                          
----                            ------------- -------                                                          
13.107.6.171                             9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
1drv.ms                                  9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
lb-140-82-113-26-iad.github.com         21588 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe      
1drv.ms                                  9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
52.113.206.137                          13736 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe   
51.103.5.186                            12752 C:\Users\tobia\AppData\Local\Microsoft\OneDrive\OneDrive.exe    
 

The cost for this can be tremendous though because resolving IP addresses can take a long time, especially when the query times out. In our next part we’ll take a look at parallel processing to speed things up.




Twitter This Tip! ReTweet this Tip!

Anonymous