TCP Monitor

  • Question

  • I'm using the following script to monitor TCP/UDP connections in near real time.  This gets the job done, but I know there must be a much better way to get the same information by leveraging an event handler.  I know tools like Network Monitor can get this same information, but I need this information in PowerShell.

    $PathToExe = 'c:\Tcpvcon.exe'
    $hashConnections = @{}
    $aryConnections = @()
    
    While($true)
    {
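    	# -n: do not resolve addresses, -c: CSV output, -a: show all endpoints
    	$aryConnections = & $PathToExe -n -c -a 2> $null
    	$aryConnections | % {
    		# Print each connection line only the first time it is seen
    		if (-not $hashConnections.ContainsKey($_)) {
    			Write-host ("{0:T} " -f (get-date) + $_)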
    			$hashConnections.Add("$_",0)
    		}
    	}
    
    }

    I'm looking forward to when a SysInternals tool meets PowerShell.  In the meantime, does anyone have any idea what event handler tcpvcon or tcpview is using?  Warning: I have no idea what impact creating a new process on every iteration of this while loop would cause, but I know it is not an optimal solution.  I only run this for a few minutes.

    Wednesday, November 28, 2018 4:33 PM

Answers

  • Are you looking to list connections?  Use the Net CmdLets.

    Get-NetTCPConnection

    Get-NetTCPConnection -State Established


    \_(ツ)_/

    • Marked as answer by Lee Hagler Wednesday, November 28, 2018 5:10 PM
    Wednesday, November 28, 2018 4:43 PM

All replies

  • Note that TCPView does not use events.  It scans for the current state and updates the view on a timer.

    \_(ツ)_/

    Wednesday, November 28, 2018 4:52 PM
  • Thanks!  I also found Get-NetUDPEndpoint, which looks like it returns the UDP protocol ports opened that show up in TCPView.  This is great information.  I can stop parsing netstat commands!
    Wednesday, November 28, 2018 5:19 PM
  • It's a little longer, but using Get-NETTCPConnection and Get-NETUDPEndpoint:

    $hashConnections = @{}
    $aryConnections = @()
    $aryObjPorts = @()
    
    $Signature = @'
    	[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
    	public static extern short GetAsyncKeyState(int virtualKeyCode);
    '@
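    # Compile the P/Invoke wrapper once per session; reuse the type on later runs
    # so $API is always set.
    If (-not ("Keytest.Keypress" -as [type])){
    	$API = Add-Type -MemberDefinition $Signature -Name 'Keypress' -Namespace Keytest -PassThru
    } Else {
    	$API = [Keytest.Keypress]
    }
    
    # 118 = 0x76 = VK_F7; loop until F7 is pressed.
    While([bool]($API::GetAsyncKeyState(118) -eq 0))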
    {
    	$hashProcess = @{}
    	Get-process | % {$hashProcess.Add($_.Id,$_.ProcessName)}
    	
    	$objTCPPorts = Get-NetTCPConnection | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State,  AppliedSetting, OwningProcess,@{ Name = 'ProcessName'; Expression = { $hashProcess[[int] $_.OwningProcess]  }} 
    	
    	$objTCPPorts | % {
    		$strTCPPort = "TCP,$($_.LocalAddress), $($_.LocalPort), $($_.RemoteAddress), $($_.RemotePort), $($_.State),  $($_.AppliedSetting), $($_.OwningProcess), $($_.ProcessName)"
    		If ( -not  $hashConnections.ContainsKey($strTCPPort)) {
    			Write-host ("{0:T} " -f (get-date) + $strTCPPort)
    			$hashConnections.Add("$strTCPPort",0)
    			$ObjValue = [PSCustomObject] @{
    				Protocol = 'TCP'
    				Process = $($_.ProcessName)
    				PID = $($_.OwningProcess)
    				State = $($_.State)
    				Local = $($_.LocalAddress)
    				LocalPort = $($_.LocalPort)
    				Remote = $($_.RemoteAddress)
    				RemotePort = $($_.RemotePort)
    			}
    			$aryObjPorts += $ObjValue
    			
    		}
    	}
    	
    	$objUDPPorts = Get-NetUDPEndpoint | select LocalAddress, LocalPort, OwningProcess,@{ Name = 'ProcessName'; Expression = { $hashProcess[[int] $_.OwningProcess]  }}
    	
    	$objUDPPorts | % {
    		$strUDPPort = "UDP,$($_.LocalAddress), $($_.LocalPort), $($_.OwningProcess), $($_.ProcessName)"
    		If ( -not  $hashConnections.ContainsKey($strUDPPort)) {
    			Write-host ("{0:T} " -f (get-date) + $strUDPPort)
    			$hashConnections.Add("$strUDPPort",0)
    			$ObjValue = [PSCustomObject] @{
    				Protocol = 'UDP'
    				Process = $($_.ProcessName)
    				PID = $($_.OwningProcess)
    				Local = $($_.LocalAddress)
    				LocalPort = $($_.LocalPort)
    			}
    			$aryObjPorts += $ObjValue
    		}
    	}
    }
    
    $aryObjPorts | out-gridview

    Press F7 to exit.  Added $aryObjPorts PSobject so I could output to out-gridview.


    • Edited by Lee Hagler Thursday, November 29, 2018 10:16 PM
    Thursday, November 29, 2018 7:31 PM
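
The timer-based scan described in the replies (poll the current state, then update), as an added example that is not part of the original thread: it diffs successive snapshots so that closed connections are reported as well as new ones. The function names, the key format and the 2-second default interval are assumptions.

```powershell
# Added example, not from the thread. Function names and defaults are assumptions.
function Get-ConnectionSnapshot {
    # Build one PID -> process name map per scan.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

    $snapshot = @{}
    Get-NetTCPConnection | ForEach-Object {
        # Identity is protocol + 4-tuple + PID; State is left out of the key so a
        # state change on the same socket is not reported as a new connection.
        $key = 'TCP,{0},{1},{2},{3},{4}' -f $_.LocalAddress, $_.LocalPort,
            $_.RemoteAddress, $_.RemotePort, $_.OwningProcess
        $snapshot[$key] = [PSCustomObject]@{
            Protocol = 'TCP'; Process = $procs[[int]$_.OwningProcess]; PID = $_.OwningProcess
            State = $_.State; Local = $_.LocalAddress; LocalPort = $_.LocalPort
            Remote = $_.RemoteAddress; RemotePort = $_.RemotePort
        }
    }
    Get-NetUDPEndpoint | ForEach-Object {
        $key = 'UDP,{0},{1},{2}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess
        # UDP endpoints have no state or remote side; keep the columns aligned.
        $snapshot[$key] = [PSCustomObject]@{
            Protocol = 'UDP'; Process = $procs[[int]$_.OwningProcess]; PID = $_.OwningProcess
            State = $null; Local = $_.LocalAddress; LocalPort = $_.LocalPort
            Remote = $null; RemotePort = $null
        }
    }
    $snapshot
}

function Watch-Connection {
    param([int]$IntervalSeconds = 2, [int]$Iterations = 0)   # 0 = run until Ctrl+C
    $previous = Get-ConnectionSnapshot
    for ($i = 0; $Iterations -eq 0 -or $i -lt $Iterations; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-ConnectionSnapshot
        $time = Get-Date -Format T
        # In current but not previous = opened; in previous but not current = closed.
        $current.Keys | Where-Object { -not $previous.ContainsKey($_) } | ForEach-Object {
            $current[$_] | Select-Object @{n='Time';e={$time}}, @{n='Change';e={'Opened'}}, *
        }
        $previous.Keys | Where-Object { -not $current.ContainsKey($_) } | ForEach-Object {
            $previous[$_] | Select-Object @{n='Time';e={$time}}, @{n='Change';e={'Closed'}}, *
        }
        $previous = $current
    }
}

# Example: poll every 2 seconds for one minute, then review the changes.
# Watch-Connection -IntervalSeconds 2 -Iterations 30 | Out-GridView
```

Connections that open and close between two polls are not seen by any polling approach, so a shorter interval trades CPU time for coverage.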