neil4933
asked on
Filtering Netstat output
Hi
I am running Windows XP and Windows 7 clients, with a Windows 2008 Server running an in-house app.
The application server is slowing down, and our developer team say it is because there are too many client connections originating from the same machines, i.e. the client machines are holding open connections instead of closing them with the server.
I'd like to go to some client machines, and find out how many connections they have to port 5000 (example) which the app uses.
I guess I need Netstat to do that? But how can I filter the Netstat output by either port or destination IP (the server IP address is 192.168.1.33)?
Thanks in advance.
netstat | findstr /c:"192.168.1.33"
To filter for e.g. port 443 (SSL), you would need to suppress the decoding of IP and port numbers, and to "find" the port:
netstat -n | find ":443 "
This is ending with a Tab character, else a port of 4431 aso. would be found, too. If you use
netstat -n | find /c ":443 "
you will get the count only.
But what you really want to have is a grouping by IP and port - and that cannot be done automatically in a batch (that easily). It would be easy to do in PowerShell, but I reckon you won't want to use that here. If you want a batch, you can start with:
@echo off
for /F "tokens=2-5 delims=: " %%A in ('netstat -n ^| find ":443 "') do @echo %%A,%%B,%%C,%%D
which just shows how to parse the output.
%%A contains the local IP,
%%B the local port,
%%C the remote IP,
%%D the remote port
If you change the sequence in echo, you can pipe the result to sort, and have it sorted for the corresponding value (local/remote IP/port).
You might find a tool like CurrPorts (http://www.nirsoft.net/utils/cports.html) or TcpView (http://technet.microsoft.com/en-us/sysinternals/bb897437) more handy if you want to perform analysis online and manually.
ASKER
Hi All
Thanks for your responses...
"But what you really want to have is a grouping by IP and port - and that cannot be done automatically in a batch (that easily). It would be easy to do in PowerShell..."
Actually, I'd be very interested in how that worked with Powershell!!
[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() |
Where-Object {$_.State -eq "Established"} |
Where-Object {$_.RemoteEndPoint.Address -eq [IPAddress]"1.1.1.1" } |
Where-Object {$_.RemoteEndPoint.Port -eq 443} |
Group-Object RemoteEndPoint |
Select-Object @{name="Remote"; e={$_.Name}}, count
will display the number of connections to 1.1.1.1:443 as an example.
But instead of running it on each client individually, I recommend running it on the server and querying LocalEndPoint.Port to get an overview of the connected clients:
[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() |
Where-Object {$_.State -eq "Established"} |
Where-Object {$_.LocalEndPoint.Port -eq 5000} |
Group-Object {$_.RemoteEndPoint.Address} |
Select-Object @{name="Remote"; e={$_.Name}}, count
ASKER
Thanks QLEMO.
Is it not possible to query the output of netstat directly from Powershell?
I was thinking of something like:
Get output of Netstat
Where destination address is 192.168.1.33 or
Where destination port is 443 (for example)
Where destination address is 192.168.1.33 *and* destination port is 443?
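One way to do what is asked above, parsing the text of netstat -n into objects and filtering them with Where-Object, as an added example that is not part of the original thread. The function name ConvertFrom-Netstat and the sample netstat output are constructed for illustration; the address and ports are the ones used in the question.

```powershell
# Constructed sample of `netstat -n` output (not captured from a real host).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.50:49201     192.168.1.33:5000      ESTABLISHED
  TCP    192.168.1.50:49202     192.168.1.33:5000      ESTABLISHED
  TCP    192.168.1.50:49203     192.168.1.33:5000      CLOSE_WAIT
  TCP    192.168.1.50:49210     192.168.1.33:443       ESTABLISHED
  TCP    192.168.1.50:49215     192.168.1.34:5000      TIME_WAIT
  TCP    [::1]:49300            [::1]:5000             ESTABLISHED
'@ -split "`r?`n"

function ConvertFrom-Netstat {
    # Hypothetical helper: turns netstat -n text lines into objects; headers and blank lines are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # \S+ is greedy, so address and port split at the LAST colon (bracketed IPv6 parses too).
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)') {
            New-Object PSObject -Property @{
                LocalAddress  = $Matches[1]
                LocalPort     = [int]$Matches[2]
                RemoteAddress = $Matches[3]
                RemotePort    = [int]$Matches[4]
                State         = $Matches[5]
            }
        }
    }
}

# For live data, replace $sample with the command itself: (netstat -n)
$conns = ConvertFrom-Netstat -Lines $sample

# Destination address AND destination port.
$conns | Where-Object { $_.RemoteAddress -eq '192.168.1.33' -and $_.RemotePort -eq 5000 } |
    Format-Table RemoteAddress, RemotePort, State, LocalPort -AutoSize

# Destination address OR destination port.
$conns | Where-Object { $_.RemoteAddress -eq '192.168.1.33' -or $_.RemotePort -eq 443 } |
    Format-Table RemoteAddress, RemotePort, State, LocalPort -AutoSize

# Connection count per remote address, remote port and TCP state.
$conns | Group-Object RemoteAddress, RemotePort, State |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Comparing ports as integers avoids the substring problem of the find approach, where ":443" would also match ":4431".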