Solved

Filtering Netstat output

Posted on 2012-08-18
Medium Priority
7,158 Views
Last Modified: 2012-08-25
Hi

I am running Windows XP and Windows 7 clients, with a Windows 2008 Server running an in-house app.

The application server is slowing down, and our developer team say it is because there are too many client connections originating from the same machines, i.e. the client machines are holding open connections instead of closing them with the server.

I'd like to go to some client machines, and find out how many connections they have to port 5000 (example) which the app uses.

I guess I need Netstat to do that? But how can I filter the Netstat output by either port or destination IP (the server IP address is 192.168.1.33)?

Thanks in advance.
Question by:neil4933

6 Comments
LVL 40

Expert Comment

by:als315
ID: 38308915
netstat | findstr /c:"192.168.1.33"
LVL 71

Expert Comment

by:Qlemo
ID: 38309031
To filter for e.g. port 443 (SSL), you would need to suppress the decoding of IP and port numbers, and to "find" the port:
netstat -n | find ":443	"

This ends with a Tab character, otherwise a port such as 4431 and so on would be found, too. If you use
netstat -n | find /c ":443	"

you will get the count only.
But what you really want to have is a grouping by IP and port - and that cannot be done automatically in a batch (that easily). It would be easy to do in PowerShell, but I reckon you won't want to use that here. If you want a batch, you can start with:
@echo off
for /F "tokens=2-5 delims=: " %%A in ('netstat -n ^| find ":443	"') do @echo %%A,%%B,%%C,%%D

which just shows how to parse the output.
  %%A contains the local IP,
  %%B the local port,
  %%C the remote IP,
  %%D the remote port
If you change the sequence in echo, you can pipe the result to sort, and have it sorted for the corresponding value (local/remote IP/port).

You might find a tool like CurrPorts (http://www.nirsoft.net/utils/cports.html) or TcpView (http://technet.microsoft.com/en-us/sysinternals/bb897437) more handy if you want to perform analysis online and manually.
Author Comment

by:neil4933
ID: 38309607
Hi All

Thanks for your responses...

"But what you really want to have is a grouping by IP and port - and that cannot be done automatically in a batch (that easily). It would be easy to do in PowerShell..."

Actually, I'd be very interested in how that worked with Powershell!!
LVL 71

Expert Comment

by:Qlemo
ID: 38309667
[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | 
  Where-Object {$_.State -eq "Established"} |
  Where-Object {$_.RemoteEndPoint.Address -eq [IPAddress]"1.1.1.1" } |
  Where-Object {$_.RemoteEndPoint.Port -eq 443} | 
  Group-Object RemoteEndPoint | 
  Select-Object @{name="Remote"; e={$_.Name}}, count

will display the number of connections to 1.1.1.1:443 as an example.
But instead of running it on each client individually, I recommend running it on the server and querying LocalEndPoint.Port to get an overview of the connected clients:
[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() | 
  Where-Object {$_.State -eq "Established"} |
  Where-Object {$_.LocalEndPoint.Port -eq 5000} | 
  Group-Object {$_.RemoteEndPoint.Address} | 
  Select-Object @{name="Remote"; e={$_.Name}}, count

Author Comment

by:neil4933
ID: 38310025
Thanks QLEMO.

Is it not possible to query the output of netstat directly from Powershell?

I was thinking of something like:

Get output of Netstat
Where destination address is 192.168.1.33 or
Where destination port is 443 (for example)
Where destination address is 192.168.1.33 *and* destination port is 443?
LVL 71

Accepted Solution

by:Qlemo (earned 2000 total points)
ID: 38310070
Of course you can do that, but since netstat output consists of lines of strings, it requires parsing like in cmd batches (which again is easier in PowerShell due to the availability of regular expressions). We would have to split a line like we do in the FOR loop, making it inconvenient. But I have seen PS code doing that, and it is (again) not difficult (see e.g. http://halr9000.com/article/599).

The strength of PowerShell is that it handles objects and their properties, not strings only. Using the method I showed is more versatile, as you can define the conditions to your liking:
[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() |
  Where-Object {$_.State -eq "Established"} |
  Where-Object {$_.RemoteEndPoint.Address -eq [IPAddress]"192.168.1.33" -or
                $_.RemoteEndPoint.Port    -eq 443} |
  Group-Object {$_.RemoteEndPoint.Address} |
  Select-Object @{name="Remote"; e={$_.Name}}, count

[Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() |
  Where-Object {$_.State -eq "Established"} |
  Where-Object {$_.RemoteEndPoint.Address -eq [IPAddress]"192.168.1.33" -and
                $_.RemoteEndPoint.Port    -eq 443} |
  Group-Object {$_.RemoteEndPoint.Address} |
  Select-Object @{name="Remote"; e={$_.Name}}, count

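As an added example (not code from this thread), here is the netstat-parsing alternative Qlemo mentions, covering both the batch FOR loop in the earlier comment and the question of querying netstat output from PowerShell: a regex turns each `netstat -n` line into an object, after which the same Where-Object/Group-Object filtering applies. The function name and the sample netstat output are constructed for illustration and assume the standard Windows `netstat -n` column layout.

```powershell
# Added example, not from the thread. Parses "netstat -n" text into objects,
# then filters and groups them the way the .NET-based one-liners above do.
function ConvertFrom-NetstatLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Matches IPv4 (1.2.3.4:80) and bracketed IPv6 ([::1]:80) endpoints;
        # the header, blank lines and UDP rows simply do not match and are dropped.
        $pattern = '^\s*(?<Proto>TCP)\s+(?<LAddr>\S+):(?<LPort>\d+)\s+(?<RAddr>\S+):(?<RPort>\d+)\s+(?<State>\S+)'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Proto      = $Matches.Proto
                LocalAddr  = $Matches.LAddr -replace '[\[\]]', ''
                LocalPort  = [int]$Matches.LPort
                RemoteAddr = $Matches.RAddr -replace '[\[\]]', ''
                RemotePort = [int]$Matches.RPort
                State      = $Matches.State
            }
        }
    }
}

# Constructed sample output standing in for (netstat -n) so the script runs offline.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49152     192.168.1.33:5000      ESTABLISHED
  TCP    192.168.1.10:49153     192.168.1.33:5000      ESTABLISHED
  TCP    192.168.1.10:49154     192.168.1.33:5000      TIME_WAIT
  TCP    192.168.1.10:49155     192.168.1.33:50001     ESTABLISHED
  TCP    192.168.1.10:49156     10.0.0.7:443           ESTABLISHED
  TCP    [::1]:49157            [::1]:5000             ESTABLISHED
'@ -split "`r?`n"

$conns = $sample | ConvertFrom-NetstatLine   # on a real client: netstat -n | ConvertFrom-NetstatLine

# Established connections to 192.168.1.33 on port 5000 only. Comparing the port as a
# number avoids the substring problem the "find" examples work around with a trailing Tab.
$conns | Where-Object { $_.State -eq 'ESTABLISHED' -and
                        $_.RemoteAddr -eq '192.168.1.33' -and
                        $_.RemotePort -eq 5000 } |
    Group-Object RemoteAddr, RemotePort |
    Select-Object @{ n = 'Remote'; e = { $_.Name } }, Count
```

With the sample above this reports one group, "192.168.1.33, 5000", with a Count of 2; the TIME_WAIT row and the port 50001 row are excluded by the filter.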