Saturday, September 13, 2025

Get-NetTCPConnection

The Get-NetTCPConnection PowerShell cmdlet lists the TCP connections on a Windows host, including each connection's state and the process that owns it.

The following command shows which ports are listening:

Get-NetTCPConnection -State Listen

And which connections are currently established:

Get-NetTCPConnection -State Established

Show connections to destination port 443:

Get-NetTCPConnection -State Established -RemotePort 443

Display connections to a specific remote IP address:

Get-NetTCPConnection -State Established -RemoteAddress 8.8.8.8

The OwningProcess field can help identify which service or application is the source of the traffic:

Get-NetTCPConnection -State Established -RemotePort 443 | Select OwningProcess

# Get-Process -IncludeUserName requires an elevated session.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{n="ProcessName"; e={(Get-Process -Id $_.OwningProcess).ProcessName}},
        @{n="UserName"; e={(Get-Process -Id $_.OwningProcess -IncludeUserName).UserName}} |
    Where-Object {$_.State -eq "Established"} |
    Format-Table -AutoSize -Force

The code below shows the oldest 10 connections:

$now = Get-Date
# TotalSeconds gives the whole lifetime; .Seconds would return only the 0-59 seconds component of the TimeSpan.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{Name="LifetimeSec"; Expression={[int]($now - $_.CreationTime).TotalSeconds}},
        OwningProcess,
        @{Name="Process"; Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Sort-Object -Property LifetimeSec |
    Select-Object -Last 10 |
    Format-Table -AutoSize

The command below includes DNS names:

# Reverse lookups fail for many addresses; -ErrorAction SilentlyContinue keeps the table from filling with errors.
Get-NetTCPConnection -State Established |
    Select-Object -Property LocalAddress, LocalPort,
        @{name='RemoteHostName'; expression={(Resolve-DnsName $_.RemoteAddress -ErrorAction SilentlyContinue).NameHost}},
        RemoteAddress, RemotePort, State,
        @{name='ProcessPath'; expression={(Get-Process -Id $_.OwningProcess).Path}},
        OffloadState, CreationTime |
    Format-Table
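As an added example (not from the original post), the function below combines the process, user, lifetime and DNS lookups above into a single triage pass, caching the Get-Process and Resolve-DnsName results so it stays fast on a host with hundreds of connections. The function name, the optional -OutCsv parameter and the example CSV path are my own choices.

```powershell
function Get-TcpConnectionTriage {
    param(
        [string]$OutCsv   # optional CSV path, e.g. C:\Triage\tcp-$env:COMPUTERNAME.csv
    )
    $now = Get-Date

    # Build a PID -> process table once instead of calling Get-Process per connection.
    # -IncludeUserName needs an elevated session; fall back to no UserName otherwise.
    $procs = @{}
    try   { Get-Process -IncludeUserName -ErrorAction Stop | ForEach-Object { $procs[$_.Id] = $_ } }
    catch { Get-Process | ForEach-Object { $procs[$_.Id] = $_ } }

    $dnsCache = @{}
    $rows = Get-NetTCPConnection -State Established | ForEach-Object {
        $p  = $procs[[int]$_.OwningProcess]   # OwningProcess is UInt32; table keys are Int32
        $ip = $_.RemoteAddress
        if (-not $dnsCache.ContainsKey($ip)) {
            # Many cloud and CDN addresses have no PTR record; ignore the error and continue.
            $dnsCache[$ip] = (Resolve-DnsName $ip -ErrorAction SilentlyContinue |
                              Select-Object -First 1).NameHost
        }
        [pscustomobject]@{
            Collected     = $now
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $ip
            RemoteHost    = $dnsCache[$ip]
            RemotePort    = $_.RemotePort
            # TotalSeconds, not .Seconds: .Seconds is only the 0-59 part of the TimeSpan.
            LifetimeSec   = [int]($now - $_.CreationTime).TotalSeconds
            PID           = $_.OwningProcess
            ProcessName   = $p.ProcessName
            ProcessPath   = $p.Path
            UserName      = $p.UserName
        }
    }

    if ($OutCsv) { $rows | Export-Csv -Path $OutCsv -NoTypeInformation }
    $rows | Sort-Object LifetimeSec -Descending   # longest-lived connections first
}

Get-TcpConnectionTriage | Format-Table -AutoSize
```

Exporting with -OutCsv on a known-good host gives a baseline to diff later snapshots against.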

The Get-NetUDPEndpoint cmdlet is similar but lists UDP endpoints; since UDP is connectionless there is no State or remote address, only the local socket and its owning process.

Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, CreationTime, OwningProcess,
        @{Name="Process"; Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Format-Table -AutoSize

https://woshub.com/get-nettcpconnection-windows-powershell/

https://isc.sans.edu/diary/30532
