Checking Active TCP/IP Connections on Windows with PowerShell

Many administrators usually use the netstat console tool or graphic TCPView to display information about active TCP/IP connections and open TCP ports in Windows. Instead of netstat, you can use the Get-NetTCPConnection cmdlet in PowerShell to get information about active network connections in Windows, open TCP ports, and running processes that are using the TCP/IP protocol. PowerShell makes it easy to write complex scripts to get information and monitor open TCP ports, processes, and established network connections.

Try to run the Get-NetTCPConnection command without any options.

Like netstat, the command has displayed the list of all active connections with local and remote IP addresses, ports, connection state (Listen, Established Internet, TimeWait, Bound, CloseWait, SynReceived, SynSent), and process ID (PID) that is using this TCP connection.

You can display a list of open (listening) ports on your local computer:

Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Sort-Object LocalPort |ft

The Get-NetUDPEndpoint cmdlet is used to get information about UDP ports.

You can display external (Internet) connections only:

Get-NetTCPConnection -AppliedSetting Internet

You can display DNS names of remote hosts and process names for TCP connections:

Get-NetTCPConnection -State Established |Select-Object -Property LocalAddress, LocalPort,@{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},RemoteAddress, RemotePort, State,@{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess). Path}},OffloadState,CreationTime |ft

This PowerShell script resolved all host IP addresses to DNS names and specified process names for all connections.

By the name of a parent process PID, you can display the list of related Windows services that are using the network:

Get-WmiObject Win32_Service | Where-Object -Property ProcessId -In (Get-NetTCPConnection).OwningProcess | Where-Object -Property State -eq Running | Format-Table ProcessId, Name, Caption, StartMode, State, Status, PathName

You can view only network connections initiated by the specific process. To do it, you can use the following PowerShell script:

$TrackProcessName = "*chrome*" $EstablishedConnections = Get-NetTCPConnection -State Established |Select-Object -Property LocalAddress, LocalPort,@{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},RemoteAddress, RemotePort, State,@{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess). Path}}, OffloadState,CreationTime Foreach ($Connection in $EstablishedConnections) { If ($Connection.ProcessName -like $TrackProcessName) { $Connection|ft } }

You can use the Get-NetTCPConnection cmdlet in various scenarious. For example, you can create a simple PowerShell script to track if the connection is established from the specific IP address to the specified local port and display a pop-up notification to the administrator.

In the following example, a PowerShell script checks if a connection from the specified IP address appears on the default RDP port 3389. If the connection appears, the script will display a pop-up notification and logs the date and time of the connection to a text file:

$SourceIP = “192.168.13.125” $TargetPort =”3389” $log = "C:\PS\rdp_connection_log.txt" $EstablishedConnections = Get-NetTCPConnection -State Established Foreach ($Connection in $EstablishedConnections) { If (($Connection.RemoteAddress -eq $SourceIP) -and ($Connection.LocalPort -eq $TargetPort)) { Add-Type -AssemblyName System.Windows.Forms $global:balmsg = New-Object System.Windows.Forms.NotifyIcon $path = (Get-Process -id $pid).Path $balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path) $balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning $balmsg.BalloonTipText = "New RDP connection to your computer from $($Connection.RemoteAddress)" $balmsg.BalloonTipTitle = "New RDP connection from ($Connection.RemoteAddress)" $balmsg.Visible = $true $balmsg.ShowBalloonTip(10000) (Get-Date).ToString() + ' ' + $Connection.RemoteAddress + ' an RDP connection is established ' >> $log } }

In the same way, you can monitor and log network connections over any other protocol, like SSH, SMB, FTP, SMTP, etc. This PowerShell script may be converted into a Windows service that will start automatically.

You can use the script together with the one we discussed earlier: RDP Brute Force Attack Protection with Powershell.

You can get a list of open TCP ports and connections on remote computers using PowerShell remoting cmdlets (Enter-PSSession and Invoke-Command).

Invoke-Command -ComputerName be-dc01 {Get-NetTCPConnection -State Established}

The Get-NetTCPConnection cmdlet (as well as Test-NetConnection) may be very useful to track and diagnose network connections in Windows.

2 comments

1

Checking Active TCP/IP Connections on Windows with PowerShell

Using RDCMan (Remote Desktop Connection Manager) on Windows

How to Install and Activate the RDS Licensing Role and CALs on Windows Server 2019/2016?

Related Reading