netstat filtering logic include/exclude in PowerShell

Question

Currently, we use some logic in PowerShell to do a netstat -ano to get all TCP and UDP results and filter out results that we don't need to see then export it into a CSV. We want the results to only include the LISTENING and (blank) and non-loopback IP's.

One example would be netstat -ano | Where-Object{$_ -notlike '*127.?.?.?*' -and $_ -notmatch '\[::1]' -and $_ -notmatch 'TIME_WAIT' -and $_ -notmatch 'CLOSE*' -and $_ -notmatch 'ESTABLISHED' -and $_ -notmatch 'SYN_*' -and $_ -notmatch 'FIN_*'}.

However, we don't want to miss the other options that can come through at other times if we happen to be running our script at the same time. One I just found is LAST_ACK and I don't know what other options there are that our logic doesn't include already.

Is there a way to flip that logic instead of filtering out all of those matches, can we only include matches that are either (blank) or LISTENING or non-loopback IP's? If not, I can add more to that logic, but just wanted to see the thoughts of some of the experts.

ANSWER: I found all the states here and just updated it to include all of those.

Answer 1

Don't reinvent the wheel when you don't have to. Any legitimate question has potentially already been asked and answered, multiple times, in many ways all over the web. You may not find an absolute answer in one search, and you may need to search using a different string(s), string match, exact string match, partial string match, site-specific match, etc.

Example: 'powershell filter netstat'

Hit(s)

Get-NetworkStatistics - netstat -ano with filtering

This code borrows from Shay Levy's Get-NetworkStatistics function. This function runs netstat -ano on a local or remote system and filters the results by process name, address, port, protocol or state if specified. Process names are pulled for each PID using get-process.

https://gallery.technet.microsoft.com/scriptcenter/Get-NetworkStatistics-66057d71

Download: https://gallery.technet.microsoft.com/scriptcenter/Get-NetworkStatistics-66057d71/file/68504/10/Get-NetworkStatistics.ps1

Use as-is or modify as needed.

Answer 2

here's one way to deal with what i think you want ... convert the lines of text to PoSh objects that you can filter as you want. this is old code that i wrote 3 or 4 years ago.

what it does ...

• saves the result of a netstat call to a $Var
• cleans out the unwanted lines
• converts each line into a CSV line
• converts the collection of CSV lines into an array of PoSh objects
• displays the collection
• displays the .PID property of the 0th object

the code ...

$Raw_Result = netstat -a -o -n

# get rid of the unwanted 1st three lines
$Raw_Result = $Raw_Result | Select-Object -Skip 3
# remove the `---` line
$Raw_Result = $Raw_Result | Select-String -Pattern '[^---]'

$Cleaned_Result = foreach ($Line in $Raw_Result)
    {
    $Line = $Line.ToString().Trim()
    if ($Line[53] -eq ' ')
        {
        $Line = $Line.Insert(53, '-NA-')
        }
    $Line = $Line -replace ' {2,}', ','

    $Line
    }


$Final_Result = $Cleaned_Result | ConvertFrom-Csv


#$Raw_Result
#$Cleaned_Result
$Final_Result
Write-Output ''
$Final_Result[0].PID

truncated output ...

Proto           : UDP
Local Address   : [::]:55356
Foreign Address : *:*
State           : -NA-
PID             : 3352

[*...snip...*] 

Proto           : UDP
Local Address   : [fe80::d129:4be7:98da:e357%14]:53382
Foreign Address : *:*
State           : -NA-
PID             : 3908


1308

the benefit of all that work is that you now have an easy-to-sort-or-filter collection of fairly standard objects. [grin]

Answer 3

I found all the states here and just updated it to include the LAST and now they are all there. They are as follows below:

CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT.