Parsing netstat using a regular expression.

guinness · June 2, 2012

In an effort to improve my SRE knowledge, I'm taking 'real world' examples and apply the SRE knowledge I have, though it's somewhat limited. So here is the example. Is there a better approach?

Working Code: Parse netstat into a multidimensional array $aArray[n][3] = [source IP, Destination IP, Process]

#include <Array.au3>
#include <Constants.au3>

_ParseNetStat()

Func _ParseNetStat()
    Local $sData = _RunStdOutRead('netstat -n -b', @SystemDir)
    Local $aArray = StringRegExp($sData, '((?:d{1,3}.){3}d{1,3}:d+)s+((?:d{1,3}.){3}d{1,3}:d+).*ns*[(.*?)]', 3) ; $sIPAddress & '(?:.d{1,3})+:d+s*(?:d{1,3}.){3}d{1,3}:d+',
    Local $aReturn[(UBound($aArray, 1) / 3) + 1][3] = [[0]]

    For $i = 0 To UBound($aArray, 1) - 1
        $aReturn[0][0] += 1
        For $j = 0 To 2
            $aReturn[$aReturn[0][0]][$j] = $aArray[$i]
            $i += 1
        Next
        $i -= 1
    Next
    _ArrayDisplay($aReturn)
EndFunc   ;==>_ParseNetStat

Func _RunStdOutRead($sCommand, $sWorkingDirectory = @SystemDir)
    Local $iPID = Run(@ComSpec & ' /c ' & $sCommand, $sWorkingDirectory, @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD), $sOutput = ''
    While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then
            ExitLoop
        EndIf
    WEnd
    Return $sOutput
EndFunc   ;==>_RunStdOutRead

UEZ · June 2, 2012

What about this here?

#include <array.au3>
#include <constants.au3>

_ParseNetStat()

Func _ParseNetStat()
    Local $sData = _RunStdOutRead('netstat -n -b', @SystemDir)
;~  ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $sData = ' & $sData & @crlf & '>Error code: ' & @error & @crlf) ;### Debug Console
    Local $aArray = StringRegExp($sData, "(?im:)(TCP|UDP)s+(.*:d+)s*(.*:d+)s*(w*)s*(rn|[.*]+)", 3)
    If Mod(UBound($aArray), 5) Then Return SetError(1, 0, 0) ;unexpected array size
    Local $ub = UBound($aArray, 1) / 5, $i, $j = -1
    Local $aReturn[$ub][5]
    While $i < UBound($aArray)
        If Not Mod($i, 5) Then $j += 1
        $aReturn[$j][Mod($i, 5)] = StringReplace(StringReplace($aArray[$i], "[", ""), "]", "")
        $i += 1
    WEnd
    _ArrayDisplay($aReturn, "Active Connections", -1, 0, "", "|", "Index|Protocol|Local Address|Foreign Address|State|Application" )
EndFunc   ;==>_ParseNetStat

Func _RunStdOutRead($sCommand, $sWorkingDirectory = @SystemDir)
    Local $iPID = Run(@ComSpec & ' /c ' & $sCommand, $sWorkingDirectory, @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD), $sOutput = ''
    While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then
            ExitLoop
        EndIf
    WEnd
    Return $sOutput
EndFunc   ;==>_RunStdOutRead

Edit: currently I'm too silly to eliminate the brackets with regex and added check when array is <> Mod(Ubound, 5)

Br,

UEZ

Edited June 3, 2012 by UEZ

Robjong · June 2, 2012

Hi,

Your pattern is fine, except for one small part, it's better to use negated character set than a lazy dot.

[(.*?)]
to
[([^]]*)]

And because there is no need to validate, as the format is known, there is no need to match an IPv4 so strictly.

([d.]+:d+) ; the simplest option
([d.]{7,15}:d+) ; same count as IPv4
(d[d.]{5,13}d:d+) ; or if you want to make sure it begins and ends with a digit so it looks more like an IPv4

And since your exploring you could also go for global matching.

#include <Array.au3>
#include <Constants.au3>


$aNetStat = _ParseNetStat()
_ArrayDisplay($aNetStat)


Func _ParseNetStat()
    Local $sData = _RunStdOutRead('netstat -n -b', @SystemDir)
    Local $aArray = StringRegExp($sData, '(w+)h+([d.]{7,15}:d+)h+([d.]{7,15}:d+)h+(w+).*nh*(?:[([^]]+)]|())', 4)
    If @error Then Return SetError(1, 0, False)
    Local $aSubArray, $aReturn[UBound($aArray)][5]
    For $i = 0 To UBound($aArray) - 1
        $aSubArray = $aArray[$i]
        $aReturn[$i][0] = $aSubArray[0]
        $aReturn[$i][1] = $aSubArray[1]
        $aReturn[$i][2] = $aSubArray[2]
        $aReturn[$i][3] = $aSubArray[3]
        $aReturn[$i][4] = $aSubArray[4]
    Next
    Return $aReturn
EndFunc   ;==>_ParseNetStat

Func _RunStdOutRead($sCommand, $sWorkingDirectory = @SystemDir)
    Local $iPID = Run(@ComSpec & ' /c ' & $sCommand, $sWorkingDirectory, @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD), $sOutput = ''
    While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then
            ExitLoop
        EndIf
    WEnd
    Return $sOutput
EndFunc ;==>_RunStdOutRead

@UEZ "Array variable subscript badly formatted." enough said? also (rn|[.*]+) will capture line breaks or inlude the square brackets.

Edit: Updated the script to include TIME_WAIT like entries (without a process name).

Edit 2: addressed the issue mentioned, should now work on every OS.

Edited June 23, 2012 by Robjong

guinness · June 2, 2012

UEZ,

Thanks for that, it worked a lot better than mine did. I also didn't receive the error as Robjong did, strange.

Robjong,

Firstly thanks for the explanation of not using the 'lazy dot' because I do have this tendency to use it. By the way what version of Windows do you have? Because I tried your version and the array didn't populate.

UEZ · June 2, 2012

guinness,

it depends on the output of netstat. That means when the output is unexpected the array calculation will be mixed up and the em will appear.

Robjong's version captures only the established connection and what I'm trying is to get all values. I'm a regex noob I'm trying to get the last token [app.exe] without the brackets which are only available on established status.

Br,

UEZ

Sign In

Parsing netstat using a regular expression.

Recommended Posts

guinness

Link to comment

Share on other sites

UEZ

Link to comment

Share on other sites

Robjong

Link to comment

Share on other sites

guinness

Link to comment

Share on other sites

UEZ

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta