spudw2k

_NetStat_GetData

11 posts in this topic

#1 ·  Posted (edited)

An oldie but goodie, I was cleaning house and found this old snippet I made back in Apr 2013.  It still has some utility, so I figured I'd share it.

It runs netstat and populates the output into an array. Pretty simple.

#include <Constants.au3>
#include <Process.au3>
#include <Array.au3>

Local $aNetStatData = _NetStat_GetData()
_ArrayDisplay($aNetStatData)

Func _NetStat_GetData($bAddProcessName = True)
    Local $aNetStatData = _NetStat_ProcessOutput(_NetStat_GetOutput())
    If $bAddProcessName Then _NetStat_AddProcessName($aNetStatData)
    Return $aNetStatData
EndFunc

Func _NetStat_GetOutput()   ;Run netstat CMD and get StdOut
    Local $sNetStatOutput = _RunCMD("netstat.exe -a -o -f")
    Return $sNetStatOutput
EndFunc

Func _NetStat_ProcessOutput($sNetStatOutput)    ;Convert netstat StdOut to Array
    Local $arr = StringSplit(StringStripWS($sNetStatOutput,4),@CR)
    Local $aRecord
    Dim $aNetStatData[1][5]=[["Protocol","Local Address","Foreign Address","State","PID"]]
    ReDim $aNetStatData[$arr[0]-3][5]
    For $iX = 1 To UBound($aNetStatData)-1
        $aRecord = StringSplit($arr[$iX+3]," ")
        If $aRecord[1]="TCP" Then
            For $iY = 0 to $aRecord[0]-1
                $aNetStatData[$iX][$iY] = $aRecord[$iY+1]
            Next
        ElseIf $aRecord[1]="UDP" Then
            For $iY = 0 to $aRecord[0]-2
                $aNetStatData[$iX][$iY] = $aRecord[$iY+1]
            Next
            $aNetStatData[$iX][4] = $aRecord[4]
        EndIf
    Next
    Return $aNetStatData
EndFunc

Func _NetStat_AddProcessName(ByRef $aNetStatData)   ;Add processname to NetStat Array
    ;Create NetStat PID / Process Name Array
    Local $aPIDs = _ArrayUnique($aNetStatData,4,0,0,0)
    _ArrayColInsert($aPIDs,1)
    $aPIDs[0][1] = "Process Name"
    For $iX = 1 To UBound($aPIDs)-1
        $aPIDs[$iX][1] = _ProcessGetName($aPIDs[$iX][0])
    Next
    ;Add Process Names to NetStat Array
    _ArrayColInsert($aNetStatData,5)
    $aNetStatData[0][5] = "Process Name"
    For $iX = 1 to UBound($aNetStatData)-1
        Local $sProcessName = $aPIDs[_ArraySearch($aPIDs, $aNetStatData[$iX][4])][1]
        If $sProcessName Then $aNetStatData[$iX][5] = $sProcessName
    Next
EndFunc

Func _RunCMD($sCMD)
    ;Run CMD and Return StdOut
    Local $iPID = Run(@ComSpec & " /c " & $sCMD, @SystemDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
    Local $sStdOut
    While 1
        $sStdOut &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd
    Return $sStdOut
EndFunc

 

Edited by spudw2k
3 people like this
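The TCP/UDP column handling in the snippet above, sketched in Python as an added example (not spudw2k's code): UDP rows have no State field, so the PID is the fourth token rather than the fifth. It goes one step further and groups established connections to non-loopback peers by owning PID; it assumes numeric `netstat -a -n -o` output rather than the `-f` names the original requests, and the sample rows and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -a -n -o` output, not captured from a real host.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    127.0.0.1:5354         127.0.0.1:49670        ESTABLISHED     3012
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4812
  TCP    192.168.1.20:49720     198.51.100.7:8080      ESTABLISHED     4812
  TCP    [::1]:49680            [::1]:49681            ESTABLISHED     2244
  UDP    0.0.0.0:5353           *:*                                    3012
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":
            (proto, local, foreign, pid), state = fields, ""
        else:
            continue  # banner, header, blank or wrapped line
        if pid.isdigit():
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows

def peer_host(endpoint):
    """Split on the last colon so a bracketed IPv6 host stays in one piece."""
    return endpoint.rpartition(":")[0].strip("[]")

def is_remote(host):
    """False for loopback, unspecified and '*'; unresolved names count as remote."""
    try:
        ip = ipaddress.ip_address(host.split("%")[0])
    except ValueError:
        return host != "*"
    return not (ip.is_loopback or ip.is_unspecified)

def established_by_pid(rows):
    """Group ESTABLISHED connections to non-loopback peers by owning PID."""
    grouped = defaultdict(list)
    for row in rows:
        if row["state"] == "ESTABLISHED" and is_remote(peer_host(row["foreign"])):
            grouped[row["pid"]].append(row["foreign"])
    return dict(grouped)
```

Calling `established_by_pid(parse_netstat(SAMPLE))` leaves only PID 4812 with its two outbound peers; the loopback pairs and listeners drop out.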




👍 


Earthshine
A beacon in the night
I can raise my eyes to 
Earthshine -- RUSH, Earthshine - Vapor Trails


#3 ·  Posted (edited)

dude, this rules! thanks! you can almost tell if you've been hacked by running that report! nice. 

I use TcpView to see if I am hacked usually, scanning with tools always as well. I am going to see if we can't add those extra columns if you won't... LOL

 

tcpview.PNG

NetStatReport.PNG

Edited by Earthshine


😂 



#6 ·  Posted (edited)

Did a little code cleanup / restruct and added functionality to add process name--as determined by PID--to the array by default.

Edited by spudw2k
1 person likes this


#7 ·  Posted (edited)

Thanks! I wanted to do this, but I’m in another project right now; automation in C-sharp is awesome. Anyway, now I don’t have to.

Edited by Earthshine


#8 ·  Posted

Thanks for this man. I can get a lot of use out of it.

1 person likes this


 

"If a vegetarian eats vegetables,What the heck does a humanitarian eat?"

"I hear voices in my head, but I ignore them and continue on killing."

"You have forced me to raise the indifference warning to beige, it's a beige alert people. As with all beige alerts please prepare to think about the possibility of caring."

An optimist says that giving someone power DOESN'T immediately turn them into a sadist. A pessimist says that giving someone power doesn't IMMEDIATELY turn them into a sadist.

 

 


#9 ·  Posted (edited)

update. it works but really slow on win10 for some reason. on 2008R2 it seems just fine

Edited by Earthshine


#10 ·  Posted (edited)

snip

Edited by Earthshine


#11 ·  Posted (edited)

Solved the problem!

I was mucking around on my host box and had installed/enabled the Hyper-V stuff, and it added a default switch that was really slowing me down; even a netstat -ao would bog... now it's all snappy with no changes to code

THANKS AGAIN dude! this is coolness

Edited by Earthshine

