I am trying to figure out a way to natively do this within Windows without having to load any 3rd party applications. When I run:

netstat -ba

I want to find established connections without losing the executable name that is attached to that particular connection.

The original output looks like this:

  TCP    127.0.0.1:5905         My_HOSTNAME:1044        ESTABLISHED
 [agent.exe]
  TCP    127.0.0.1:5905         My_HOSTNAME:1045        ESTABLISHED
 [agent.exe]
  TCP    127.0.0.1:5905         My_HOSTNAME:1047        ESTABLISHED
 [agent.exe]
  TCP    127.0.0.1:5939         My_HOSTNAME:0           LISTENING
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:5939         My_HOSTNAME:47311       ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:9089         My_HOSTNAME:0           LISTENING
 [vmware-converter-a.exe]
  TCP    127.0.0.1:9421         My_HOSTNAME:0           LISTENING
 [netsession_win.exe]
  TCP    127.0.0.1:12656        My_HOSTNAME:33335       ESTABLISHED
 [java.exe]
  TCP    127.0.0.1:19872        My_HOSTNAME:47441       ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:24001        My_HOSTNAME:0           LISTENING
 [fileserver.exe]
  TCP    127.0.0.1:24001        My_HOSTNAME:1078        ESTABLISHED
 [fileserver.exe]
  TCP    127.0.0.1:31000        My_HOSTNAME:32000       ESTABLISHED
 [java.exe]
  TCP    127.0.0.1:32000        My_HOSTNAME:0           LISTENING
 [wrapper.exe]
  TCP    127.0.0.1:32000        My_HOSTNAME:31000       ESTABLISHED
 [wrapper.exe]
  TCP    127.0.0.1:33335        My_HOSTNAME:0           LISTENING
 [postgres.exe]
  TCP    127.0.0.1:33335        My_HOSTNAME:1071        ESTABLISHED
 [postgres.exe]
  TCP    127.0.0.1:33335        My_HOSTNAME:1092        ESTABLISHED
 [postgres.exe]
  TCP    127.0.0.1:33335        My_HOSTNAME:12656       ESTABLISHED
 [postgres.exe]
  TCP    127.0.0.1:47311        My_HOSTNAME:5939        ESTABLISHED
 [TeamViewer.exe]
  TCP    127.0.0.1:47358        My_HOSTNAME:2002        ESTABLISHED
 [LogMeInSystray.exe]
  TCP    127.0.0.1:47389        My_HOSTNAME:62522       ESTABLISHED
 [vpnui.exe]
  TCP    127.0.0.1:47441        My_HOSTNAME:19872       ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:49152        My_HOSTNAME:0           LISTENING
 [omtsreco.exe]
  TCP    127.0.0.1:62514        My_HOSTNAME:0           LISTENING
 [cvpnd.exe]
  TCP    127.0.0.1:62522        My_HOSTNAME:0           LISTENING
 [vpnagent.exe]
  TCP    127.0.0.1:62522        My_HOSTNAME:47389       ESTABLISHED
 [vpnagent.exe]
  TCP    10.97.0.133:7139       My_HOSTNAME:0           LISTENING
 Can not obtain ownership information

When I find the established connections like this:

netstat -ba | find "EST"

It drops the executable names that are displayed in the line above and the output looks like:

TCP    127.0.0.1:47311        My_HOSTNAME:5939        ESTABLISHED
TCP    127.0.0.1:47358        My_HOSTNAME:2002        ESTABLISHED
TCP    127.0.0.1:47389        My_HOSTNAME:62522       ESTABLISHED
TCP    127.0.0.1:47441        My_HOSTNAME:19872       ESTABLISHED
TCP    127.0.0.1:62522        My_HOSTNAME:47389       ESTABLISHED
TCP    10.97.0.13:11523       SPICEWORKS:8080         ESTABLISHED
TCP    10.97.0.13:11537       SPICEWORKS:5556         ESTABLISHED

I would like to be able to return results that look like:

  TCP    127.0.0.1:47441        My_HOSTNAME:19872       ESTABLISHED
[vpnagent.exe]
  TCP    127.0.0.1:62522        My_HOSTNAME:47389       ESTABLISHED
Can not obtain ownership information
  TCP    10.97.0.133:711523     SPICEWORKS:8080         ESTABLISHED
 [vpnui.exe]

or like this:

  TCP    127.0.0.1:47441        My_HOSTNAME:19872       ESTABLISHED [vpnagent.exe]
  TCP    127.0.0.1:62522        My_HOSTNAME:47389       ESTABLISHED Can not obtain ownership information
  TCP    10.97.0.133:711523     SPICEWORKS:8080         ESTABLISHED [vpnui.exe] 

Using only what's built into Windows, how can I achieve this?

AviD
Brad

1 Answer

Depending on the version of Windows you are running, PowerShell should give you what you need.

Something like this:

netstat -ba | Select-String -Pattern "EST" -Context 0,1

Take a look at this TechNet article for some Select-String info:
https://technet.microsoft.com/en-us/library/ff730968.aspx

user70004
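An added example, not part of the answer above: a fixed `-Context` window misses the owner whenever `netstat -b` prints a component name between the connection row and the `[exe]` line, so this sketch parses the output into objects and filters on the state column instead. The function name `ConvertFrom-NetstatB` and the sample lines are constructed for illustration, and PowerShell 3.0 or later is assumed (for `[pscustomobject]`).

```powershell
# Added example: the function name and sample lines are constructed for illustration.
function ConvertFrom-NetstatB {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $current = $null }
    process {
        if ($Line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_\d]+))?\s*$') {
            # New connection row: emit the previous row, now that its owner is known.
            if ($current) { $current }
            $current = [pscustomobject]@{
                Proto = $Matches[1]; Local = $Matches[2]; Remote = $Matches[3]
                State = $Matches[4]; Component = $null; Owner = $null
            }
        }
        elseif (-not $current) { }   # banner and column-header lines before the first row
        elseif ($Line -match '^\s*\[(.+)\]\s*$') { $current.Owner = $Matches[1] }
        elseif ($Line -match 'Can not obtain ownership information') {
            $current.Owner = '(unknown)'
        }
        elseif ($Line.Trim()) { $current.Component = $Line.Trim() }  # hosted component name
    }
    end { if ($current) { $current } }   # flush the last row
}

# Constructed sample in the layout netstat -ba prints (owner on the line after the row).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5939         My_HOSTNAME:47311       ESTABLISHED
 [TeamViewer_Service.exe]
  TCP    127.0.0.1:9089         My_HOSTNAME:0           LISTENING
 [vmware-converter-a.exe]
  TCP    10.97.0.133:49160      My_HOSTNAME:49170       ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    10.97.0.133:7139       My_HOSTNAME:49171       ESTABLISHED
 Can not obtain ownership information
'@ -split "`r?`n"

$sample | ConvertFrom-NetstatB |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    Format-Table Proto, Local, Remote, State, Component, Owner -AutoSize

# Live use, from an elevated prompt (netstat -b requires elevation):
# netstat -ba | ConvertFrom-NetstatB | Where-Object { $_.State -eq 'ESTABLISHED' }
```

Because each connection becomes an object, the result can also be grouped by `Owner` or exported with `Export-Csv` for comparison against a known-good baseline.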