netstat with process name?

46

8

Using netstat -a -o -n I can get the list of ports and PID

Then I need to go to Task Manager and add the PID and see who it is. (pretty frustrating)


I was wondering if there is a CMD command which does it all (using find, for, powershell)

so that I could get the process name

Royi Namir

Posted 2014-01-26T16:07:42.660

Reputation: 4 568

netstat -b as admin, e.g. netstat -abon. And the name of the exe is below – barlop – 2016-05-13T05:03:23.357

Answers

56

Solution

Use the -b parameter:

  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.

Note: The netstat -b command will fail unless run from an elevated command prompt.

Workaround

Filter the process list and find the PID you're interested in:

tasklist | findstr /c:"PID"  


Alternate solution

You can use Tcpvcon.exe instead. No admin rights required.

Tcpvcon usage is similar to that of the built-in Windows netstat utility.

Usage: tcpvcon [-a] [-c] [-n] [process name or PID]

 -a Show all endpoints (default is to show established TCP connections).
 -c Print output as CSV.
 -n Don't resolve addresses.

and31415

Posted 2014-01-26T16:07:42.660

Reputation: 13 382

good answer, just commenting that I think it's amusing how the ms /? documentation even says "this option can be time-consuming" ! and it's purely a stupidity of windows that it is time consuming. Linux's netstat does its executable name showing fast. And also linux's executable name showing doesn't require root/admin privileges – barlop – 2016-05-13T05:05:55.157

1 you're the man. – Royi Namir – 2014-01-26T19:14:40.077

8

I think you are looking for TCPView from SysInternals.

Leptonator

Posted 2014-01-26T16:07:42.660

Reputation: 441

Very good tool suite.. if it wasn't for msys and sis I'd be using a nix box. :) – Eddie B – 2015-08-07T18:38:18.697

Here is another way to approach this. Have a look here - http://alternativeto.net/software/tcpviews/

– Leptonator – 2015-08-07T19:01:28.040

I was wondering if there is a CMD command which does it all – Royi Namir – 2014-01-26T16:13:17.213

Keep going - There is a command-line component of TCPView.. – Leptonator – 2014-01-26T16:14:27.020

oh ok. thought maybe someone already done it using for,find etc. – Royi Namir – 2014-01-26T16:15:00.550

It should not be too hard to do.. I would bet http://www.robvanderwoude.com has something on it. Per the TCPView Page - "The TCPView download includes Tcpvcon, a command-line version with the same functionality."

– Leptonator – 2014-01-26T16:16:29.247

2

If you're fond of using PS, you can fork this code (note: it's super-basic)

$nets = netstat -ano | select-string LISTENING
foreach($n in $nets){
    # make split easier PLUS make it a string instead of a match object:
    $p = $n -replace ' +',' '
    # make it an array:
    $nar = $p.Split(' ')
    # pick last item (the PID) and look the process up once:
    $proc = Get-Process -id $nar[-1]
    $pname = $proc.ProcessName
    $ppath = $proc.Path
    # print the modified line with path and processname instead of PID;
    # the pattern is anchored to the end of the line so the same digits
    # inside an address or port number are left alone:
    $n -replace "\b$($nar[-1])\s*$","$($ppath) $($pname)"
}

Note that you can try Path instead of ProcessName to get a full executable path - it won't work with system services though. Also, you may want to append the ProcessName to the end of the line instead of replacing the PID value.

Enjoy it ;)

Erik Bitemo

Posted 2014-01-26T16:07:42.660

Reputation: 21
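
The same join of netstat rows to process names, as an added example that is not part of the original answer: it returns objects instead of edited text lines, takes one Get-Process snapshot, handles UDP rows (which have no State column) and keeps rows whose PID cannot be resolved. The function name ConvertFrom-NetstatLine, the sample rows and the lookup table are constructed for illustration.

```powershell
# Added example (not from the thread): parse `netstat -ano` rows into objects
# and join each owning PID to a process name from a single Get-Process snapshot.
function ConvertFrom-NetstatLine {        # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)][string]$Line,
        [hashtable]$ProcessById           # optional PID -> process lookup
    )
    begin {
        if ($null -eq $ProcessById) {     # one snapshot, not one lookup per row
            $ProcessById = @{}
            Get-Process | ForEach-Object { $ProcessById[$_.Id] = $_ }
        }
    }
    process {
        $f = -split $Line                 # split on runs of whitespace
        # keep only data rows; headers and blank lines are skipped
        if (($f.Count -lt 4) -or ($f[0] -notin 'TCP', 'UDP')) { return }
        $procId = [int]$f[-1]             # PID is always the last column
        $proc = $ProcessById[$procId]
        [pscustomobject]@{
            Proto  = $f[0]
            Local  = $f[1]
            Remote = $f[2]
            # UDP rows have no State column, so they split into 4 fields, TCP into 5
            State  = if ($f.Count -ge 5) { $f[3] } else { '' }
            PID    = $procId
            # a PID can be missing if the process exited after netstat ran
            Name   = if ($proc) { $proc.ProcessName } else { '<not in snapshot>' }
            Path   = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Constructed sample rows in `netstat -ano` layout, with a constructed lookup table
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4240
  TCP    [::]:443               [::]:0                 LISTENING       4240
  UDP    0.0.0.0:5353           *:*                                    1812
'@ -split "`r?`n"
$known = @{ 4240 = [pscustomobject]@{ ProcessName = 'tomcat8'; Path = 'C:\example\tomcat8.exe' } }
$sample | ConvertFrom-NetstatLine -ProcessById $known | Format-Table -AutoSize

# Live use: netstat -ano | ConvertFrom-NetstatLine | Where-Object State -eq 'LISTENING'
```

A listener whose Name comes back as the placeholder, or whose Path is empty, is one to re-check from an elevated prompt.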

2

Here is an example for windows using FOR to parse netstat output then DO tasklist with /fi filter on pid to show process name.

The last find is to remove tasklist headers.

FOR /F "usebackq tokens=5 delims= " %i IN (`netstat -ano ^|find "443"`) DO @tasklist /fi "pid eq %i" | find "%i"

prints output records like

tomcat8.exe.x64               4240 Services                   0    931,864 K

Additional fields from netstat can be added by adding tokens.

mark

Posted 2014-01-26T16:07:42.660

Reputation: 121

Pros of this solution include: 1. using find to filter out ports (in contrast, although netstat -b can provide the process name directly, going through its output to search manually is painful and error-prone); 2. using Windows native commands only, which is more flexible and independent. – Yingyu YOU – 2016-08-09T05:31:50.067

1 Possible improvement: 1. to use findstr with /R option instead of find to utilize regex for better searching; 2. to use ":443 *[[0-9]" as the pattern to filter out local port only. The whole command could be FOR /F "usebackq tokens=5 delims= " %i IN (`netstat -ano ^|findstr /R /C:":443 *[[0-9]"`) DO @tasklist /fi "pid eq %i" | findstr "%i" – Yingyu YOU – 2016-08-09T05:55:22.443

@DavidPostill or @mark Could you clarify "Additional fields from netstat can be added by adding tokens."? – Yves Schelpe – 2017-02-02T10:06:49.560

1

Try to use this...

Process name with time stamp :) in oneliner... no need scripting fast and easy ...

You can change param SYN_SENT by ESTABLISHED or LISTENING

filter timestamp {"$(Get-Date -Format G): $_"};netstat -abno 1 | Select-String -Context 0,1 -Pattern LISTENING|timestamp

filter timestamp {"$(Get-Date -Format G): $_"};netstat -abno 1 | Select-String -Context 0,1 -Pattern SYN_SENT|timestamp

Jhon Willmaure

Posted 2014-01-26T16:07:42.660

Reputation: 11

I used this with a pattern on the ip:port I wanted to observe. Great snippet! – Alex – 2019-08-13T15:27:09.623

0

Very nice Erik Bitemo! I was thinking of adding a variable for the path then I realized you already have that although it was not defined. So the code I reused was:

$nets = netstat -ano | select-string LISTENING
foreach ($n in $nets) {
    # make split easier PLUS make it a string instead of a match object
    $p = $n -replace ' +',' '
    # make it an array
    $nar = $p.Split(' ')
    # pick last item (the PID) and look the process up once
    $proc = Get-Process -id $nar[-1]
    $pname = $proc.ProcessName
    $ppath = $proc.Path
    # print the modified line with path and processname instead of PID;
    # the pattern is anchored to the end of the line so the same digits
    # inside an address or port number are left alone
    $n -replace "\b$($nar[-1])\s*$","$($ppath) $($pname)" | where {$pname -like "*GMSVP*"}
}

I was trying to find the processes and services for an application where I used a somewhat different 2 liner.

Get-Service | select status,name,displayname,servicename | where {($_.DisplayName -like "myserv*") -or ($_.servicename -like "post*")} | ft -auto

Get-Process | select id, processname,cpu,path,description | where {$_.path -like "*myserv*"} | ft -auto

Ratan Mohapatra

Posted 2014-01-26T16:07:42.660

Reputation: 1

I edited Erik's question to include your fix, so if you wish, you could delete it from your answer and concentrate on your approach with Get-Service and Get-Process. – flolilo – 2017-10-07T13:17:46.840