How to Get a List of Active TCP Connections on Domain PCs

Author: Peter Barnett           Date: Nov 16, 2018


Network port numbers can provide critical information about the applications that access computers over the network. Once you know which applications use the network and which ports they use, you can create precise firewall rules and configure remote hosts so that they allow only useful traffic. Active TCP/IP ports on your endpoints can indicate potential malicious activity or exposure to cyber attacks. Getting a list of all active TCP connections on each endpoint on your network is a great first step toward understanding the attack surface, as well as locking down your network against future security incidents and ransomware. The information should include source and destination IP address and port, process info and other data. This manual describes some streamlined ways to create a list of active TCP connections on Windows operating systems, including how to get TCP connections with PowerShell.




Manually:

1. Execute a WMI Query in the ROOT\StandardCIMV2 Namespace:

   - Launch WMI Explorer or any other tool that can run WMI queries.
   - Run the WMI query: SELECT * FROM MSFT_NetTCPConnection

2. Run This Simple Windows PowerShell Script:

   - through a WMI object: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName

3. Use the Following Code to Select Specific Columns:

   - execute: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName

4. Sort the Results Using the Line Below:

   - invoke command: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Sort-Object RemoteAddress

5. The Next Code Helps to Filter Results:

   - use it: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Where-Object -FilterScript {$_.RemoteAddress -like "192.168.*"}

6. Save Results to a CSV File:

   - run: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Export-Csv "c:\file.csv" -Append -NoTypeInformation

7. The Next Step Is to Query Multiple Computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like 'Windows 10*'} | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -ComputerName $_.Name}
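The steps above combined into one script, as an added example that is not part of the original article: it queries each host, keeps only established connections, resolves OwningProcess to a process name and path through Win32_Process, skips hosts that cannot be reached, and writes a single CSV. The function name Get-RemoteTcpConnection and the paths C:\computers.txt and C:\tcp-connections.csv are assumptions; Get-WmiObject requires Windows PowerShell 5.1 or earlier.

```powershell
# Added example (not from the original article).
# Assumed names: Get-RemoteTcpConnection, C:\computers.txt, C:\tcp-connections.csv.
function Get-RemoteTcpConnection {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$State = 5   # MSFT_NetTCPConnection.State: 2 = Listen, 5 = Established
    )
    foreach ($computer in $ComputerName) {
        try {
            # Filter on the remote side so only matching rows cross the network.
            $connections = Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection `
                -ComputerName $computer -Filter "State = $State" -ErrorAction Stop
            # Build a PID -> process lookup once per host instead of once per connection.
            $processes = @{}
            Get-WmiObject -Class Win32_Process -ComputerName $computer -ErrorAction Stop |
                ForEach-Object { $processes[[int]$_.ProcessId] = $_ }
        }
        catch {
            # Offline host, blocked RPC or access denied: report it and move on.
            Write-Warning "Skipping ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($c in $connections) {
            # Loopback connections never leave the host, so leave them out of the report.
            if ($c.RemoteAddress -in '127.0.0.1', '::1') { continue }
            $p = $processes[[int]$c.OwningProcess]
            [pscustomobject]@{
                ComputerName  = $computer
                LocalAddress  = $c.LocalAddress
                LocalPort     = $c.LocalPort
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                ProcessId     = $c.OwningProcess
                # The process may exit between the two queries.
                ProcessName   = if ($p) { $p.Name } else { '<exited>' }
                ProcessPath   = if ($p) { $p.ExecutablePath } else { $null }
            }
        }
    }
}

# One host name per line, as in step 7; blank lines are ignored.
Get-Content -Path C:\computers.txt |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-RemoteTcpConnection -ComputerName $_.Trim() } |
    Sort-Object ComputerName, RemoteAddress |
    Export-Csv -Path C:\tcp-connections.csv -NoTypeInformation
```

Sorting the CSV by RemoteAddress and ProcessName makes it easy to see which executable on which host owns each outbound connection when drafting firewall rules.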

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for Free:

  

Fully functional free edition for up to 10 endpoints with no expiration date.

Step 2 - Type Your Question in Plain English:

[Screenshot: search query]

Step 3 - Set Filters, If Necessary:

[Screenshot: set filters]

Step 4 - See Results from All Endpoints in Seconds:

Endpoint Name        Local Address          Process Id   Remote Address
mac.widgets.local    192.168.0.245:59343    3422         23.100.122.175:443
fred.widgets.local   192.168.0.213:59213    2342         205.251.242.103:80
ray.widgets.local    192.168.0.223:58144    7643         96.43.145.26:3389



Action1 is a cloud-based platform for patch management, software deployment, software/hardware inventory, endpoint management and endpoint configuration reporting. It is free with basic functionality.



