Recently I decided that I needed a copy of an ‘fport’ program for Windows that would let me see what program was making connections out of my computer. Unfortunately, my Anti-Virus software warned me that the website where it is posted was on the known virus websites list, so I just decided to make my own.
I started looking around for a programmatic way to do what the normal ‘netstat’ program does, but everything I found was rather involved…and since I didn’t want to spend a whole lot of time on it, I cheated and just used the output from the ‘netstat -ano’ command and then did a quick lookup of the returned PID to find the program.
The result is the following code:
#
# fport.rb
#
require 'exo/iswindows'
require 'exo/texttable'
require 'win32ole'

unless RUBY_PLATFORM.isWindows?
  puts "This program only runs under Windows!"
  exit
end

# Column layout for the TextTable output
tt = {
  "name"     => ["Proto", "Src", "Dst", "Status", "Pid", "Process"],
  "width"    => [5, 23, 23, 12, 6, 50],
  "wordwrap" => true
}
out = TextTable.new(tt)

# WMI maps a PID to the command line that started the process
wmi = WIN32OLE.connect("winmgmts:{impersonationLevel=impersonate}!//./root/cimv2")

# IO.popen replaces the deprecated pipe form of Kernel#open
ns = IO.popen("netstat -aon")
ln = 0
ns.each_line do |l|
  if ln < 4 ## Skip the header
    ln += 1
    next
  end
  # Drop localhost, wildcard/LISTEN and TIME_WAIT lines
  if not l[/127\.0\.0\.1/] and not l[/0\.0\.0\.0/] and not l[/\*\:\*/] and not l[/\[\:\:\]/] and not l[/TIME_WAIT/]
    aa = l.split(" ")
    next if aa.size < 5 # blank or short line: no PID column to read
    pid = aa[4].to_i
    if pid == 0
      aa[5] = "System Idle Process"
    end
    if pid == 4
      aa[5] = "SYSTEM"
    end
    if pid > 4
      # Interpolate the integer, not the raw netstat text, into the WQL query
      ps = wmi.ExecQuery("Select * from Win32_Process Where ProcessId = #{pid}")
      aa[5] = " "
      ps.each do |p|
        aa[5] = p.CommandLine.to_s
      end
    end
    puts out.printrow(aa)
  end
end
ns.close
puts out.printLine()
The program uses my TextTable class from a previous post. It runs the ‘netstat -aon’ command and then filters out the localhost IPs and the wildcard LISTEN lines, since I was only interested in seeing what was currently connected. The output should look something like this:
C:\John\Dev\Serv12\Ruby\Windows>ruby fport.rb
+======+========================+========================+=============+=======+===================================================+
| Proto| Src                    | Dst                    | Status      | Pid   | Process                                           |
+======+========================+========================+=============+=======+===================================================+
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:49187    | 10.100.145.44:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49188    | 10.100.145.42:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49195    | 10.100.145.12:139      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49199    | 10.100.145.14:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49243    | xx.xx.xxx.xxx:443      | ESTABLISHED | 1144  | "C:\Program Files\Skype\Phone\Skype.exe" /nosplash|
|      |                        |                        |             |       | /minimized                                        |
| TCP  | 10.100.145.27:49305    | x.xx.x.xx:443          | ESTABLISHED | 5280  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\Aster|
|      |                        |                        |             |       | iskNOW\AsteriskNOW.vmx"                           |
| TCP  | 10.100.145.27:49307    | xx.xx.xxx.xxx:80       | ESTABLISHED | 5294  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\DevSe|
|      |                        |                        |             |       | rver4\DevServer4.vmx"                             |
| TCP  | 10.100.145.27:49308    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49309    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49310    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49330    | xx.xx.xxx.xxx:80       | ESTABLISHED | 2988  | "C:\Program Files\CounterPath\X-Lite\x-lite.exe"  |
+------+------------------------+------------------------+-------------+-------+---------------------------------------------------+
I have removed some of the IP addresses just for safety's sake, but you should get the idea of how it works.
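As an added example (not part of the original post), the same netstat-parsing step can be written to cope with UDP rows, which have no State column, and to group connections by PID so each process only has to be looked up once. The sample output, the `Conn` struct and the function names are constructed for illustration.

```ruby
# Added example, not the post's code. SAMPLE is constructed `netstat -ano`
# output using documentation address ranges.
Conn = Struct.new(:proto, :src, :dst, :state, :pid)

SAMPLE = <<~OUT

  Active Connections

    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
    TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1520
    TCP    192.0.2.10:49187       192.0.2.44:445         ESTABLISHED     4
    TCP    192.0.2.10:49243       198.51.100.7:443       ESTABLISHED     1144
    TCP    192.0.2.10:49244       198.51.100.7:443       ESTABLISHED     1144
    TCP    192.0.2.10:49250       198.51.100.7:80        TIME_WAIT       0
    TCP    [::]:445               [::]:0                 LISTENING       4
    UDP    0.0.0.0:5355           *:*                                    1340
OUT

# The addresses the post filters out, anchored to the parsed address field
# instead of being matched anywhere in the line.
LOCAL = /\A(127\.0\.0\.1|0\.0\.0\.0|\[::\]|\*):/

# Turn raw netstat text into Conn records. Rows are recognised by their
# protocol field, so banner and header lines need no line counting.
def parse_netstat(text)
  text.each_line.filter_map do |line|
    f = line.split
    next unless %w[TCP UDP].include?(f[0])
    case f.size
    when 5 then Conn.new(f[0], f[1], f[2], f[3], Integer(f[4], 10))
    when 4 then Conn.new(f[0], f[1], f[2], nil, Integer(f[3], 10)) # UDP: no State
    end
  rescue ArgumentError
    nil # PID field was not a plain decimal number: drop the row
  end
end

# Keep only live remote connections and group them by owning PID, so a
# caller needs one process lookup (WMI, tasklist, ...) per PID, not per row.
def established_by_pid(text)
  parse_netstat(text)
    .reject { |c| c.state == "TIME_WAIT" || LOCAL.match?(c.src) || LOCAL.match?(c.dst) }
    .group_by(&:pid)
end

established_by_pid(SAMPLE).each do |pid, conns|
  conns.each { |c| puts format("%-4s %-20s %-20s %-12s %d", c.proto, c.src, c.dst, c.state, pid) }
end
```

Because the PID is converted with `Integer(..., 10)`, anything that is not a plain decimal number is rejected before it could reach a process query.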






