Jun 03

Recently I decided that I needed a copy of an ‘fport’ program for Windows that would let me see what program was making connections out of my computer. Unfortunately, my Anti-Virus software warned me that the website where it is posted was on the known virus websites list, so I just decided to make my own.

I started looking around for a programmatic way to do what the normal ‘netstat’ program does, but everything I found was rather involved…and since I didn’t want to spend a whole lot of time on it, I cheated and just used the output from the ‘netstat -aon’ command and then did a quick lookup of the returned PID to find the program.

The result is the following code:

#
#  fport.rb
#
#  Lists established connections from 'netstat -aon' and resolves each
#  PID to its command line through WMI (Win32_Process).
#

require 'exo/iswindows'   # adds String#isWindows? (author's own library)
require 'exo/texttable'   # TextTable from the earlier post
require 'win32ole'

if not RUBY_PLATFORM.isWindows?
   puts "This program only runs under Windows!"
   exit
end

tt = {
  "name" => ["Proto","Src","Dst","Status", "Pid", "Process"],
  "width"=> [5,23,23,12,6,50],
  "wordwrap"=> true
}
out = TextTable.new(tt)

wmi = WIN32OLE.connect("winmgmts:{impersonationLevel=impersonate}!//./root/cimv2")

# Read netstat's output through a pipe instead of shelling out per line.
ns = IO.popen("netstat -aon")

ln = 0
ns.each_line do |l|
  if ln < 4    ## Skip the header (blank, "Active Connections", blank, column names)
    ln += 1
    next
  end
  # Drop localhost, wildcard/LISTENING and TIME_WAIT lines; only live connections remain.
  if not l[/127\.0\.0\.1/] and not l[/0\.0\.0\.0/] and not l[/\*\:\*/] and not l[/\[\:\:\]/] and not l[/TIME_WAIT/]
    aa = l.split(" ")    # => [proto, local, remote, state, pid]
    if aa[4].to_i == 0
      aa[5] = "System Idle Process"
    end
    if aa[4].to_i == 4
      aa[5] = "SYSTEM"
    end
    if aa[4].to_i > 4
      # Interpolate the PID as an integer so only a number ever reaches the WQL query.
      ps = wmi.ExecQuery("Select * from Win32_Process Where ProcessId = #{aa[4].to_i}")
      aa[5] = " "        # blank if the process has already exited
      ps.each do |p|
        aa[5] = p.CommandLine.to_s
      end
    end
    puts out.printrow(aa)
  end
end
ns.close
puts out.printLine()

The program uses my TextTable class from a previous post. It runs the ‘netstat -aon’ command and then filters out the localhost IPs and the wildcard LISTEN lines, since I was only interested in seeing what was currently connected. The output should look something like this:

C:\John\Dev\Serv12\Ruby\Windows>ruby fport.rb
+======+========================+========================+=============+=======+===================================================+
| Proto| Src                    | Dst                    | Status      | Pid   | Process                                           |
+======+========================+========================+=============+=======+===================================================+
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:2492     | xx.xx.xxx.xxx:2492     | ESTABLISHED | 4136  | "C:\Program Files\Microsoft Office\Office12\GROOVE|
|      |                        |                        |             |       | .EXE" -background                                 |
| TCP  | 10.100.145.27:49187    | 10.100.145.44:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49188    | 10.100.145.42:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49195    | 10.100.145.12:139      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49199    | 10.100.145.14:445      | ESTABLISHED | 4     | SYSTEM                                            |
| TCP  | 10.100.145.27:49243    | xx.xx.xxx.xxx:443      | ESTABLISHED | 1144  | "C:\Program Files\Skype\Phone\Skype.exe" /nosplash|
|      |                        |                        |             |       |  /minimized                                       |
| TCP  | 10.100.145.27:49305    | x.xx.x.xx:443          | ESTABLISHED | 5280  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\Aster|
|      |                        |                        |             |       | iskNOW\AsteriskNOW.vmx"                           |
| TCP  | 10.100.145.27:49307    | xx.xx.xxx.xxx:80       | ESTABLISHED | 5294  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\DevSe|
|      |                        |                        |             |       | rver4\DevServer4.vmx"                             |
| TCP  | 10.100.145.27:49308    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49309    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49310    | x.xx.x.xx:443          | ESTABLISHED | 5325  | "C:\Program Files\VMware\VMware Player\vmplayer.ex|
|      |                        |                        |             |       | e" "C:\Users\John\Documents\Virtual Machines\RoRSe|
|      |                        |                        |             |       | v2\RoRSev2.vmx"                                   |
| TCP  | 10.100.145.27:49330    | xx.xx.xxx.xxx:80       | ESTABLISHED | 2988  | "C:\Program Files\CounterPath\X-Lite\x-lite.exe"  |
+------+------------------------+------------------------+-------------+-------+---------------------------------------------------+

I have removed some of the IP addresses just for safety’s sake, but you should get the idea of how it works.
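The parsing and filtering step above, as an added example that is not the post's own code: it applies the same header skip, the same exclusion patterns and the same PID 0/4 special cases to a constructed sample of ‘netstat -aon’ output, with the WMI lookup replaced by an in-memory PID table so it runs on any platform. SAMPLE_NETSTAT, COMMAND_LINES and the function names are assumptions of this example.

```ruby
# Constructed sample of what "netstat -aon" prints (blank, title, blank, header, rows).
SAMPLE_NETSTAT = [
  "",
  "Active Connections",
  "",
  "  Proto  Local Address          Foreign Address        State           PID",
  "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
  "  TCP    10.0.0.5:49187         10.0.0.44:445          ESTABLISHED     4",
  "  TCP    10.0.0.5:49243         203.0.113.9:443        ESTABLISHED     1144",
  "  TCP    10.0.0.5:49250         203.0.113.9:443        TIME_WAIT       0",
  "  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED     2200",
  "  TCP    [::]:445               [::]:0                 LISTENING       4",
  "  UDP    0.0.0.0:500            *:*                                    1372",
].join("\n") + "\n"

# Constructed stand-in for the Win32_Process query: PID => CommandLine.
COMMAND_LINES = { 1144 => '"C:\Program Files\Skype\Phone\Skype.exe" /nosplash' }

HEADER_LINES = 4
# Same exclusions as the post: loopback, wildcard listeners, UDP "*:*", IPv6 any, TIME_WAIT.
SKIP = [/127\.0\.0\.1/, /0\.0\.0\.0/, /\*:\*/, /\[::\]/, /TIME_WAIT/]

# PIDs 0 and 4 are fixed kernel PIDs on Windows; everything else is looked up.
def process_name(pid, table)
  return "System Idle Process" if pid == 0
  return "SYSTEM" if pid == 4
  table.fetch(pid, " ")   # blank when the process is gone, as in the post
end

# Returns one row per kept connection: [proto, src, dst, state, pid, process].
def connection_rows(netstat_output, table)
  rows = []
  netstat_output.each_line.with_index do |line, idx|
    next if idx < HEADER_LINES
    next if SKIP.any? { |re| line.match?(re) }
    proto, src, dst, state, pid = line.split
    next unless pid                      # state-less (UDP) or malformed line
    pid = pid.to_i
    rows << [proto, src, dst, state, pid, process_name(pid, table)]
  end
  rows
end

if $PROGRAM_NAME == __FILE__
  connection_rows(SAMPLE_NETSTAT, COMMAND_LINES).each { |r| puts r.join(" | ") }
end
```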
