{"id":73881,"date":"2015-08-19T00:01:00","date_gmt":"2015-08-19T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/08\/19\/parsing-netstat-information-with-powershell-5\/"},"modified":"2019-02-18T09:35:35","modified_gmt":"2019-02-18T16:35:35","slug":"parsing-netstat-information-with-powershell-5","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/parsing-netstat-information-with-powershell-5\/","title":{"rendered":"Parsing NetStat Information with PowerShell 5"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about parsing output from <\/span>NetStat<\/b> with Windows PowerShell 5.0.<\/span><\/p>\n

\"Hey, Hey, Scripting Guy! I need a good way to parse output from the NetStat<\/b> command. I use it all the time, but it ends up requiring me to spend a lot of time looking through stuff. I am not sure if the command itself has a filter language or what, but I really need to be able to parse on the fly.<\/p>\n

I have even gone so far as run the command, copy it to the clipboard, paste it into Notepad, and then go through the Notepad file adding characters so I could import it into Excel and filter the output. But obviously, that is a lot of work. I really need to be able to see stuff like what connections are open, closed, and suspended. Can you help me?<\/p>\n

—JK<\/p>\n

\"Hey, Hello JK,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. It hasn’t started raining yet, but I am sure it will. I mean, summer in central Florida? There are two things one can count on: an afternoon thunder storm and humidity. Lots and lots of humidity. I am not sure what people did before air conditioning around here. Maybe they lived in St. Augustine where they could go to the beach every day.<\/p>\n

Anyway, just like I can count on a summer thunderstorm in central Florida, I can also count on the fact that I am going to have to parse text at some point. Luckily that task just took a giant leap towards simplicity with the new ConvertFrom-String<\/b> cmdlet in Windows PowerShell 5.0.<\/p>\n

JK, parsing output from NetStat<\/b> just got a whole lot easier. In the past, I have written complicated scripts to parse the output from NetStat<\/b>. I mean it was nearly 20 or so lines long, and it took me a couple of days to accomplish it—but in the end, I was able to output objects that permitted me to filter my output. It was worth it. But as of Windows PowerShell 5.0, the script is completely obsolete.<\/p>\n

Capture the output<\/h2>\n

The first thing I want to do is to capture the output from NetStat<\/b>. I like to store the results from the command into a variable because the output from NetStat<\/b> is always a bit slow appearing. By capturing the output into a variable, I can effectively work offline. This command is shown here:<\/p>\n

$a = netstat<\/p>\n

When I look at the output from the information stored in my variable, I can see that there are a couple of lines that I do not need:<\/p>\n

PS C:\\> $a<\/p>\n

Active Connections<\/p>\n

  Proto  Local Address          Foreign Address        State<\/p>\n

What I want is an easy way to skip the first few lines, but keep the remainder of the output. Luckily, I know exactly how many lines are in the variable—it is $a.count<\/b>. So, I create a range that skips the first few lines, and continues to the end of my data. This is shown here:<\/p>\n

PS C:\\> $a[3..$a.count]<\/p>\n

  Proto  Local Address          Foreign Address        State<\/p>\n

  TCP    192.168.0.2:56798      bn1wns2011304:https    ESTABLISHED<\/p>\n

  TCP    192.168.0.2:56852      bn1wns1011219:https    ESTABLISHED<\/p>\n

  TCP    192.168.0.2:57076      a184-27-27-179:https   ESTABLISHED<\/p>\n

  TCP    192.168.0.2:57080      a184-29-178-13:https   CLOSE_WAIT<\/p>\n

<truncated><\/p>\n

Now I need to convert the output to objects by using the ConvertFrom-String<\/b> cmdlet. By default, it will use spaces to create a property on the new object. This is great, because my output from NetStat<\/b> is delimited by spaces. But, when I look at my output, I see that there must be a leading space, so P1 is empty:<\/p>\n

PS C:\\> $a[3..$a.count] | ConvertFrom-String<\/p>\n

P1 :<\/p>\n

P2 : Proto<\/p>\n

P3 : Local<\/p>\n

P4 : Address<\/p>\n

P5 : Foreign<\/p>\n

P6 : Address<\/p>\n

P7 : State<\/p>\n

P1 :<\/p>\n

P2 : TCP<\/p>\n

P3 : 192.168.0.2:56798<\/p>\n

P4 : bn1wns2011304:https<\/p>\n

P5 : ESTABLISHED<\/p>\n

P1 :<\/p>\n

P2 : TCP<\/p>\n

P3 : 192.168.0.2:56852<\/p>\n

P4 : bn1wns1011219:https<\/p>\n

P5 : ESTABLISHED<\/p>\n

<truncated><\/p>\n

I simply use Select-Object<\/b> to select properties P2, P3, P4, and P5:<\/p>\n

$a[3..$a.count] | ConvertFrom-String | select p2,p3,p4,p5<\/p>\n

The output from the command is shown here:<\/p>\n

\"Image<\/a><\/p>\n

Now I can easily filter by any property value I want. For example, I can filter the output for connections that are established. As you can see here, I add where P5 –eq ‘established’<\/b>:<\/p>\n

$a[3..$a.count] | ConvertFrom-String | select p2,p3,p4,p5 | where p5 -eq 'established'<\/p>\n

The command and its output are shown here:<\/p>\n

\"Image<\/a><\/p>\n

I can look for things related to mail<\/b>:<\/p>\n

$a[3..$a.count] | ConvertFrom-String | select p2,p3,p4,p5 | where p4 -match 'mail'<\/p>\n

…or a specific part of an IP address, such as this command that finds IP addresses that begin with the number 23:<\/p>\n

$a[3..$a.count] | ConvertFrom-String | select p2,p3,p4,p5 | where p4 -match '^23'<\/p>\n

When I have my output from NetStat<\/b> converted into true objects, I can use the entire power of Windows PowerShell to search through the objects and find exactly what I need—and I can do it all in a series of one-liners. That truly is the power of PowerShell.<\/p>\n

JK, that is all there is to using ConvertFrom-String<\/b> to help parse NetStat<\/b> output. Join me tomorrow when I will talk about more way cool stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about parsing output from NetStat with Windows PowerShell 5.0.  Hey, Scripting Guy! I need a good way to parse output from the NetStat command. I use it all the time, but it ends up requiring me to spend a lot of time looking through stuff. I am not […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[609,3,21,608,45],"class_list":["post-73881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-powershell-5","tag-scripting-guy","tag-string-manipulation","tag-windows-10","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about parsing output from NetStat with Windows PowerShell 5.0.  Hey, Scripting Guy! I need a good way to parse output from the NetStat command. I use it all the time, but it ends up requiring me to spend a lot of time looking through stuff. I am not […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/73881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=73881"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/73881\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=73881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=73881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=73881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}