How to log network activity of tested applications


Task: report which ports are used by the applications you test.

Requirements:

1. specify applications by file name (i.e., the name of the corresponding process);
2. be able to start and stop measurements at a given time;
3. the tool needs to support only relatively contemporary operating systems.

Solution: a PowerShell script that logs the state of the TCP/IP stack, using the built-in netstat utility as its data source.

Details: the following script does what is required:

#######################################################################################################################
# File:             LogPortsUsedByApplication.ps1                                                                     #
# Version:          1.1                                                                                               #
# Author:           Alexander Petrovskiy                                                                              #
# Publisher:        Alexander Petrovskiy, SoftwareTestingUsingPowerShell.WordPress.Com                                #
# Copyright:        © 2011 Alexander Petrovskiy, SoftwareTestingUsingPowerShell.WordPress.Com. All rights reserved.   #
# Usage:            This script collects network connections information in two ways,                                 #
#                   using the netstat -ao command to display hostnames and                                            #
#                        .\LogPortsUsedByApplication.ps1 $false                                                       #
#                   using the netstat -ano command to provide only addresses                                          #
#                        .\LogPortsUsedByApplication.ps1 $true                                                        #
#                   or                                                                                                #
#                        .\LogPortsUsedByApplication.ps1                                                              #
#                   Please provide feedback in the SoftwareTestingUsingPowerShell.WordPress.Com blog.                 #
#######################################################################################################################
param(
	  [bool]$Numeric = $true
	 )

Clear-Host
Set-StrictMode -Version Latest

#region user settings
# type below the process names (as shown by Get-Process, without the .exe extension)
# whose connections you want to log
[String[]]$applications = @(
							"ServiceName",
							"GUIApplicationName",
							"UtilityName"
							);
# type here anything that you need to extract as a string
# i.e. hostname, IP address, port number or any combination of them
[String[]]$hosts = @(
							"hostname",
							"192.168.1.1",
							"192.168.100.100",
							"hostname.dnszone.com"
							);
#endregion user settings
#region logs preparation
[string]$netstatParameters = "";
[string]$logfileFull = "";
[string]$logfileSelected = "";
[string]$logfileSqueezed = "";
if ($Numeric){
	$logfileFull = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_fullN.txt";
	$logfileSelected = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_selectedN.txt";
	$logfileSqueezed = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_squeezedN.txt";
	$netstatParameters = "-ano";}
else {
	$logfileFull = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_full.txt";
	$logfileSelected = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_selected.txt";
	$logfileSqueezed = "$($Env:USERPROFILE)\$($Env:COMPUTERNAME)_netstat_squeezed.txt";
	$netstatParameters = "-ao";}
Remove-Item -Path $logfileFull -Force -ErrorAction:SilentlyContinue;
Remove-Item -Path $logfileSelected -Force -ErrorAction:SilentlyContinue;
Remove-Item -Path $logfileSqueezed -Force -ErrorAction:SilentlyContinue;

# the squeezed report is the set of distinct records seen so far;
# the dictionary is used as a set, its values are not used
$recordsDict = New-Object 'System.Collections.Generic.Dictionary[string,string]';
[string]$hostname = $Env:COMPUTERNAME + "`t";
#endregion logs preparation

#region functions
	#region function Get-CurrentTime
function Get-CurrentTime
{
	<#
		.SYNOPSIS
			The Get-CurrentTime function returns the timestamp written to the log files.

		.DESCRIPTION
			The Get-CurrentTime function returns the current time of day (HH:mm:ss),
			taken from [System.DateTime]::Now, followed by a tab character.

		.EXAMPLE
			PS C:\> Get-CurrentTime

		.OUTPUTS
			System.String
	#>
	$time = [System.DateTime]::Now.ToString("HH:mm:ss") + "`t";
	return $time;
}
	#endregion function Get-CurrentTime
#endregion functions

[bool]$updateReport = $false;
# netstat with a refresh interval of 1 second runs until it is stopped (Ctrl+C);
# every output line is processed as soon as it arrives
netstat $netstatParameters 1 | `
	%{
		if ($_.Length -gt 0){
			[string]$currentTime = (Get-CurrentTime) + "`t";
			"$($hostname)$($currentTime)*`t$($_)" >> $logfileFull;
			# the PID is the last column of every connection line (netstat -o);
			# header and blank lines have none
			[string]$linePid = "";
			if ($_ -match '\s(\d+)\s*$') { $linePid = $matches[1]; }
			foreach ($application in $applications)
			{
				foreach ($process in @(Get-Process $application -ErrorAction:SilentlyContinue))
				{
					# compare the PID column exactly: a substring test
					# (e.g. "4" for System) would also match unrelated lines
					if ($linePid -eq $process.Id.ToString())
					{
						"$($hostname)$($currentTime)$($application)`t$($_)" >> $logfileSelected;
						$key = "$($hostname)`t$($application)`t$($_)";
						if (-not $recordsDict.ContainsKey($key))
						{
							$recordsDict.Add($key, "");
							$updateReport = $true;
						}
					}
				}
			}
			foreach ($hostPattern in $hosts)
			{
				if ($_.Contains($hostPattern))
				{
					# resolve the PID to a process name; keep the host pattern
					# as the marker when the line has no PID or the process is gone
					[string]$activityMarker = $hostPattern;
					if ($linePid -ne "")
					{
						$process = Get-Process -Id ([int]$linePid) -ErrorAction:SilentlyContinue;
						if ($process -ne $null) { $activityMarker = $process.ProcessName; }
					}
					"$($hostname)$($currentTime)$($activityMarker)`t$($_)" >> $logfileSelected;
					$key = "$($hostname)`t$($activityMarker)`t$($_)";
					if (-not $recordsDict.ContainsKey($key))
					{
						$recordsDict.Add($key, "");
						$updateReport = $true;
					}
				}
			}
			if ($updateReport){
				# re-write the squeezed report, keeping the previous version
				Remove-Item -Path "$($logfileSqueezed)_previous" `
					-Force -ErrorAction:SilentlyContinue;
				Copy-Item -Path $logfileSqueezed -Destination "$($logfileSqueezed)_previous" `
					-ErrorAction:SilentlyContinue;
				Remove-Item -Path $logfileSqueezed -Force -ErrorAction:SilentlyContinue;
				foreach($key in $recordsDict.Keys)
				{
					"$($key)" >> $logfileSqueezed;
				}
				$updateReport = $false;
			}
		}
	}

The script is also posted at poshcode.org and in the box.net widget at right.

Typical output for the numeric mode is as follows:

1-C01FBB6EDD634		svchost	  TCP    10.30.39.165:135       10.30.37.71:2917       ESTABLISHED     1224
1-C01FBB6EDD634		System	  TCP    10.30.39.165:139       0.0.0.0:0              LISTENING       4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1167      10.30.39.226:139       ESTABLISHED     4
1-C01FBB6EDD634		svchost	  UDP    10.30.39.165:123       *:*                                    1372
1-C01FBB6EDD634		System	  UDP    10.30.39.165:137       *:*                                    4
1-C01FBB6EDD634		System	  UDP    10.30.39.165:138       *:*                                    4
1-C01FBB6EDD634		svchost	  UDP    10.30.39.165:1900      *:*                                    1632
1-C01FBB6EDD634		System	  TCP    10.30.39.165:445       10.30.39.226:60877     ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1280      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		lsass	  TCP    10.30.39.165:1283      10.30.46.189:135       ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    10.30.39.165:1284      10.30.46.189:49157     ESTABLISHED     940
1-C01FBB6EDD634		Idle	  TCP    10.30.39.165:1283      10.30.46.189:135       TIME_WAIT       0
1-C01FBB6EDD634		Idle	  TCP    10.30.39.165:1284      10.30.46.189:49157     TIME_WAIT       0
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1286      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1288      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1290      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1292      10.30.46.189:445       ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1294      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1296      10.30.39.226:445       ESTABLISHED     4
1-C01FBB6EDD634		lsass	  TCP    10.30.39.165:1298      10.30.46.189:135       ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    10.30.39.165:1299      10.30.46.189:49157     ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    10.30.39.165:1301      10.30.46.189:49157     ESTABLISHED     940
1-C01FBB6EDD634		Idle	  TCP    10.30.39.165:1298      10.30.46.189:135       TIME_WAIT       0
1-C01FBB6EDD634		Idle	  TCP    10.30.39.165:1301      10.30.46.189:49157     TIME_WAIT       0
1-C01FBB6EDD634		winlogon	  TCP    10.30.39.165:1302      10.30.46.189:389       ESTABLISHED     884
1-C01FBB6EDD634		winlogon	  TCP    10.30.39.165:1303      10.30.46.189:389       ESTABLISHED     884
1-C01FBB6EDD634		Idle	  TCP    10.30.39.165:1299      10.30.46.189:49157     TIME_WAIT       0
1-C01FBB6EDD634		System	  TCP    10.30.39.165:1304      10.30.46.189:445       ESTABLISHED     4

The non-numeric mode (i.e., netstat -ao) output is below:

1-C01FBB6EDD634		inetinfo	  TCP    1-C01FBB6EDD634:ftp    1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1152
1-C01FBB6EDD634		inetinfo	  TCP    1-C01FBB6EDD634:smtp   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1152
1-C01FBB6EDD634		inetinfo	  TCP    1-C01FBB6EDD634:http   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1152
1-C01FBB6EDD634		svchost	  TCP    1-C01FBB6EDD634:epmap  1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1224
1-C01FBB6EDD634		inetinfo	  TCP    1-C01FBB6EDD634:https  1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1152
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:microsoft-ds  1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       4
1-C01FBB6EDD634		inetinfo	  TCP    1-C01FBB6EDD634:1044   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1152
1-C01FBB6EDD634		mqsvc	  TCP    1-C01FBB6EDD634:1060   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       2096
1-C01FBB6EDD634		mqsvc	  TCP    1-C01FBB6EDD634:1801   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       2096
1-C01FBB6EDD634		mqsvc	  TCP    1-C01FBB6EDD634:2103   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       2096
1-C01FBB6EDD634		mqsvc	  TCP    1-C01FBB6EDD634:2105   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       2096
1-C01FBB6EDD634		mqsvc	  TCP    1-C01FBB6EDD634:2107   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       2096
1-C01FBB6EDD634		svchost	  TCP    1-C01FBB6EDD634:3389   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1136
1-C01FBB6EDD634		svchost	  TCP    1-C01FBB6EDD634:epmap  10.30.37.71:2917       ESTABLISHED     1224
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:netbios-ssn  1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1167   shuran-rum2.source100plus.spb.qsft:netbios-ssn  ESTABLISHED     4
1-C01FBB6EDD634		alg	  TCP    1-C01FBB6EDD634:1098   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       3852
1-C01FBB6EDD634		ccApp	  TCP    1-C01FBB6EDD634:1099   1-C01FBB6EDD634.Source100Plus.spb.qsft:0  LISTENING       1800
1-C01FBB6EDD634		snmp	  UDP    1-C01FBB6EDD634:snmp   *:*                                    1336
1-C01FBB6EDD634		System	  UDP    1-C01FBB6EDD634:microsoft-ds  *:*                                    4
1-C01FBB6EDD634		lsass	  UDP    1-C01FBB6EDD634:isakmp  *:*                                    940
1-C01FBB6EDD634		svchost	  UDP    1-C01FBB6EDD634:1025   *:*                                    1524
1-C01FBB6EDD634		svchost	  UDP    1-C01FBB6EDD634:1026   *:*                                    1524
1-C01FBB6EDD634		svchost	  UDP    1-C01FBB6EDD634:1027   *:*                                    1524
1-C01FBB6EDD634		mqsvc	  UDP    1-C01FBB6EDD634:1059   *:*                                    2096
1-C01FBB6EDD634		inetinfo	  UDP    1-C01FBB6EDD634:3456   *:*                                    1152
1-C01FBB6EDD634		mqsvc	  UDP    1-C01FBB6EDD634:3527   *:*                                    2096
1-C01FBB6EDD634		lsass	  UDP    1-C01FBB6EDD634:4500   *:*                                    940
1-C01FBB6EDD634		svchost	  UDP    1-C01FBB6EDD634:ntp    *:*                                    1372
1-C01FBB6EDD634		System	  UDP    1-C01FBB6EDD634:netbios-ns  *:*                                    4
1-C01FBB6EDD634		System	  UDP    1-C01FBB6EDD634:netbios-dgm  *:*                                    4
1-C01FBB6EDD634		svchost	  UDP    1-C01FBB6EDD634:1900   *:*                                    1632
1-C01FBB6EDD634		lsass	  UDP    1-C01FBB6EDD634:1028   *:*                                    940
1-C01FBB6EDD634		mqsvc	  UDP    1-C01FBB6EDD634:1061   *:*                                    2096
1-C01FBB6EDD634		winlogon	  UDP    1-C01FBB6EDD634:1079   *:*                                    884
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:microsoft-ds  shuran-rum2.source100plus.spb.qsft:60877  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1280   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		lsass	  TCP    1-C01FBB6EDD634:1283   win-i1goilphvd8.source100plus.spb.qsft:epmap  ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    1-C01FBB6EDD634:1284   win-i1goilphvd8.source100plus.spb.qsft:49157  ESTABLISHED     940
1-C01FBB6EDD634		Idle	  TCP    1-C01FBB6EDD634:1283   win-i1goilphvd8.source100plus.spb.qsft:epmap  TIME_WAIT       0
1-C01FBB6EDD634		Idle	  TCP    1-C01FBB6EDD634:1284   win-i1goilphvd8.source100plus.spb.qsft:49157  TIME_WAIT       0
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1286   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1288   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1290   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1292   win-i1goilphvd8.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1294   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1296   shuran-rum2.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4
1-C01FBB6EDD634		lsass	  TCP    1-C01FBB6EDD634:1298   win-i1goilphvd8.source100plus.spb.qsft:epmap  ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    1-C01FBB6EDD634:1299   win-i1goilphvd8.source100plus.spb.qsft:49157  ESTABLISHED     940
1-C01FBB6EDD634		lsass	  TCP    1-C01FBB6EDD634:1301   win-i1goilphvd8.source100plus.spb.qsft:49157  ESTABLISHED     940
1-C01FBB6EDD634		Idle	  TCP    1-C01FBB6EDD634:1298   win-i1goilphvd8.source100plus.spb.qsft:epmap  TIME_WAIT       0
1-C01FBB6EDD634		Idle	  TCP    1-C01FBB6EDD634:1301   win-i1goilphvd8.source100plus.spb.qsft:49157  TIME_WAIT       0
1-C01FBB6EDD634		winlogon	  TCP    1-C01FBB6EDD634:1302   win-i1goilphvd8.source100plus.spb.qsft:ldap  ESTABLISHED     884
1-C01FBB6EDD634		winlogon	  TCP    1-C01FBB6EDD634:1303   win-i1goilphvd8.source100plus.spb.qsft:ldap  ESTABLISHED     884
1-C01FBB6EDD634		Idle	  TCP    1-C01FBB6EDD634:1299   win-i1goilphvd8.source100plus.spb.qsft:49157  TIME_WAIT       0
1-C01FBB6EDD634		System	  TCP    1-C01FBB6EDD634:1304   win-i1goilphvd8.source100plus.spb.qsft:microsoft-ds  ESTABLISHED     4

In both cases the PID (printed by the -o parameter of netstat) is resolved to the corresponding process name.
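The following is an added example, not the author's script: it covers the same task (which ports the named processes use, resolved from PID to process name) but takes the data from Get-NetTCPConnection and Get-NetUDPEndpoint instead of parsing netstat text, and it implements the start/stop requirement directly with a measurement window. The parameter names ($Applications, $StartAt, $StopAt, $IntervalSeconds, $ReportPath) and the report format are choices made here, not parameters of LogPortsUsedByApplication.ps1. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP module ships these cmdlets.

```powershell
# Added example (not the original script): timed port logging for named processes
# using Get-NetTCPConnection / Get-NetUDPEndpoint as the data source.
# Assumptions: Windows 8 / Server 2012 or later; parameter names are chosen here.
param(
    [string[]]$Applications = @("svchost", "lsass"),   # process names, without .exe
    [datetime]$StartAt = (Get-Date),
    [datetime]$StopAt = (Get-Date).AddMinutes(5),
    [int]$IntervalSeconds = 1,
    [string]$ReportPath = "$($env:USERPROFILE)\$($env:COMPUTERNAME)_ports_report.txt"
)

Set-StrictMode -Version Latest

# one line per distinct (process, protocol, local endpoint, remote endpoint, state)
$seen = New-Object 'System.Collections.Generic.HashSet[string]'

function Get-EndpointRecords {
    param([string[]]$Names)
    # Map PID -> process name once per sample. Only PIDs of the requested
    # applications are kept, so the match is exact rather than a substring test.
    $pidToName = @{}
    foreach ($p in (Get-Process -Name $Names -ErrorAction SilentlyContinue)) {
        $pidToName[$p.Id] = $p.ProcessName
    }
    if ($pidToName.Count -eq 0) { return @() }

    $records = @()
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        if ($pidToName.ContainsKey([int]$c.OwningProcess)) {
            $records += [pscustomobject]@{
                Process  = $pidToName[[int]$c.OwningProcess]
                Protocol = 'TCP'
                Local    = "$($c.LocalAddress):$($c.LocalPort)"
                Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
                State    = $c.State.ToString()
                PID      = [int]$c.OwningProcess
            }
        }
    }
    foreach ($u in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        if ($pidToName.ContainsKey([int]$u.OwningProcess)) {
            $records += [pscustomobject]@{
                Process  = $pidToName[[int]$u.OwningProcess]
                Protocol = 'UDP'
                Local    = "$($u.LocalAddress):$($u.LocalPort)"
                Remote   = '*:*'          # UDP endpoints have no peer, as in netstat output
                State    = ''
                PID      = [int]$u.OwningProcess
            }
        }
    }
    return $records
}

# wait for the measurement window to open, then sample until it closes
if ($StartAt -gt (Get-Date)) {
    Start-Sleep -Seconds ([int]($StartAt - (Get-Date)).TotalSeconds)
}
Remove-Item -Path $ReportPath -Force -ErrorAction SilentlyContinue

while ((Get-Date) -lt $StopAt) {
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    foreach ($r in (Get-EndpointRecords -Names $Applications)) {
        $key = "$($r.Process)`t$($r.Protocol)`t$($r.Local)`t$($r.Remote)`t$($r.State)"
        # report each distinct endpoint once, with the time it was first observed
        if ($seen.Add($key)) {
            "$($env:COMPUTERNAME)`t$stamp`t$key`t$($r.PID)" | Add-Content -Path $ReportPath
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

Write-Host "Report written to $ReportPath ($($seen.Count) distinct endpoints)."
```

Run it as, for instance, .\LogPortsTimed.ps1 -Applications "inetinfo","mqsvc" -StartAt "2011-06-01 10:00" -StopAt "2011-06-01 10:30" (the file name is whatever you save the example under). Because the PID-to-name map is rebuilt on every sample, a process that restarts during the window is still attributed correctly; because the key excludes the PID, the same endpoint seen under a new PID is not reported twice. On systems older than Windows 8 / Server 2012 these cmdlets do not exist and netstat, as in the script above, remains the data source.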

2 responses

    1. Thank you for the comment, all links and e-mails changed to ours…
