
The new netstat: Playing with Get-NetTCPConnection

For some reason, I don’t like netstat. Never did. Fortunately, PowerShell provides a cmdlet that does much the same job: Get-NetTCPConnection, from the NetTCPIP module that ships with Windows 8 / Server 2012 and later. Let’s explore the options of this cmdlet in this blog post.

Get-NetTCPConnection

Run without any parameters, it lists every TCP connection on the local machine, regardless of state (Listen, Established, TimeWait, CloseWait, …). Unlike netstat it covers TCP only; for UDP endpoints use the sibling cmdlet Get-NetUDPEndpoint.

Get-NetTCPConnection


IPv4 only

To show only IPv4 connections, simply provide your local IPv4 address. Note that -LocalAddress matches one exact address, so sockets bound to 0.0.0.0 (listeners on all interfaces) or 127.0.0.1 will not appear. It might be useful to sort on the local port:

Get-NetTCPConnection -LocalAddress 192.168.0.100 | Sort-Object LocalPort


IPv6 only

If you are lucky and your ISP provides you with IPv6 addresses, enter your IPv6 global unicast address. Again, this matches one address exactly, so listeners bound to :: and your link-local addresses are left out.

Get-NetTCPConnection -LocalAddress 2a02:8388:b01:3700:215:5dff:fe6f:a00 | Sort-Object LocalPort

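Filtering on a single -LocalAddress, as in the two commands above, silently drops wildcard and loopback sockets. The following added example (my code, not from the original post) splits connections by address family instead, so 0.0.0.0 / :: listeners are included; the function name Get-TcpByFamily is my own choice.

```powershell
# Added example, not part of the original post: select IPv4 or IPv6 connections
# by parsing LocalAddress, instead of hard-coding one local address.
function Get-TcpByFamily {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('IPv4', 'IPv6')]
        [string]$Family,

        # Optional state filter, passed straight through to -State
        [string[]]$State
    )

    $wanted = if ($Family -eq 'IPv4') {
        [System.Net.Sockets.AddressFamily]::InterNetwork
    } else {
        [System.Net.Sockets.AddressFamily]::InterNetworkV6
    }

    $params = @{}
    if ($State) { $params['State'] = $State }

    # LocalAddress is a string ("0.0.0.0", "::", "fe80::1%12"); [ipaddress]
    # parses all of these, including the IPv6 scope id suffix.
    Get-NetTCPConnection @params |
        Where-Object { ([ipaddress]$_.LocalAddress).AddressFamily -eq $wanted } |
        Sort-Object LocalPort
}

# IPv4 listeners, including 0.0.0.0 which -LocalAddress 192.168.0.100 would miss
Get-TcpByFamily -Family IPv4 -State Listen |
    Format-Table LocalAddress, LocalPort, State -AutoSize

# IPv6 established connections
Get-TcpByFamily -Family IPv6 -State Established |
    Format-Table LocalAddress, RemoteAddress, RemotePort -AutoSize
```

The listener view is the one you want when auditing what a host exposes: a service bound to 0.0.0.0 is reachable on every interface, while the same port bound to 127.0.0.1 is not, and a filter on your LAN address cannot tell the two apart.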

Show established connections only

The most important parameter is probably -State. To show only established connections in a readable table (Format-Table), run

Get-NetTCPConnection -State Established | Format-Table -AutoSize

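A bare list of established connections is only half the picture; for triage you want to know which process owns each one and whether the peer is inside your network. The following added example (my code, not from the original post) joins Get-NetTCPConnection with Get-Process once, and flags remote addresses outside private, loopback and link-local ranges. The helper names Test-PrivateAddress and Get-EstablishedWithProcess, and the column layout, are my own choices.

```powershell
# Added example, not part of the original post: established connections with
# owning process and a "public peer" flag.
function Test-PrivateAddress {
    param([string]$Address)
    # IPv4: RFC 1918, loopback, link-local (APIPA), unspecified.
    # IPv6: loopback, link-local, unique local (fc00::/7).
    $Address -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|fe80:|f[cd][0-9a-f]{2}:)'
}

function Get-EstablishedWithProcess {
    # Build the process table once instead of calling Get-Process per connection.
    # Path may be empty for protected processes or when not running elevated.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established | ForEach-Object {
        # OwningProcess is UInt32, Get-Process Id is Int32: cast for the lookup
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        $path = if ($p) { $p.Path } else { $null }

        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = $name
            Path          = $path
            PublicRemote  = -not (Test-PrivateAddress $_.RemoteAddress)
        }
    }
}

# Everything, with public peers listed first
Get-EstablishedWithProcess | Sort-Object PublicRemote -Descending | Format-Table -AutoSize

# Only processes talking to non-private addresses, one line per process/peer
Get-EstablishedWithProcess |
    Where-Object PublicRemote |
    Select-Object Process, Path, RemoteAddress, RemotePort -Unique
```

The second query is the one to run on a box you suspect: an unexpected binary, or a well-known name started from an odd path, talking to a public address is exactly what netstat -b is used for, and here it is one pipeline.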

Well, OK, these first steps show what Get-NetTCPConnection can do for us. Before we move on to the more advanced part of this post, let’s compare the output to netstat.

As I’ve mentioned: The PowerShell cmdlet is my favourite.

Get-NetTCPConnection for Power Users

Resolving IP-Addresses

Do you know the IP of sid-500.com? Why not? 😉 If you don’t know the IP of my site, how would you check whether you are connected to it? Sure, there must be a connection, because you’re reading my article. If you know the hostname, run Resolve-DnsName to get the IP address and feed the result to -RemoteAddress:

Get-NetTCPConnection -RemoteAddress (Resolve-DnsName sid-500.com).IPAddress -ErrorAction SilentlyContinue | Format-List


Or select only the remote address:


The -ErrorAction parameter is useful here to avoid red error messages. Resolve-DnsName returns two IPv4 addresses for my site, but you are connected to only one of them. For each address with no matching connection, Get-NetTCPConnection raises a non-terminating error (no connection object found with that RemoteAddress); those are the red lines, and -ErrorAction SilentlyContinue suppresses them.

Look at the following example. Microsoft has more than one public IPv4 address, and I’m connected to only one of them. Run the same command with -ErrorAction SilentlyContinue and the red lines disappear.

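Suppressing the errors works, but it also hides genuine problems (a typo in the hostname, DNS down). The following added example (my code, not from the original post) takes the other route: resolve all A/AAAA records, then match with Where-Object, so that no per-address lookup fails in the first place and DNS failures still surface. Test-ConnectionToHost is my own name for the helper.

```powershell
# Added example, not part of the original post: am I connected to <hostname>?
function Test-ConnectionToHost {
    param(
        [Parameter(Mandatory)]
        [string]$HostName
    )

    # Only A/AAAA records carry an IPAddress; CNAME records in the answer are
    # skipped. A resolution failure is a real error, so let it stop the call.
    $addresses = Resolve-DnsName -Name $HostName -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' } |
        Select-Object -ExpandProperty IPAddress

    # HashSet lookup; @() keeps the constructor happy when nothing resolved
    $set = [System.Collections.Generic.HashSet[string]]::new([string[]]@($addresses))

    Get-NetTCPConnection -State Established |
        Where-Object { $set.Contains($_.RemoteAddress) } |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ Name = 'Host'; Expression = { $HostName } }
}

$hits = Test-ConnectionToHost -HostName sid-500.com
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No established connection to sid-500.com"
}
```

Because the comparison happens in Where-Object, a host with ten addresses produces zero error records instead of nine, and the Host column tells you which name the match belongs to when you run this for several sites.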

Get TCP Connections on Remote Hosts

If you want to see the established TCP connections on a remote host, simply wrap the cmdlet in Invoke-Command. This requires PowerShell Remoting (WinRM) to be enabled on the target and an account with administrative rights there. Note that I’m logged on to dc01; server02 is the remote host, and both computers are in the same domain. The returned objects carry an extra PSComputerName property that tells you which host they came from.

Invoke-Command -ComputerName server02 {Get-NetTCPConnection -State Established}


Get TCP Connections from all Servers

To retrieve all established connections from all servers in your domain (all OUs!) and save them to a file, run the following. Get-ADComputer comes from the ActiveDirectory module (RSAT); the OperatingSystem filter is evaluated on the domain controller, so no -Properties is needed.

$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*server*"').Name
# One Invoke-Command with the whole list fans out in parallel; sorting happens
# once over the combined result rather than per host.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
} | Sort-Object PSComputerName, LocalPort | Select-Object PSComputerName, LocalPort, RemotePort, RemoteAddress | Out-File C:\Temp\TCPConn.txt


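Two things bite when the remote-host and all-servers commands above are used for real: the OwningProcess PID means nothing once it leaves the host it came from, and Out-File writes a console-width table that truncates long columns. The following added example (my code, not from the original post) resolves the process name on the remote side, reports hosts that could not be reached instead of failing the whole run, and writes CSV. The function name Get-FleetTcpConnections, the -Credential parameter and the output path are my own choices.

```powershell
# Added example, not part of the original post: fleet-wide established
# connections with remote process names, tolerant of unreachable hosts.
function Get-FleetTcpConnections {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Optional alternate account for the remote sessions
        [pscredential]$Credential,

        [string]$OutFile = 'C:\Temp\TCPConn.csv'
    )

    $params = @{
        ComputerName  = $ComputerName
        ErrorAction   = 'SilentlyContinue'   # do not abort on a host that is down
        ErrorVariable = 'unreachable'        # ...but remember which ones failed
        ThrottleLimit = 16
    }
    if ($Credential) { $params['Credential'] = $Credential }

    $rows = Invoke-Command @params -ScriptBlock {
        # Runs on each remote host: map PID -> process name there, where the PID is valid
        $procs = @{}
        Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

        Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
                @{ Name = 'Process'; Expression = { $procs[[int]$_.OwningProcess] } }
    }

    foreach ($e in $unreachable) {
        Write-Warning "Skipped a host: $($e.Exception.Message)"
    }

    # PSComputerName is added by the remoting layer, so rows stay attributable
    $rows |
        Sort-Object PSComputerName, LocalPort |
        Select-Object PSComputerName, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, Process |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    $hosts = @($rows | Select-Object -ExpandProperty PSComputerName -Unique).Count
    "$(@($rows).Count) connections from $hosts hosts written to $OutFile"
}

# Member servers from AD; the filter is evaluated server-side, no -Properties needed
$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name
Get-FleetTcpConnections -ComputerName $servers
```

The CSV is what you want to diff over time: a new process name or a new remote address appearing on a server that was quiet yesterday is a far more useful signal than a screen full of sockets.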

That’s it for today. Hope you enjoyed it!

See also

For more about networking with PowerShell, see also my articles:

PowerShell: Testing the connectivity to the Default Gateway on localhost and Remote Hosts by reading the Routing Table

PowerShell: Use SSH to connect to remote hosts (Posh-SSH)

PowerShell: Check open/closed ports with Test-NetConnection

5 replies

  1. Thanks very much for the great write-up on this command.

    I use it now in conjunction with Get-Process to find out which exe is listening on a specific port – so like netstat -ab, except awesomer.

    # List listening sockets, sorted by port
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort
    # Find the process that owns a given local port
    Get-Process -Id (Get-NetTCPConnection -LocalPort YourPortNumberHere).OwningProcess
    # Show details for that process
    Get-Process -Name YourProcessNameHere | Format-List -Property Name, Product, Description, Path

