Netstat established connections only

I’m trying to modify the netstat relevance to only return ESTABLISHED connections but can’t seem to get it quite right. I’m pretty sure I need to use “whose (it as string contains "ESTAB")” or “whose (tcp state of it as string contains "ESTAB")” but I’m not exactly sure where it goes.

( (if (tcp of it) then ("TCP") else ("UDP")), (if (ip version of it = ipv4) then (it as string) else ("[" & it as string & "]")) of local address of it & ":" & local port of it as string, (if (exists remote address of it) then (remote address of it as string & ":" & remote port of it as string) else ("*:*")), (if (exists tcp state of it) then (tcp state of it as string) else ("-")), (if (exists process of it and exists name of process of it) then (name of process of it) else ("-")) ) of sockets of network

Any help?

I did it this way for RD…
if exists (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")) Then "Active" else "Not in use"

and then another…

unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")))

Thanks for that @Pete_F - however I need a cross platform solution which I think the given relevance will be, once I can filter for only established connections.

You can simplify this a lot at least

(( (if (tcp of it) then ("TCP") else ("UDP")), (if (ip version of it = ipv4) then (it as string) else ("[" & it as string & "]")) of local address of it & ":" & local port of it as string, ((remote address of it as string | "*")  & ":" & (remote port of it as string |"*:*")), tcp state of it as string|"-", name of process of it|"-" )) of sockets whose ( established of tcp state of it) of network 

This works on my Mac

Thanks @AlanM that’s exactly what I was looking for. It works on my *NIX servers and Windows servers.