I’m trying to modify the netstat relevance to only return ESTABLISHED connections but can’t seem to get it quite right. I’m pretty sure I need to use “whose (it as string contains "ESTAB")” or “whose (tcp state of it as string contains "ESTAB")” but I’m not exactly sure where it goes.
( (if (tcp of it) then ("TCP") else ("UDP")), (if (ip version of it = ipv4) then (it as string) else ("[" & it as string & "]")) of local address of it & ":" & local port of it as string, (if (exists remote address of it) then (remote address of it as string & ":" & remote port of it as string) else ("*:*")), (if (exists tcp state of it) then (tcp state of it as string) else ("-")), (if (exists process of it and exists name of process of it) then (name of process of it) else ("-")) ) of sockets of network
I did it this way for RD…
if exists (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")) then "Active" else "Not in use"
and then another…
unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")))
Thanks for that @Pete_F - however I need a cross-platform solution which I think the given relevance will be, once I can filter for only established connections.
(( (if (tcp of it) then ("TCP") else ("UDP")), (if (ip version of it = ipv4) then (it as string) else ("[" & it as string & "]")) of local address of it & ":" & local port of it as string, ((remote address of it as string | "*") & ":" & (remote port of it as string |"*:*")), tcp state of it as string|"-", name of process of it|"-" )) of sockets whose ( established of tcp state of it) of network