[windows] Saving netstat status logs


When analyzing a compromised server, there are occasionally situations where you need to continuously check the Windows OS network sessions in the ESTABLISHED state and keep them in log form.

Turning this into a simple batch file can be quite useful for the job.


netstat-check.bat

Writing the netstat status to a log file every 10 seconds

@echo off
setlocal
rem Log file is written to the current directory as <HOSTNAME>_conn.txt
rem (the original %cd%%COMPUTERNAME% had no path separator between directory and file name)
set "LOG=%cd%\%COMPUTERNAME%_conn.txt"

:_loop
rem timestamp header that separates each snapshot in the log
echo %time% ###############################################   >> "%LOG%"
rem -n numeric addresses, -a all sockets, -o owning PID; keep ESTABLISHED sessions only
netstat -nao | findstr "ESTABLISHED" >> "%LOG%"
rem wait before taking the next snapshot (adjust to the desired interval)
powershell sleep 2
goto _loop

Example of the saved log

17:14:07.36 ###############################################   
  TCP    10.1xx.xx.63:49750     10.xx.xx.11.53:8443     ESTABLISHED     4940
  TCP    10.1xx.xx.63:49909     10.xx.xx.210:1234       ESTABLISHED     16460
  TCP    10.1xx.xx.63:49946     10.xx.xx.12.11:5548     ESTABLISHED     16460
  TCP    10.1xx.xx.63:49952     211xx.xx.13.15:11887    ESTABLISHED     16952
  TCP    10.1xx.xx.63:49992     1.2xx.xx.7.32:20222     ESTABLISHED     5572
  TCP    10.1xx.xx.63:49995     1.2xx.xx.7.32:20222     ESTABLISHED     6996
  TCP    10.1xx.xx.63:53392     1.2xx.xx.7.31:2022      ESTABLISHED     3708
  TCP    127.0.0.1:49695        127.0.0.1:49696        ESTABLISHED     5072
  TCP    127.0.0.1:49696        127.0.0.1:49695        ESTABLISHED     5072
  TCP    127.0.0.1:49745        127.0.0.1:49746        ESTABLISHED     4940
  TCP    127.0.0.1:49746        127.0.0.1:49745        ESTABLISHED     4940
  TCP    127.0.0.1:49748        127.0.0.1:49749        ESTABLISHED     4940
  TCP    127.0.0.1:49749        127.0.0.1:49748        ESTABLISHED     4940
  TCP    127.0.0.1:49846        127.0.0.1:49847        ESTABLISHED     5072
  TCP    127.0.0.1:49847        127.0.0.1:49846        ESTABLISHED     5072
  TCP    127.0.0.1:50134        127.0.0.1:50135        ESTABLISHED     5072
  TCP    127.0.0.1:50135        127.0.0.1:50134        ESTABLISHED     5072
  TCP    127.0.0.1:54760        127.0.0.1:54762        ESTABLISHED     17412
  TCP    127.0.0.1:54762        127.0.0.1:54760        ESTABLISHED     17412
17:14:22.42 ###############################################   
  TCP    10.1xx.xx.63:49750     10.100.xx.53:8443     ESTABLISHED     4940
  TCP    10.1xx.xx.63:49909     10.xx.1.210:1234       ESTABLISHED     16460
  TCP    10.1xx.xx.63:49946     10.100.112.11:5548     ESTABLISHED     16460
  TCP    10.1xx.xx.63:49952     211.xx.213.xx:11887    ESTABLISHED     16952
  TCP    10.1xx.xx.63:49992     1.224.xx.32:20222     ESTABLISHED     5572
  TCP    127.0.0.1:49695        127.0.0.1:49696        ESTABLISHED     5072
  TCP    127.0.0.1:49696        127.0.0.1:49695        ESTABLISHED     5072
  TCP    127.0.0.1:49745        127.0.0.1:49746        ESTABLISHED     4940
  TCP    127.0.0.1:49746        127.0.0.1:49745        ESTABLISHED     4940
  TCP    127.0.0.1:49748        127.0.0.1:49749        ESTABLISHED     4940
  TCP    127.0.0.1:49749        127.0.0.1:49748        ESTABLISHED     4940
  TCP    127.0.0.1:49846        127.0.0.1:49847        ESTABLISHED     5072
  TCP    127.0.0.1:49847        127.0.0.1:49846        ESTABLISHED     5072
  TCP    127.0.0.1:50134        127.0.0.1:50135        ESTABLISHED     5072
  TCP    127.0.0.1:50135        127.0.0.1:50134        ESTABLISHED     5072
  TCP    127.0.0.1:54760        127.0.0.1:54762        ESTABLISHED     17412
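Once a few snapshots have been collected, the useful question for incident response is what changed between them. The following parser is an added example, not code from the original post: it reads the `<HOSTNAME>_conn.txt` layout produced by the batch loop (header line with `%time%` followed by `netstat -nao` rows), groups the rows per snapshot and reports which non-loopback ESTABLISHED sessions appeared or disappeared between consecutive snapshots. The log content embedded below is constructed sample data in the same format, with made-up addresses and PIDs.

```python
"""Diff consecutive snapshots from the netstat batch log (added example)."""
import re
from collections import OrderedDict

# Constructed sample in the same layout as the batch file's output.
SAMPLE_LOG = """\
17:14:07.36 ###############################################
  TCP    10.1.1.63:49750        10.100.1.53:8443       ESTABLISHED     4940
  TCP    10.1.1.63:49992        1.2.3.32:20222         ESTABLISHED     5572
  TCP    127.0.0.1:49695        127.0.0.1:49696        ESTABLISHED     5072
17:14:22.42 ###############################################
  TCP    10.1.1.63:49750        10.100.1.53:8443       ESTABLISHED     4940
  TCP    10.1.1.63:53392        203.0.113.31:2022      ESTABLISHED     3708
  TCP    127.0.0.1:49695        127.0.0.1:49696        ESTABLISHED     5072
"""

# "%time%" header written by the batch loop, e.g. "17:14:07.36 ####..."
HEADER_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2}\.\d+) #+")
# one "netstat -nao" row: proto, local, remote, state, owning PID
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$")


def parse_snapshots(text):
    """Return an ordered mapping: timestamp -> set of (local, remote, pid)."""
    snaps = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            snaps[current] = set()
            continue
        m = CONN_RE.match(line)
        if m and current is not None:
            snaps[current].add((m.group(2), m.group(3), int(m.group(4))))
    return snaps


def diff_snapshots(snaps, skip_loopback=True):
    """Return [(timestamp, appeared, disappeared)] for each consecutive pair."""
    def keep(conn):
        return not (skip_loopback and conn[1].startswith("127."))
    changes = []
    times = list(snaps)
    for prev, cur in zip(times, times[1:]):
        before = {c for c in snaps[prev] if keep(c)}
        after = {c for c in snaps[cur] if keep(c)}
        changes.append((cur, sorted(after - before), sorted(before - after)))
    return changes


if __name__ == "__main__":
    for ts, appeared, gone in diff_snapshots(parse_snapshots(SAMPLE_LOG)):
        print(ts, "new:", appeared, "closed:", gone)
```

To run it against a real capture, replace `SAMPLE_LOG` with the file contents read from `<HOSTNAME>_conn.txt`; the regexes also accept the `[::1]:port` form netstat uses for IPv6 sockets.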