보안 침해사고 서버를 분석하다 보면 간혹 Windows OS의 네트워크 연결 세션(ESTABLISHED)을 지속적으로 체크하여 로그 형태로 남겨야 할 상황이 생길 때가 있다. 간단하게 배치 파일로 만들어서 사용하면 나름 업무에 유용하게 쓸 수 있다.
netstat 상태를 10초마다 로그 파일로 남기기
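@echo off
setlocal
rem Periodically append the ESTABLISHED sessions reported by "netstat -nao" to
rem <current directory>\<COMPUTERNAME>_conn.txt, one timestamped section per sweep.
rem Usage: <this script> [interval_seconds]   (default 10; stop with Ctrl+C)

rem Sampling interval in seconds. The first argument overrides it; the default of 10
rem matches the stated purpose of the script (a sweep every 10 seconds).
set "INTERVAL=%~1"
if not defined INTERVAL set "INTERVAL=10"

rem The backslash is required: %cd% has no trailing separator except at a drive root,
rem so "%cd%%COMPUTERNAME%" would write next to, not inside, the current directory.
rem The path is quoted so directories containing spaces work.
set "LOGFILE=%cd%\%COMPUTERNAME%_conn.txt"

:_loop
rem %date% is included so sections written across midnight stay unambiguous.
echo %date% %time% ############################################### >> "%LOGFILE%"
rem /C: matches the literal string instead of treating the argument as a word list.
netstat -nao | findstr /C:"ESTABLISHED" >> "%LOGFILE%"
rem -NoProfile keeps the PowerShell profile on the examined host from running on every
rem sweep; -NonInteractive prevents a prompt from stalling the loop.
powershell -NoProfile -NonInteractive -Command "Start-Sleep -Seconds %INTERVAL%"
goto _loop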
저장된 로그 형태
17:14:07.36 ###############################################
TCP 10.1xx.xx.63:49750 10.xx.xx.11.53:8443 ESTABLISHED 4940
TCP 10.1xx.xx.63:49909 10.xx.xx.210:1234 ESTABLISHED 16460
TCP 10.1xx.xx.63:49946 10.xx.xx.12.11:5548 ESTABLISHED 16460
TCP 10.1xx.xx.63:49952 211xx.xx.13.15:11887 ESTABLISHED 16952
TCP 10.1xx.xx.63:49992 1.2xx.xx.7.32:20222 ESTABLISHED 5572
TCP 10.1xx.xx.63:49995 1.2xx.xx.7.32:20222 ESTABLISHED 6996
TCP 10.1xx.xx.63:53392 1.2xx.xx.7.31:2022 ESTABLISHED 3708
TCP 127.0.0.1:49695 127.0.0.1:49696 ESTABLISHED 5072
TCP 127.0.0.1:49696 127.0.0.1:49695 ESTABLISHED 5072
TCP 127.0.0.1:49745 127.0.0.1:49746 ESTABLISHED 4940
TCP 127.0.0.1:49746 127.0.0.1:49745 ESTABLISHED 4940
TCP 127.0.0.1:49748 127.0.0.1:49749 ESTABLISHED 4940
TCP 127.0.0.1:49749 127.0.0.1:49748 ESTABLISHED 4940
TCP 127.0.0.1:49846 127.0.0.1:49847 ESTABLISHED 5072
TCP 127.0.0.1:49847 127.0.0.1:49846 ESTABLISHED 5072
TCP 127.0.0.1:50134 127.0.0.1:50135 ESTABLISHED 5072
TCP 127.0.0.1:50135 127.0.0.1:50134 ESTABLISHED 5072
TCP 127.0.0.1:54760 127.0.0.1:54762 ESTABLISHED 17412
TCP 127.0.0.1:54762 127.0.0.1:54760 ESTABLISHED 17412
17:14:22.42 ###############################################
TCP 10.1xx.xx.63:49750 10.100.xx.53:8443 ESTABLISHED 4940
TCP 10.1xx.xx.63:49909 10.xx.1.210:1234 ESTABLISHED 16460
TCP 10.1xx.xx.63:49946 10.100.112.11:5548 ESTABLISHED 16460
TCP 10.1xx.xx.63:49952 211.xx.213.xx:11887 ESTABLISHED 16952
TCP 10.1xx.xx.63:49992 1.224.xx.32:20222 ESTABLISHED 5572
TCP 127.0.0.1:49695 127.0.0.1:49696 ESTABLISHED 5072
TCP 127.0.0.1:49696 127.0.0.1:49695 ESTABLISHED 5072
TCP 127.0.0.1:49745 127.0.0.1:49746 ESTABLISHED 4940
TCP 127.0.0.1:49746 127.0.0.1:49745 ESTABLISHED 4940
TCP 127.0.0.1:49748 127.0.0.1:49749 ESTABLISHED 4940
TCP 127.0.0.1:49749 127.0.0.1:49748 ESTABLISHED 4940
TCP 127.0.0.1:49846 127.0.0.1:49847 ESTABLISHED 5072
TCP 127.0.0.1:49847 127.0.0.1:49846 ESTABLISHED 5072
TCP 127.0.0.1:50134 127.0.0.1:50135 ESTABLISHED 5072
TCP 127.0.0.1:50135 127.0.0.1:50134 ESTABLISHED 5072
TCP 127.0.0.1:54760 127.0.0.1:54762 ESTABLISHED 17412