How to Parse Netstat Command in Order to Get Process Name and Pid from It

How to parse netstat command in order to get process name and PID from it?

Try

ps -p $(lsof -ti tcp:80) o comm=,pid=

or

netstat -tlnp | awk '/:80 / {split($NF,a,"/"); print a[2],a[1]}'

Capturing just the `PID` field from `netstat`

Assuming that you'll only get the one result (which seems likely), you can use a simple regex to capture the last group of digits from the line.

# a sample `netstat -ao` line; the trailing number is the owning process ID
$netstat = "TCP    127.0.0.1:51135        r151:51135             ESTABLISHED     7968";
# capture the last run of digits on the line
$PortNumRegex = [regex]"(\d+)$";
$portnum = $PortNumRegex.Match($netstat);
$portnum.captures[0].Value;

In your case, replace the $netstat line with netstat -ao | findstr 51135; you could also eliminate findstr 51135 by running the output of netstat -ao through select-string or other regex matches, but for a simple case like this, the above should work just fine.

How to parse netstat command to get the send-q number from the line

Something like

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 4000 { sub(/^.+:/, "", $4); print $3, $4, $9 }'

?

That would output the 3rd column (Send-Q), the port part of the 4th column (Local Address) and the 9th column (PID/Program name) if Send-Q > 4000, separated by semicolons so you can pipe it into your CSV.

E.g. (for Send-Q > 0 on my box)

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 0 { sub(/^.+:/, "", $4); print $3, $4, $9 }'
52;22;4363/sshd:

EDIT:

If you really need to further process the values in bash, then you can just print the respective columns via awk and iterate over the lines like this:

#!/bin/bash

# awk prints: Recv-Q Send-Q "Local Address" "PID/Program name" for every tcp/udp
# socket whose Recv-Q or Send-Q exceeds 4000. udp lines print no State column,
# so for them the PID/Program name is field 8 rather than field 9.
while read -r recv send address pid_program; do
    ip=${address%%:*}
    port=${address##*:}
    pid=${pid_program%%/*}
    program=${pid_program#*/}
    echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"
    # do stuff here
done < <(netstat -naputeo 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 4000 || $3 > 4000) { print $2, $3, $4, ($1 ~ /^udp/ ? $8 : $9) }')

E.g.:

$ ./t.sh
recv=0 send=52 ip=x.x.x.x port=22 pid=12345 program=sshd:

Note: I don't understand why you need the -o switch to netstat since you don't seem to be interested in the timers output, so you could probably drop that.

Flatten netstat command output in powershell

I would probably do something like this:

  1. mangle the output into a single string:

    netstat -bano | Out-String
  2. remove indention of the lines beginning with UDP or TCP to make them distinguishable from the other lines:

    -replace '(?m)^  (TCP|UDP)', '$1'
  3. join all indented lines that don't begin with a square bracket to the line preceding them:

    -replace '\r?\n\s+([^\[])', "`t`$1"
  4. join all indented lines that do begin with a square bracket to the line preceding them:

    -replace '\r?\n\s+\[', "`t["

Complete statement:

(netstat -bano | Out-String) -replace '(?m)^  (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t["
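As an added example that is not part of any answer on this page: a Python parser for the multi-line `netstat -bano` layout that the -replace chain above flattens. It also covers the "PID is the last number on the line" case from the `findstr 51135` answer earlier, and the UDP rows that print no State column. Python is used so the parser can be exercised offline; the sample output below is constructed for the example, not captured from a real host, and the executable names in it are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `netstat -bano` output from a Windows host (not real).
# With -b the owning executable follows the row in square brackets, sometimes
# preceded by a service/component name; for PID 4 netstat prints a note instead.
SAMPLE_WINDOWS = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:51135        127.0.0.1:51135        ESTABLISHED     7968
 [app.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    3412
 [chrome.exe]
"""


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: Optional[str]            # UDP rows print no State column
    pid: int
    program: Optional[str] = None   # taken from the "[name.exe]" line, if any
    components: List[str] = field(default_factory=list)


def parse_netstat_bano(text: str) -> List[Connection]:
    conns: List[Connection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto ")):
            continue
        fields = line.split()
        if fields[0] in ("TCP", "UDP"):
            # A TCP row has five columns; a UDP row has no State, so four.
            if fields[0] == "TCP":
                proto, local, foreign, state, pid = fields
            else:
                proto, local, foreign, pid = fields
                state = None
            conns.append(Connection(proto, local, foreign, state, int(pid)))
        elif conns:
            # Indented continuation lines describe the most recent row.
            if line.startswith("[") and line.endswith("]"):
                conns[-1].program = line[1:-1]
            else:
                conns[-1].components.append(line)
    return conns


def local_port(conn: Connection) -> int:
    # split at the LAST colon so "[::]:135" works as well as "0.0.0.0:135"
    return int(conn.local.rpartition(":")[2])


def pids_on_local_port(conns: List[Connection], port: int) -> List[int]:
    return [c.pid for c in conns if local_port(c) == port]


def flatten(conns: List[Connection]) -> List[str]:
    """One tab-separated line per socket, like the PowerShell -replace chain."""
    rows = []
    for c in conns:
        parts = [c.proto, c.local, c.foreign, c.state or "", str(c.pid)] + c.components
        if c.program:
            parts.append("[%s]" % c.program)
        rows.append("\t".join(parts))
    return rows


if __name__ == "__main__":
    for row in flatten(parse_netstat_bano(SAMPLE_WINDOWS)):
        print(row)
```

Splitting on whitespace after stripping each line is safe here because Windows netstat never prints a program name on the TCP/UDP row itself; the `-b` owner lines are the only place spaces can appear, and they are attached whole.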

How to parse and access columns based on headers in file? - Python

Answer updated to handle missing State value

Skip the first row, indicate that there is no header, assign header names and then split on one or more spaces.

import numpy as np
import pandas as pd

df = pd.read_csv(sim_txt, skiprows=1, header=None, sep=r'\s+',
                 names=['Proto','cv-Q','Send-Q','Local Address','Foreign Address','State','PID/Program name']
                 ).apply(row_fixer, axis=1)
print(df)

Proto cv-Q Send-Q Local Address Foreign Address State PID/Program name
0 tcp 0 0 123.345.789:1234 0.0.0.0:* LISTEN 23044/test
1 tcp 0 0 0.0.0.0:5915 0.0.0.0:* LISTEN 99800/./serv
2 tcp 0 0 0.0.0.0:5916 0.0.0.0:* NaN 99801/./serv
3 tcp 0 0 0.0.0.0:1501 0.0.0.0:* LISTEN -

df.to_csv('output.csv', index=None)

The above depends on the following function. It looks for a NaN in the last column of the row, which would indicate that the State value is missing. When that situation is found the last two values are swapped. (Note: this function detects NaNs by leveraging the fact that NaN != NaN):

def row_fixer(x):
    # NaN is the only value that is not equal to itself
    if x.iat[-1] != x.iat[-1]:
        xc = x.copy()
        xc.iat[-1] = xc.iat[-2]   # move PID/Program name into its own column
        xc.iat[-2] = np.nan       # leave State empty
        return xc
    return x

The example above is based on the following example data:

Proto  cv-Q  Send-Q     Local Address Foreign Address   State  PID/Program name
tcp 0 0 123.345.789:1234 0.0.0.0:* LISTEN 23044/test
tcp 0 0 0.0.0.0:5915 0.0.0.0:* LISTEN 99800/./serv
tcp 0 0 0.0.0.0:5916 0.0.0.0:* 99801/./serv
tcp 0 0 0.0.0.0:1501 0.0.0.0:* LISTEN -

capturing network packet and group them according to their process (program) name

To do that, you should retrieve the tcp or udp header from the ip packet, read the port from it, then try to execute the netstat command using the Runtime class and parse the result. You will find the pid of the process in the last column of the result, and you will also find the port; netstat will list the running processes, their state and the ports they are listening on.
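As an added example that is not part of any answer on this page: a Python parser for Linux `netstat -tulnpe` output that handles, in one place, the cases the answers above deal with separately with awk and pandas: the exact-port lookup of the first answer (matching `:80` without also matching `:8080`), the Send-Q filter, the udp lines that print no State column (the shifted-column case the pandas `row_fixer` repairs), program names containing a space such as `sshd: user`, and the `-` netstat prints when it cannot see the owner. The port-to-PID lookup at the end is the mapping the last answer describes doing from Java. The sample output is constructed for the example and is not from a real host.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `netstat -tulnpe` output from a Linux host (net-tools);
# not captured from a real system. The udp line has no State column and the
# ESTABLISHED sshd line has a program name containing a space.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18234      1042/sshd
tcp        0     52 10.0.0.5:22             10.0.0.9:51135          ESTABLISHED 0          27311      4363/sshd: user
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1000       30122      2201/python3
tcp6       0      0 :::80                   :::*                    LISTEN      0          19001      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          16520      987/dhclient
"""

# TCP states as printed by net-tools netstat.
TCP_STATES = {
    "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT",
    "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING", "UNKNOWN",
}


@dataclass
class Socket:
    proto: str
    recv_q: int
    send_q: int
    local_ip: str
    local_port: str
    foreign: str
    state: Optional[str]    # None for udp lines, which print no State
    pid: Optional[int]      # None when netstat printed "-" (owner not visible)
    program: Optional[str]


def split_addr(addr: str):
    """Split '10.0.0.5:22' or ':::80' at the LAST colon so IPv6 works."""
    ip, _, port = addr.rpartition(":")
    return ip, port


def parse_line(line: str) -> Optional[Socket]:
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None                 # banner, header or unrelated line
    proto, recv_q, send_q, local, foreign = fields[:5]
    rest = fields[5:]
    # State is only printed for tcp sockets; udp lines leave it blank, which
    # shifts every later column one position to the left.
    state = rest.pop(0) if rest and rest[0] in TCP_STATES else None
    # With -e, the numeric User and Inode columns precede PID/Program name.
    if len(rest) >= 3 and rest[0].isdigit() and rest[1].isdigit():
        rest = rest[2:]
    # Whatever remains is PID/Program name; a program name may contain spaces
    # ("sshd: user"), so re-join the fields instead of taking just one.
    pid_prog = " ".join(rest) if rest else "-"
    pid = program = None
    if pid_prog != "-":
        pid_s, _, program = pid_prog.partition("/")
        pid = int(pid_s)
    ip, port = split_addr(local)
    return Socket(proto, int(recv_q), int(send_q), ip, port, foreign, state, pid, program)


def parse_netstat(text: str) -> List[Socket]:
    return [s for s in (parse_line(l) for l in text.splitlines()) if s]


def listeners_on_port(socks: List[Socket], port) -> List[Socket]:
    """Exact port match (port 80 must not also match 8080) for listening tcp
    sockets and all udp sockets."""
    port = str(port)
    return [s for s in socks if s.local_port == port and s.state in (None, "LISTEN")]


def send_q_over(socks: List[Socket], threshold: int) -> List[Socket]:
    return [s for s in socks if s.send_q > threshold]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_LINUX)
    for s in listeners_on_port(socks, 22):
        print("port 22 is owned by", s.program, s.pid)
    for s in send_q_over(socks, 0):
        print("%d;%s;%s/%s" % (s.send_q, s.local_port, s.pid, s.program))
```

Because the parser splits on whitespace and then re-joins the tail, it works with or without `-e`; the only assumption is the column order net-tools prints, which is why the awk one-liners earlier pick a fixed field number and break on udp rows.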
