
I need to log a summary of all inbound TCP connections on a Windows 2008R2 server, but only including the Source IP, Source Port, Destination IP and Destination Port.

I do not want to log the payload and I do not want to include outbound connections or connections originating from the host itself.

I am simply trying to get a high level summary of all inbound connections over a period of a few days to be able to tell at a glance what is connecting to this server and from where.

It would be nice to see a summary with only one line for each unique connection (=SourceIP:Port -> DestIP:Port combination), but as long as the information can be logged/exported in CSV format, I can always do that in Excel.

The first tool I looked at was Wireshark, but I do not see how not to include the payload.

I looked at Process Monitor, but I do not see how to filter out outbound connections and the output does not fit my needs very well.

The closest fit I have found is TcpLogView (NirSoft), but it cannot filter out outbound connections or connections that are originating from the local server.

Is there a tool out there that can do what I am looking for?

Thanks.

Zek

2 Answers


In Wireshark (1.12.4 here) you can try the Statistics menu and use the Conversations or Endpoints tools (whichever fits your needs); once there, you can choose to show connection statistics for all or displayed packets by MAC, IP, TCP, etc. To export to CSV, each dialog has a Copy button. This copies the statistics shown in the dialog to the clipboard in CSV format; now you just need to paste into Notepad.

womble
  • I am aware of that capability of Wireshark, but it requires a full packet capture first, which is what I do not want (note: it is about 1TB of data, which would be very cumbersome and slow to work with, and Wireshark probably could not summarize that volume anyhow). – Zek Aug 25 '15 at 16:19

I think you can do what you are asking by turning on logging in Windows Firewall: https://technet.microsoft.com/en-us/library/Cc947815%28v=WS.10%29.aspx#bkmk_ToenableWindowsFirewallandconfigurethedefaultbehavior

Mary
  • Thanks, but I do not see how to exclude outbound traffic and traffic originating from the local host using this log (and the output is not very concise [nor very import-friendly for massage in Excel]). – Zek Aug 24 '15 at 02:48
  • If you open Excel first, then open the log file, then change the delimiter to "space" it comes into Excel fine. – Mary Aug 26 '15 at 15:36
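The firewall log this answer points to can be reduced to exactly the summary the question asks for. The following is an added example, not code from the thread: it parses the W3C-style columns that Windows Firewall writes to pfirewall.log, keeps only TCP lines whose path is RECEIVE and whose source is not one of the server's own addresses (the LOCAL_IPS set and the sample log lines are constructed assumptions), and collapses the rest into one CSV row per unique src:port -> dst:port.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout Windows Firewall writes to pfirewall.log
# when "Log successful connections" / "Log dropped packets" are enabled.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2015-08-24 10:01:02 ALLOW TCP 203.0.113.5 192.0.2.10 51234 3389 0 - 0 0 0 - - - RECEIVE
2015-08-24 10:01:03 ALLOW TCP 192.0.2.10 198.51.100.7 49800 443 0 - 0 0 0 - - - SEND
2015-08-24 10:01:04 ALLOW UDP 203.0.113.9 192.0.2.10 53 5353 0 - - - - - - - RECEIVE
2015-08-24 10:01:05 ALLOW TCP 203.0.113.5 192.0.2.10 51234 3389 0 - 0 0 0 - - - RECEIVE
2015-08-24 10:01:06 DROP TCP 198.51.100.22 192.0.2.10 40000 445 52 S 123 0 8192 - - - RECEIVE
2015-08-24 10:01:07 ALLOW TCP 127.0.0.1 127.0.0.1 50000 80 0 - 0 0 0 - - - RECEIVE
"""

# Assumption: the server's own addresses, used to drop host-originated traffic.
LOCAL_IPS = {"192.0.2.10", "127.0.0.1", "::1"}


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than misalign columns
                yield dict(zip(fields, values))


def summarize_inbound_tcp(text, local_ips=LOCAL_IPS):
    """Count unique inbound TCP tuples: protocol TCP, path RECEIVE, not sourced from this host."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE" or rec["src-ip"] in local_ips:
            continue
        counts[(rec["src-ip"], rec["src-port"], rec["dst-ip"], rec["dst-port"], rec["action"])] += 1
    return counts


def to_csv(counts):
    """One CSV line per unique connection, busiest first, ready to open in Excel."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["src_ip", "src_port", "dst_ip", "dst_port", "action", "count"])
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        writer.writerow(list(key) + [n])
    return buf.getvalue()
```

Run it against a real log with `to_csv(summarize_inbound_tcp(open(path).read()))`; the SEND line, the UDP line and the loopback line in the sample are all dropped, leaving two rows.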