Windows – How to log all inbound connections on Windows server

network-monitoring, networking, packet-capture, windows

I need to log a summary of all inbound TCP connections on a Windows 2008R2 server, but only including the Source IP, Source Port, Destination IP and Destination Port.

I do not want to log the payload and I do not want to include outbound connections or connections originating from the host itself.

I am simply trying to get a high level summary of all inbound connections over a period of a few days to be able to tell at a glance what is connecting to this server and from where.

It would be nice to see a summary with only one line for each unique connection (=SourceIP:Port -> DestIP:Port combination), but as long as the information can be logged/exported in CSV format, I can always do that in Excel.

The first tool I looked at was Wireshark, but I do not see how not to include the payload.

I looked at Process Monitor, but I do not see how to filter out outbound connections and the output does not fit my needs very well.

The closest fit I have found is TcpLogView (NirSoft), but it cannot filter out outbound connections or connections that are originating from the local server.

Is there a tool out there that can do what I am looking for?

Thanks.

Best Answer

In Wireshark (1.12.4 here), you can try the Statistics menu and use the Conversations or Endpoints tools (whichever fits your needs). Once there, you can choose to show connection statistics on all or displayed packets by MAC, IP, TCP, etc. To export to CSV, each dialog has a Copy button. This copies the statistics shown in the dialog to the clipboard in CSV format; you then just need to copy and paste it into Notepad.
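The following is an added example, not part of the original answer: a Python sketch that reduces a pasted Conversations CSV to one line per unique inbound SourceIP:Port -> DestIP:Port combination, dropping outbound and host-originated rows. The column names, the sample rows, the `LOCAL_ADDRESSES` value, and the treatment of "Address A" as the connecting side are assumptions; adjust them to your export.

```python
import csv
import io

# Constructed sample in the shape of a Conversations (TCP tab) CSV copy.
# Column names are an assumption; adjust them to match your export.
# Repeated rows occur when several exports are pasted into one file.
SAMPLE_CSV = '''"Address A","Port A","Address B","Port B","Packets","Bytes"
"203.0.113.7","51514","192.0.2.10","443","12","4096"
"192.0.2.10","49200","198.51.100.5","80","8","2048"
"203.0.113.7","51514","192.0.2.10","443","3","512"
"198.51.100.23","60211","192.0.2.10","3389","40","9000"
"192.0.2.10","49201","192.0.2.10","1433","6","700"
'''

LOCAL_ADDRESSES = {"192.0.2.10"}  # hypothetical: the server's own IPs


def inbound_connections(csv_text, local_addresses):
    """Return sorted unique (src_ip, src_port, dst_ip, dst_port) tuples
    where a remote host (Address A) connects to a local address (Address B)."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["Address A"].strip(), row["Address B"].strip()
        # Outbound or host-originated (including local-to-local): skip.
        if src in local_addresses:
            continue
        # Not addressed to this server (e.g. seen on a mirrored port): skip.
        if dst not in local_addresses:
            continue
        # Only the 4-tuple is kept; packet and byte counters are discarded.
        seen.add((src, int(row["Port A"]), dst, int(row["Port B"])))
    return sorted(seen)


def to_csv(connections):
    """Render the tuples as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["SourceIP", "SourcePort", "DestIP", "DestPort"])
    writer.writerows(connections)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(inbound_connections(SAMPLE_CSV, LOCAL_ADDRESSES)), end="")
```

A capture that starts in the middle of an existing connection can list the server as Address A, so rows dropped by the first check are worth a spot check against known listening ports.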