When I do a straight read of the file in the raw, I see the data there, but it's a mess. I'm not sure any amount of regex magic would ever let me get results back 100% of the time.
When I look at the method in the article, I see the following:
ProviderName: Microsoft-Windows-NDIS-PacketCapture

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
5/22/2017 1:21:27 PM 1016 Information      Capture Rule: Id=InterfaceIndex Directive=EQU ValueLength=4 Value=0x03000000
5/22/2017 1:21:27 PM 1016 Information      Capture Rule: Id=Any MAC Address Directive=EQU ValueLength=6 Value=0x01000CCCCCCC
5/22/2017 1:21:27 PM 1016 Information      Capture Rule: Id=Packet Truncate Bytes Directive=EQU ValueLength=4 Value=0x000...
5/22/2017 1:21:27 PM 1011 Information      Capture Rules Count=3
5/22/2017 1:21:58 PM 1001 Information      Packet Fragment (474 bytes)
That packet fragment is the CDP packet I need to get my hands on, but I cannot for the life of me figure out how to get to the payload. Do you have any ideas of a good method?
Test code below:
# Capture session written to an ETL file
$Session = New-NetEventSession -Name "Session1a" -LocalFilePath C:\temp\johnwork.etl -CaptureMode SaveToFile
# Only keep frames to the CDP multicast MAC, truncated at 1024 bytes
Add-NetEventPacketCaptureProvider -SessionName "Session1a" -LinkLayerAddress "01-00-0c-cc-cc-cc" -TruncationLength 1024 -CaptureType BothPhysicalAndSwitch
Add-NetEventNetworkAdapter -Name "Ethernet" -PromiscuousMode $true
Start-NetEventSession -Name "Session1a"
Start-Sleep -Seconds 62
Stop-NetEventSession -Name "Session1a"
# Read the trace back as events, oldest first
$log = Get-WinEvent -Path $Session.LocalFilePath -Oldest
Remove-NetEventSession -Name "Session1a"
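As an added example (not code from the thread or from the NetEventPacketCapture module), one way to get at the payload of the "Packet Fragment" events (Id 1001) is to read the ETL with Get-WinEvent, take the byte-array property of each record as the captured frame, keep the frames addressed to 01-00-0c-cc-cc-cc, and decode the CDP TLVs from offset 22 onwards (Ethernet 802.3 header + LLC/SNAP). It assumes the frame is exposed as a [byte[]] in $record.Properties (the index is located at run time rather than hard-coded) and uses a placeholder file path; the TLV names and field layout are the standard CDP ones.

```powershell
# Added example: extract CDP frames from an NDIS-PacketCapture ETL via Get-WinEvent.
# Assumption: the captured frame is a [byte[]] entry in $record.Properties.

function ConvertFrom-CdpPayload {
    param([Parameter(Mandatory)][byte[]]$Payload)

    # CDP header: version(1) ttl(1) checksum(2), then TLVs of type(2) length(2) value, big-endian;
    # the TLV length includes its own 4-byte header.
    if ($Payload.Length -lt 4) { return $null }
    $names  = @{ 1 = 'DeviceId'; 3 = 'PortId'; 5 = 'SoftwareVersion'; 6 = 'Platform' }
    $tlvs   = [ordered]@{ Version = $Payload[0]; Ttl = $Payload[1] }
    $offset = 4
    while ($offset + 4 -le $Payload.Length) {
        $type   = ($Payload[$offset] -shl 8) -bor $Payload[$offset + 1]
        $length = ($Payload[$offset + 2] -shl 8) -bor $Payload[$offset + 3]
        # Malformed or truncated TLV (e.g. cut off by -TruncationLength): stop rather than over-read
        if ($length -lt 4 -or $offset + $length -gt $Payload.Length) { break }
        $value = if ($length -gt 4) { $Payload[($offset + 4)..($offset + $length - 1)] } else { @() }
        if ($names.ContainsKey($type)) {
            $tlvs[$names[$type]] = [System.Text.Encoding]::ASCII.GetString([byte[]]$value)
        } else {
            $tlvs[('Tlv0x{0:X4}' -f $type)] = ($value | ForEach-Object { $_.ToString('X2') }) -join ''
        }
        $offset += $length
    }
    [pscustomobject]$tlvs
}

function Get-CdpFrameFromEtl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$EventId = 1001   # "Packet Fragment" in Microsoft-Windows-NDIS-PacketCapture
    )

    Get-WinEvent -Path $Path -Oldest -ErrorAction Stop |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' -and $_.Id -eq $EventId } |
        ForEach-Object {
            $record = $_
            # Assumption: the first byte-array property of the event is the captured frame
            $frame = ($record.Properties | Where-Object { $_.Value -is [byte[]] } | Select-Object -First 1).Value
            if (-not $frame -or $frame.Length -lt 26) { return }   # too short for Ethernet + LLC/SNAP + CDP header

            $dst = ($frame[0..5]  | ForEach-Object { $_.ToString('X2') }) -join '-'
            $src = ($frame[6..11] | ForEach-Object { $_.ToString('X2') }) -join '-'

            # CDP rides in an 802.3 frame: dst(6) src(6) length(2), LLC AA AA 03, SNAP OUI 00 00 0C, PID 20 00
            $isCdp = $dst -eq '01-00-0C-CC-CC-CC' -and
                     $frame[14] -eq 0xAA -and $frame[15] -eq 0xAA -and $frame[16] -eq 0x03 -and
                     $frame[17] -eq 0x00 -and $frame[18] -eq 0x00 -and $frame[19] -eq 0x0C -and
                     $frame[20] -eq 0x20 -and $frame[21] -eq 0x00
            if (-not $isCdp) { return }

            $payload = [byte[]]$frame[22..($frame.Length - 1)]
            [pscustomobject]@{
                TimeCreated = $record.TimeCreated
                SourceMac   = $src
                FrameBytes  = $frame.Length
                Cdp         = ConvertFrom-CdpPayload -Payload $payload
            }
        }
}

# Usage (placeholder path; the file written by the capture session above):
Get-CdpFrameFromEtl -Path 'C:\temp\johnwork.etl' | Format-List
```

If $record.Properties comes back empty for the 1001 events, $record.ToXml() shows the EventData fields and their names for that provider, which tells you which field holds the frame and how it is encoded; the byte-array check above is the assumption that most needs confirming against a real trace. The TLV loop stops at the first length that runs past the end of the data, so a frame cut short by -TruncationLength yields the TLVs that fit and nothing misleading after them.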
I have been playing around with traces as well and I am also stumped. Judging from my tests with Get-WinEvent, there is no way to access it in PS. Have you tried opening the trace file with Microsoft Message Analyzer? There does not seem to be much documentation anywhere.
John, can you provide a file with a few sample records?