This topic contains 2 replies, has 3 voices, and was last updated by
May 22, 2017 at 5:48 pm #71216ParticipantPoints: 0Rank: Member
the post use-powershell-to-parse-network-trace-logs/ and it the closed thing I can find to the problem I trying to solve.
Basically I'm trying to capture and parse a CDP packet in powershell.
When I do a straight read file in the RAW I see the data there, but it's a mess. I'm not sure any amount of regex magic would ever let me get results back 100% of the time.
When I look at the method in the article , I see the following
ProviderName: Microsoft-Windows-NDIS-PacketCapture TimeCreated Id LevelDisplayName Message ----------- -- ---------------- ------- 5/22/2017 1:21:27 PM 1016 Information Capture Rule: Id=InterfaceIndex Directive=EQU ValueLength=4 Value=0x03000000 5/22/2017 1:21:27 PM 1016 Information Capture Rule: Id=Any MAC Address Directive=EQU ValueLength=6 Value=0x01000CCCCCCC 5/22/2017 1:21:27 PM 1016 Information Capture Rule: Id=Packet Truncate Bytes Directive=EQU ValueLength=4 Value=0x000... 5/22/2017 1:21:27 PM 1011 Information Capture Rules Count=3 5/22/2017 1:21:58 PM 1001 Information Packet Fragment (474 bytes)
That packet fragment is the CDP pack I need to get my hand on, but I cannot for the life of me figure out how to get to the payload. Do you have any ideas? Of a good method
Test code below:
$Session = New-NetEventSession -Name “Session1a” -LocalFilePath C:\temp\johnwork.etl -CaptureMode SaveToFile Add-NetEventPacketCaptureProvider -SessionName "session1a" -LinkLayerAddress "01-00-0c-cc-cc-cc" -TruncationLength 1024 -CaptureType BothPhysicalAndSwitch Add-NetEventNetworkAdapter -Name "Ethernet" -PromiscuousMode $true Start-NetEventSession -Name "Session1a" Sleep -Seconds 62 Stop-NetEventSession -Name "session1a" $log = Get-WinEvent -Path $session.LocalFilePath –Oldest Remove-NetEventSession -Name "Session1a"
May 24, 2017 at 9:04 pm #71461ParticipantPoints: 25Rank: Member
I have been playing around with traces as well and I am also stumped. Judging from my tests with Get-WinEvent, there is no way to access it in PS. Have you tried opening the trace file with Microsoft Message Analyzer? There does not seem to be much documentation anywhere.
May 27, 2017 at 10:23 pm #71596ParticipantPoints: 0Rank: Member
John, can you provide a file with a few sample records?
The topic ‘powershell to parse a ETL file payload’ is closed to new replies.