PowerShell to parse an ETL file payload

This topic contains 2 replies, has 3 voices, and was last updated by  Paul 2 months, 3 weeks ago.

  • #71216

    John Dansak
    Participant

    Hello everyone,
    The post use-powershell-to-parse-network-trace-logs/ is the closest thing I can find to the problem I'm trying to solve.
    Basically I'm trying to capture and parse a CDP packet in PowerShell.

    When I do a straight read of the raw file I see the data there, but it's a mess. I'm not sure any amount of regex magic would ever let me get results back 100% of the time.

    When I look at the method in the article, I see the following:

       ProviderName: Microsoft-Windows-NDIS-PacketCapture
    
    TimeCreated                     Id LevelDisplayName Message                                                                          
    -----------                     -- ---------------- -------                                                                          
    5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=InterfaceIndex Directive=EQU ValueLength=4 Value=0x03000000     
    5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=Any MAC Address Directive=EQU ValueLength=6 Value=0x01000CCCCCCC
    5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=Packet Truncate Bytes Directive=EQU ValueLength=4 Value=0x000...
    5/22/2017 1:21:27 PM          1011 Information      Capture Rules Count=3                                                            
    5/22/2017 1:21:58 PM          1001 Information      Packet Fragment (474 bytes) 

    That packet fragment is the CDP packet I need to get my hands on, but I cannot for the life of me figure out how to get to the payload. Do you have any ideas of a good method?

    Test code below:

    # Capture frames to the CDP multicast address (01-00-0c-cc-cc-cc) on "Ethernet" into an ETL file for about a minute
    $Session = New-NetEventSession -Name "Session1a" -LocalFilePath C:\temp\johnwork.etl -CaptureMode SaveToFile
    Add-NetEventPacketCaptureProvider -SessionName "Session1a" -LinkLayerAddress "01-00-0c-cc-cc-cc" -TruncationLength 1024 -CaptureType BothPhysicalAndSwitch
    Add-NetEventNetworkAdapter -Name "Ethernet" -PromiscuousMode $true
    Start-NetEventSession -Name "Session1a"
    Start-Sleep -Seconds 62
    Stop-NetEventSession -Name "Session1a"
    # Read the trace back, oldest event first
    $log = Get-WinEvent -Path $Session.LocalFilePath -Oldest

    Remove-NetEventSession -Name "Session1a"
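John's question is how to get at the CDP payload once the fragment bytes are in hand; as an added example (not code from the thread or from the article it references), here is a PowerShell function that walks the Ethernet/LLC/SNAP header and the CDP TLVs of a frame, run against a constructed sample frame. The sample bytes, the SW-LAB/Gi1/0/7/C9300 values and the commented Get-WinEvent hook at the end are assumptions, not taken from John's capture.

```powershell
# Added example, not code from the thread: walk the Ethernet/LLC/SNAP header and CDP TLVs of a raw frame.
function ConvertFrom-CdpFrame {
    param([Parameter(Mandatory)][byte[]]$Frame)
    # CDP is carried in an 802.3 frame to 01:00:0C:CC:CC:CC with LLC (AA AA 03) and SNAP (OUI 00 00 0C, PID 0x2000)
    $dst = ($Frame[0..5] | ForEach-Object { $_.ToString('X2') }) -join ':'
    if ($dst -ne '01:00:0C:CC:CC:CC') { throw "Not a CDP multicast frame (dst $dst)" }
    if ($Frame[14] -ne 0xAA -or $Frame[15] -ne 0xAA -or $Frame[20] -ne 0x20 -or $Frame[21] -ne 0x00) {
        throw 'LLC/SNAP header is not CDP (expected PID 0x2000)'
    }
    $cdp    = 22                               # 14 Ethernet + 3 LLC + 5 SNAP
    $names  = @{ 1 = 'DeviceId'; 3 = 'PortId'; 4 = 'Capabilities'; 5 = 'SoftwareVersion'; 6 = 'Platform'; 10 = 'NativeVlan'; 11 = 'Duplex' }
    $result = [ordered]@{ Version = [int]$Frame[$cdp]; TtlSeconds = [int]$Frame[$cdp + 1] }

    $pos = $cdp + 4                            # skip version, TTL and checksum
    while ($pos + 4 -le $Frame.Length) {
        $type = ($Frame[$pos] -shl 8) -bor $Frame[$pos + 1]      # big-endian TLV type
        $len  = ($Frame[$pos + 2] -shl 8) -bor $Frame[$pos + 3]  # length includes the 4-byte TLV header
        if ($len -lt 4 -or $pos + $len -gt $Frame.Length) { throw "Malformed TLV at offset $pos (length $len)" }
        [byte[]]$value = if ($len -gt 4) { $Frame[($pos + 4)..($pos + $len - 1)] } else { @() }
        $name = if ($names.Contains($type)) { $names[$type] } else { 'Type0x{0:X4}' -f $type }
        $result[$name] = switch ($type) {
            { $_ -in 1, 3, 5, 6 } { [Text.Encoding]::ASCII.GetString($value) }
            10      { ($value[0] -shl 8) -bor $value[1] }
            11      { if ($value[0] -eq 1) { 'Full' } else { 'Half' } }
            default { '0x' + (($value | ForEach-Object { $_.ToString('X2') }) -join '') }
        }
        $pos += $len
    }
    [pscustomobject]$result
}

# Constructed sample frame (all values made up for this example), written as hex for readability
$hexParts = @(
    '01000CCCCCCC 001122334455 0043'   # dst 01:00:0C:CC:CC:CC, src, 802.3 length 67
    'AAAA03 00000C2000'                # LLC + SNAP (OUI 00:00:0C, PID 0x2000 = CDP)
    '02B40000'                         # CDP version 2, TTL 180 s, checksum (not verified here)
    '0001000A 53572D4C4142'            # DeviceId "SW-LAB"
    '0003000B 4769312F302F37'          # PortId "Gi1/0/7"
    '00040008 00000028'                # Capabilities: switch (0x08) + IGMP (0x20)
    '0006000F 636973636F204339333030'  # Platform "cisco C9300"
    '000A0006 0064'                    # NativeVlan 100
    '000B0005 01'                      # Duplex full
)
$hex   = ($hexParts -join '') -replace '\s'
$frame = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
ConvertFrom-CdpFrame $frame | Format-List

# Hooking this into the trace is an assumption I have not verified: that event 1001 exposes the fragment as a [byte[]] property.
# Get-WinEvent -Path C:\temp\johnwork.etl -Oldest | Where-Object Id -eq 1001 | ForEach-Object {
#     ConvertFrom-CdpFrame ($_.Properties | Where-Object { $_.Value -is [byte[]] } | Select-Object -First 1).Value }
```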
  • #71461

    Dan Franciscus
    Participant

    I have been playing around with traces as well and I am also stumped. Judging from my tests with Get-WinEvent, there is no way to access it in PS. Have you tried opening the trace file with Microsoft Message Analyzer? There does not seem to be much documentation anywhere.

  • #71596

    Paul
    Participant

    John, can you provide a file with a few sample records?
