Author Posts

May 22, 2017 at 5:48 pm

hello everyone,
The post use-powershell-to-parse-network-trace-logs/ is the closest thing I can find to the problem I'm trying to solve.
Basically I'm trying to capture and parse a CDP packet in PowerShell.

When I do a straight read file in the RAW I see the data there, but it's a mess. I'm not sure any amount of regex magic would ever let me get results back 100% of the time.

When I look at the method in the article, I see the following:

   ProviderName: Microsoft-Windows-NDIS-PacketCapture

TimeCreated                     Id LevelDisplayName Message                                                                          
-----------                     -- ---------------- -------                                                                          
5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=InterfaceIndex Directive=EQU ValueLength=4 Value=0x03000000     
5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=Any MAC Address Directive=EQU ValueLength=6 Value=0x01000CCCCCCC
5/22/2017 1:21:27 PM          1016 Information      Capture Rule: Id=Packet Truncate Bytes Directive=EQU ValueLength=4 Value=0x000...
5/22/2017 1:21:27 PM          1011 Information      Capture Rules Count=3                                                            
5/22/2017 1:21:58 PM          1001 Information      Packet Fragment (474 bytes) 

That packet fragment is the CDP packet I need to get my hands on, but I cannot for the life of me figure out how to get to the payload. Do you have any ideas of a good method?

Test code below:

$Session = New-NetEventSession -Name "Session1a" -LocalFilePath C:\temp\johnwork.etl  -CaptureMode SaveToFile 
Add-NetEventPacketCaptureProvider -SessionName "session1a" -LinkLayerAddress "01-00-0c-cc-cc-cc" -TruncationLength 1024 -CaptureType BothPhysicalAndSwitch 
Add-NetEventNetworkAdapter -Name "Ethernet" -PromiscuousMode $true 
Start-NetEventSession -Name "Session1a" 
Sleep -Seconds 62
Stop-NetEventSession -Name "session1a" 
$log = Get-WinEvent -Path $session.LocalFilePath -Oldest

Remove-NetEventSession -Name "Session1a"
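An added example (not from the original post or any reply in this thread) showing one way to pull the event 1001 packet fragments out of the ETL and walk the CDP TLVs. It assumes the raw frame is the fourth property of event 1001 (Properties[3], the Fragment field); that offset is an assumption, so check it against ([xml]$evt.ToXml()).Event.EventData on a real trace. The parser is run on a constructed frame so it works without a capture.

```powershell
# Assumption: event 1001's fourth property (Properties[3]) is the raw frame (Fragment).
function Get-NdisFragmentBytes {
    param([string]$EtlPath)
    Get-WinEvent -Path $EtlPath -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' -and $_.Id -eq 1001 } |
        ForEach-Object { ,([byte[]]$_.Properties[3].Value) }   # leading comma keeps each frame as one array
}

function ConvertFrom-CdpFrame {
    param([byte[]]$Frame)
    # 802.3 header (14 bytes) then LLC/SNAP (8 bytes); SNAP OUI 00:00:0C + PID 0x2000 identifies CDP
    if ($Frame.Length -lt 26 -or $Frame[14] -ne 0xAA -or $Frame[20] -ne 0x20 -or $Frame[21] -ne 0x00) {
        throw 'Not a CDP frame (expected LLC/SNAP with PID 0x2000)'
    }
    $result = [ordered]@{ Version = $Frame[22]; TTL = $Frame[23] }   # followed by a 2-byte checksum, not verified here
    $names  = @{ 1 = 'DeviceId'; 2 = 'Addresses'; 3 = 'PortId'; 4 = 'Capabilities'; 5 = 'SoftwareVersion'; 6 = 'Platform'; 10 = 'NativeVlan' }
    $i = 26
    while ($i + 4 -le $Frame.Length) {
        $type = ($Frame[$i] -shl 8) -bor $Frame[$i + 1]
        $len  = ($Frame[$i + 2] -shl 8) -bor $Frame[$i + 3]   # TLV length includes its own 4-byte header
        if ($len -lt 4 -or $i + $len -gt $Frame.Length) { throw "Malformed TLV at offset $i (length $len)" }
        $value = New-Object byte[] ($len - 4)
        [Array]::Copy($Frame, $i + 4, $value, 0, $len - 4)
        $key = if ($names.ContainsKey($type)) { $names[$type] } else { 'Type0x{0:X4}' -f $type }
        $result[$key] = switch ($type) {
            { $_ -in 1, 3, 5, 6 } { [Text.Encoding]::ASCII.GetString($value) }   # string-valued TLVs
            10                    { ($value[0] -shl 8) -bor $value[1] }           # native VLAN, 16-bit big-endian
            default               { ($value | ForEach-Object { '{0:X2}' -f $_ }) -join '' }
        }
        $i += $len
    }
    [pscustomobject]$result
}

# Constructed sample frame: CDP multicast dst 01:00:0C:CC:CC:CC, CDP v2, Device ID "SW1234", Port ID "Gi1/0/1", native VLAN 100
$hex = '01000CCCCCCC' + '001122334455' + '0027' + 'AAAA0300000C2000' + '02B40000' +
       '0001000A535731323334' + '0003000B4769312F302F31' + '000A00060064'
$frame = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
ConvertFrom-CdpFrame $frame

# On a real trace (path taken from the original post):
# Get-NdisFragmentBytes 'C:\temp\johnwork.etl' | ForEach-Object { ConvertFrom-CdpFrame $_ }
```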

May 24, 2017 at 9:04 pm

I have been playing around with traces as well and I am also stumped. Judging from my tests with Get-WinEvent, there is no way to access it in PS. Have you tried opening the trace file with Microsoft Message Analyzer? There does not seem to be much documentation anywhere.

May 27, 2017 at 10:23 pm

John, can you provide a file with a few sample records?