Is anyone aware of any integration with WireShark or does PowerShell have the ability to perform packet captures? I am ultimately looking to analyze the packets in WireShark, but can do the packet capture with anything. From my research, it appears there is a way to use netsh to create an ETL file and then potentially convert that to PCAP to analyze in WireShark, but that has limited information. Have also found a few cmdlets (Start-NetEventSession, etc) that I may be able to customize into a script (not supported on Windows 7). Unfortunately, I have not found much else. Thanks!
The is no PS native integration with any packet capture tool and am unaware of any plans to make it so.
However, you can create a simple packet capture using PS.
Examples are all over the web, a quick search will turn this up…
‘powershell packet capture’
https://devblogs.microsoft.com/scripting/packet-sniffing-with-powershell-getting-started
However, you can directly start and stop Wireshark using PS just as you could with any other process. I do this all the time.
Well, I also use for capture an analysis (it can read Winshark files as well)… I find it better when viewing captures most of the time. Well, I use them side by side to take advantage of better features for X or Y depending on what I am after.
Microsoft Message Analyzer https://www.microsoft.com/en-us/download/details.aspx?id=44226
Both WS and MMS have command line switches you can pass to start / stop and opening associated files for review.
Thanks - I have seen these articles. They all use ETL files and don’t have nearly as much information as Wireshark would. I found exactly what I was looking for using tshark.exe (part of Wireshark): PowerShell: Capture Network Traces – killyvehy . It didn’t work as-is (had to add a “-b” switch to the last tshark line and also specify which interface to use with an -i switch, but was able to add those. I then built a script to install Wireshark/WinPcap remotely, start a packet capture on command and stop the packet capture on command (all silently) and then have the pcapng files copied back to my system for analysis.
There was a presentation about PowerShell and WireShark a couple of years ago, you may want to have a look:
SharkFest’17 EUROPE Retrospective
The useful link is at the very bottom of the page:
“33: TShark Command Line using PowerShell by Graham Bloice”
Understood, and I had not seen this pointer you referenced.
Popping it into VSCode immediate reported syntax error the were easily enough addressed.