hello everyone,
The post use-powershell-to-parse-network-trace-logs/ is the closest thing I can find to the problem I'm trying to solve.
Basically I’m trying to capture and parse a CDP packet in powershell.
When I do a straight read of the file in RAW I see the data there, but it's a mess. I'm not sure any amount of regex magic would ever let me get results back 100% of the time.
When I look at the method in the article, I see the following:
ProviderName: Microsoft-Windows-NDIS-PacketCapture

TimeCreated           Id   LevelDisplayName Message
-----------           --   ---------------- -------
5/22/2017 1:21:27 PM  1016 Information      Capture Rule: Id=InterfaceIndex Directive=EQU ValueLength=4 Value=0x03000000
5/22/2017 1:21:27 PM  1016 Information      Capture Rule: Id=Any MAC Address Directive=EQU ValueLength=6 Value=0x01000CCCCCCC
5/22/2017 1:21:27 PM  1016 Information      Capture Rule: Id=Packet Truncate Bytes Directive=EQU ValueLength=4 Value=0x000...
5/22/2017 1:21:27 PM  1011 Information      Capture Rules Count=3
5/22/2017 1:21:58 PM  1001 Information      Packet Fragment (474 bytes)
That packet fragment is the CDP packet I need to get my hands on, but I cannot for the life of me figure out how to get to the payload. Do you have any ideas for a good method?
Test code below:
# One command per line; the curly quotes and the en-dash in "–Oldest" from the original paste are replaced with plain ASCII so the script actually parses.
$Session = New-NetEventSession -Name "Session1a" -LocalFilePath C:\temp\johnwork.etl -CaptureMode SaveToFile
# Capture only frames sent to the CDP multicast MAC, keeping up to 1024 bytes of each
Add-NetEventPacketCaptureProvider -SessionName "Session1a" -LinkLayerAddress "01-00-0c-cc-cc-cc" -TruncationLength 1024 -CaptureType BothPhysicalAndSwitch
Add-NetEventNetworkAdapter -Name "Ethernet" -PromiscuousMode $true
Start-NetEventSession -Name "Session1a"
# CDP advertisements default to a 60-second interval, so wait just over one
Start-Sleep -Seconds 62
Stop-NetEventSession -Name "Session1a"
# ETL files must be read oldest-first
$log = Get-WinEvent -Path $Session.LocalFilePath -Oldest
Remove-NetEventSession -Name "Session1a"
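As an added example (not the poster's code, and not from the linked article): one way to get at the fragment bytes without regex is to read the event's Properties and walk the CDP TLVs. It assumes that in event 1001 of Microsoft-Windows-NDIS-PacketCapture the fourth property is the Fragment byte array, and that the captured frame is an untagged 802.3 frame.

```powershell
# Added example, not the poster's code. ASSUMPTION: event 1001 carries the
# properties MiniportIfIndex, LowerIfIndex, FragmentSize, Fragment, so the raw
# frame is Properties[3]; confirm with ($evt.Properties | Format-List) on your
# own trace before relying on it. Untagged 802.3 frames only (no 802.1Q shift).
function ConvertFrom-CdpFrame {
    param([Parameter(Mandatory)][byte[]]$Frame)
    # Ethernet(14) + LLC AA-AA-03 (3) + SNAP OUI 00-00-0C, PID 20-00 (5) = 22 bytes,
    # then the CDP header: version(1) ttl(1) checksum(2), followed by TLVs.
    $snap = [byte[]](0xAA,0xAA,0x03,0x00,0x00,0x0C,0x20,0x00)
    if ($Frame.Length -lt 26) { throw "frame too short for Ethernet/LLC/SNAP/CDP" }
    for ($i = 0; $i -lt 8; $i++) {
        if ($Frame[14 + $i] -ne $snap[$i]) { throw "not a CDP frame (LLC/SNAP mismatch)" }
    }
    $out   = [ordered]@{ Version = $Frame[22]; TtlSeconds = $Frame[23] }
    $names = @{ 1 = 'DeviceId'; 3 = 'PortId'; 4 = 'Capabilities'; 5 = 'SoftwareVersion'; 6 = 'Platform' }
    $pos = 26
    while ($pos + 4 -le $Frame.Length) {
        $type = ($Frame[$pos] -shl 8) -bor $Frame[$pos + 1]
        $len  = ($Frame[$pos + 2] -shl 8) -bor $Frame[$pos + 3]   # length includes the 4-byte TLV header
        # A bad or truncated length field must never walk us off the end of the buffer
        if ($len -lt 4 -or $pos + $len -gt $Frame.Length) { break }
        $val = New-Object byte[] ($len - 4)
        [Array]::Copy($Frame, $pos + 4, $val, 0, $len - 4)
        $key = if ($names.ContainsKey($type)) { $names[$type] } else { "Tlv$type" }
        # String-valued TLVs are decoded as ASCII; everything else is kept as hex
        $out[$key] = if ($type -in 1,3,5,6) { [Text.Encoding]::ASCII.GetString($val) }
                     else { ($val | ForEach-Object { '{0:X2}' -f $_ }) -join '' }
        $pos += $len
    }
    [pscustomobject]$out
}

function Get-CdpFromEtl {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -Path $Path -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' -and $_.Id -eq 1001 } |
        ForEach-Object {
            $evt = $_
            try   { ConvertFrom-CdpFrame ([byte[]]$evt.Properties[3].Value) }   # see ASSUMPTION above
            catch { Write-Warning "skipping event from $($evt.TimeCreated): $_" }
        }
}

# Constructed sample frame (not a real capture): CDP v2, TTL 180, Device ID "SW1", Port ID "Gi0/1"
$hex = '01000CCCCCCC001122334455001C' + 'AAAA0300000C2000' + '02B40000' + '00010007535731' + '000300094769302F31'
$sample = [byte[]]([regex]::Matches($hex, '..') | ForEach-Object { [Convert]::ToByte($_.Value, 16) })
ConvertFrom-CdpFrame $sample          # DeviceId SW1, PortId Gi0/1
# Get-CdpFromEtl -Path C:\temp\johnwork.etl
```

The checksum is not verified here; if you need to reject corrupted fragments, add the standard CDP checksum check before trusting the TLVs.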