Hello all, here is Daniel Mauser again, and today I'm going to show you how you can take network capture traces using native PowerShell cmdlets. Before that, as a quick recap, let me point you to a great article from Hey, Scripting Guy! that shows how to get a network capture using PowerShell (Packet Sniffing with PowerShell: Getting Started). In that article he demonstrates using relevant network providers such as Microsoft-Windows-TCPIP, but the resulting capture does not look like the one taken by netsh trace start capture=yes.
Is there any way to do it via PowerShell?
The short answer is yes. We developed a very basic script demonstrating how to do that. The tricky part is picking the right ETW provider, which is Microsoft-Windows-NDIS-PacketCapture; more details below.
We will go step by step through saving a network capture to an ETL file, with the bonus of adding a timestamp to the file name and capping the file at 512 MB (circular, so the oldest data is overwritten once the limit is reached):
Define Timestamp variable
This will be appended to the name of the output ETL capture file.
PS C:\> $timestamp = Get-Date -f yyyy-MM-dd_HH-mm-ss
Note: the PowerShell commands listed below (the NetEventPacketCapture module) work on Windows 8.1 / Windows Server 2012 R2 and later Windows versions, and must be run from an elevated (Administrator) PowerShell session.
Create a new Session1
Now let's define the new capture session, adding the computer name and timestamp to the name of the ETL file being created:
PS C:\> New-NetEventSession -Name Session1 -LocalFilePath "c:\$env:computername-netcap-$timestamp.etl" -MaxFileSize 512
Name : Session1
CaptureMode : SaveToFile
LocalFilePath : c:\W10LAB-netcap-2017-04-26_19-45-17.etl
MaxFileSize : 512 MB
TraceBufferSize : 0 KB
MaxNumberOfBuffers : 0
SessionStatus : NotRunning
Adding provider
In this case it is necessary to add the provider Microsoft-Windows-NDIS-PacketCapture by its associated GUID, which is {2ED6006E-4729-4609-B423-3EE7BCD678EF}.
PS C:\> Add-NetEventProvider -Name "{2ED6006E-4729-4609-B423-3EE7BCD678EF}" -SessionName Session1
Name: Microsoft-Windows-NDIS-PacketCapture
SessionName: Session1
Level : 4
MatchAnyKeyword : 0xFFFFFFFFFFFFFFFF
MatchAllKeyword : 0x0
Note: the GUID was obtained by running the following command in PowerShell:
PS C:\> logman query providers | select-string ndis-packet
Microsoft-Windows-NDIS-PacketCapture {2ED6006E-4729-4609-B423-3EE7BCD678EF}
Starting a Network Capture Session
Now it is time to start the network capture by running:
PS C:\> Start-NetEventSession -Name Session1
Check status of the capture
Ensure the capture is running with the command below and check the last output line, SessionStatus:
PS C:\> Get-NetEventSession
Name : Session1
CaptureMode : SaveToFile
LocalFilePath : c:\W10LAB-netcap-2017-04-26_19-45-17.etl
MaxFileSize : 512 MB
TraceBufferSize : 64 KB
MaxNumberOfBuffers : 30
SessionStatus : Running
Stopping the Capture
After the capture has run for some time, you can stop it by running:
PS C:\> Stop-NetEventSession -Name Session1
Remove the Session
Now you can start the whole thing over by removing the session, either to make other customizations or because you need a new file with a new timestamp:
PS C:\> Remove-NetEventSession -Name Session1
Note: the script has been posted in this GitHub repository (Basic-Net-Capture.ps1) for your reference.
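To tie the steps above together, here is an added example (my own code, not the Basic-Net-Capture.ps1 script from the post) that wraps them in one function with a fixed capture duration. It goes a little beyond the steps in two ways: it removes a stale session of the same name before creating a new one, and it stops and removes the session in a finally block so no ETW session keeps writing to disk if the script is interrupted. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, that the NetEventPacketCapture module is available, and that the output folder already exists; the function name Start-TimedNetCapture and its parameters are my own choices.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules NetEventPacketCapture

function Start-TimedNetCapture {
    [CmdletBinding()]
    param(
        [string]$SessionName     = 'Session1',
        [string]$OutputFolder    = 'C:\',   # assumption: folder exists
        [int]   $MaxFileSizeMB   = 512,     # same 512 MB cap as the post
        [int]   $DurationSeconds = 60
    )

    # Same provider the post uses: Microsoft-Windows-NDIS-PacketCapture (by GUID).
    $ndisPacketCapture = '{2ED6006E-4729-4609-B423-3EE7BCD678EF}'

    # Host name plus timestamp in the file name, so repeated runs never overwrite each other.
    $timestamp = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
    $etlPath   = Join-Path $OutputFolder ('{0}-netcap-{1}.etl' -f $env:COMPUTERNAME, $timestamp)

    # A leftover session with the same name (e.g. from an interrupted run) makes
    # New-NetEventSession fail, so stop and remove it first.
    $stale = Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
    if ($stale) {
        if ($stale.SessionStatus -eq 'Running') { Stop-NetEventSession -Name $SessionName }
        Remove-NetEventSession -Name $SessionName
    }

    New-NetEventSession -Name $SessionName -LocalFilePath $etlPath -MaxFileSize $MaxFileSizeMB | Out-Null
    try {
        Add-NetEventProvider -Name $ndisPacketCapture -SessionName $SessionName | Out-Null
        Start-NetEventSession -Name $SessionName

        # Verify the session is actually capturing before we wait on it.
        $status = (Get-NetEventSession -Name $SessionName).SessionStatus
        if ($status -ne 'Running') {
            throw "Session '$SessionName' is in state '$status', not Running."
        }

        Write-Verbose "Capturing to $etlPath for $DurationSeconds seconds"
        Start-Sleep -Seconds $DurationSeconds
    }
    finally {
        # Always stop and remove the session, even on Ctrl-C or an error above.
        $current = Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
        if ($current -and $current.SessionStatus -eq 'Running') {
            Stop-NetEventSession -Name $SessionName
        }
        Remove-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
    }

    # Return the ETL file so the caller can check its size or hand it to a converter.
    Get-Item -Path $etlPath
}

# Usage: a 30-second capture written to C:\, with progress messages.
Start-TimedNetCapture -DurationSeconds 30 -Verbose
```

Two practical notes. First, because the session is removed on every exit path, a second call always produces a fresh file with a new timestamp instead of reusing the old file name. Second, the resulting ETL contains full packet payloads for everything the host sent and received during the window, so treat it as sensitive data; to read it, netsh trace convert input=<file>.etl produces a text dump, and Microsoft's etl2pcapng tool converts it to pcapng for Wireshark (both are tools I know of, not something the post covers).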
Final Considerations
We can reuse the same session by starting the capture again with Start-NetEventSession -Name Session1, but keep in mind that we defined the timestamp of the output file when we ran New-NetEventSession, so restarting the same session writes to the same file. To get a file with a new timestamp, you need to remove Session1 and create it again. You can also find other ways to do that, and feel free to post them in the comments below. I hope you learned something new today.