{"id":72801,"date":"2015-10-12T00:01:00","date_gmt":"2015-10-12T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/10\/12\/packet-sniffing-with-powershell-getting-started\/"},"modified":"2019-02-18T09:34:56","modified_gmt":"2019-02-18T16:34:56","slug":"packet-sniffing-with-powershell-getting-started","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/packet-sniffing-with-powershell-getting-started\/","title":{"rendered":"Packet Sniffing with PowerShell: Getting Started"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about getting started with packet sniffing in Windows PowerShell.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. One of the way cool things that happened with Windows 8.1 and Windows Server 2012 R2 was the ability to do network traces with Windows PowerShell. I have found network tracing extremely useful and helpful in troubleshooting and diagnostics ever since I wrote my book, Network Monitoring and Analysis: A Protocol Approach to Troubleshooting<\/a>.<\/p>\n

In the past, I have used batch files, automated the NetMon API, and done all kinds of crazy things to try to automate capturing network traces and analyzing the data. Although the Network Event Packet Capture cmdlets<\/a> have been around for at least a year, I have not written very much about them. The thing is that even though it is basic Windows PowerShell, it still takes a bit of time to figure out how to get started. This is because there are 27 cmdlets in the NetEventPacketCapture module:<\/p>\n

PS C:\\> (gcm -Module NetEventPacketCapture | measure).count<\/p>\n

27<\/p>\n

Here are the 27 cmdlets (functions):<\/p>\n

PS C:\\> gcm -Module NetEventPacketCapture | select name<\/p>\n

Name<\/p>\n

—-<\/p>\n

Add-NetEventNetworkAdapter<\/p>\n

Add-NetEventPacketCaptureProvider<\/p>\n

Add-NetEventProvider<\/p>\n

Add-NetEventVmNetworkAdapter<\/p>\n

Add-NetEventVmSwitch<\/p>\n

Add-NetEventWFPCaptureProvider<\/p>\n

Get-NetEventNetworkAdapter<\/p>\n

Get-NetEventPacketCaptureProvider<\/p>\n

Get-NetEventProvider<\/p>\n

Get-NetEventSession<\/p>\n

Get-NetEventVmNetworkAdapter<\/p>\n

Get-NetEventVmSwitch<\/p>\n

Get-NetEventWFPCaptureProvider<\/p>\n

New-NetEventSession<\/p>\n

Remove-NetEventNetworkAdapter<\/p>\n

Remove-NetEventPacketCaptureProvider<\/p>\n

Remove-NetEventProvider<\/p>\n

Remove-NetEventSession<\/p>\n

Remove-NetEventVmNetworkAdapter<\/p>\n

Remove-NetEventVmSwitch<\/p>\n

Remove-NetEventWFPCaptureProvider<\/p>\n

Set-NetEventPacketCaptureProvider<\/p>\n

Set-NetEventProvider<\/p>\n

Set-NetEventSession<\/p>\n

Set-NetEventWFPCaptureProvider<\/p>\n

Start-NetEventSession<\/p>\n

Stop-NetEventSession<\/p>\n

TechNet does a good job at describing the cmdlets, but there is also a pretty good chance that it will be rather cumbersome to figure out how to get started. I mean, how do I do a basic network trace? How is that trace viewed? How do I filter that trace to find useful information? These are the sorts of things that I would need if I were going to do a network trace using Windows PowerShell. So, let’s get started.<\/p>\n

Using an ETL log<\/h2>\n

This makes sense. With a gigabyte Ethernet (or greater), there are lots of packets flying by on the wire. Many of them are encrypted, and I can learn nearly nothing by watching network packets fly past. Well, nearly nothing. I can, of course, tell if my laptop is seeing anything on the wire—but that is basically the same as looking to see if the light blinks on my network card.<\/p>\n

As I have mentioned before, ETL logging is an extremely high performance logging interface that is capable of writing hundreds of events a second— just the thing if I want to do a network trace. And guess what? Windows PowerShell already has a cmdlet that will read ETL logs—the Get-WinEvent<\/b> cmdlet. So I don’t need anything else to be able to read my traces.<\/p>\n

Six basic steps to perform a network trace<\/h2>\n

There are six basic steps required to perform a network trace:<\/p>\n

    \n
  1. Add a new network event session with New-NetEventSession<\/b>.<\/li>\n
  2. Add a network event provider to the session with New-NetEventProvider<\/b>.<\/li>\n
  3. Start the session with Start-NetEventSession<\/b>.<\/li>\n
  4. Get information about the session with Get-NetEventSession<\/b>.<\/li>\n
  5. Stop the network event session with Stop-NetEventSession<\/b>.<\/li>\n
  6. Remove the network event session with Remove-NetEventSession<\/b>.<\/li>\n<\/ol>\n

    Step-by-step walkthrough<\/h2>\n

    Now I will go through the six steps that are used to create a new network event tracing session.<\/p>\n

    Create a new session<\/h3>\n

    The first thing I need to do is to create a new network event session. To do this, I use the New-NetEventSession<\/b> cmdlet and specify a name for the session. Here is an example of this command:<\/p>\n

    New-NetEventSession -Name “Session1”<\/p>\n

    When I run this command, I receive information such as where the log file will be and the size of file:<\/p>\n

    PS C:\\> New-NetEventSession -Name “Session1”<\/p>\n

    Name               : Session1<\/p>\n

    CaptureMode        : SaveToFile<\/p>\n

    LocalFilePath      : C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\NetEvent<\/p>\n

                         Trace.etl<\/p>\n

    MaxFileSize        : 250 MB<\/p>\n

    TraceBufferSize    : 0 KB<\/p>\n

    MaxNumberOfBuffers : 0<\/p>\n

    SessionStatus      : NotRunning<\/p>\n

    Add a provider<\/h3>\n

    The second thing I need to do is to add a provider to the network event session. To do this, I need to know two things:<\/p>\n