Perform a packet capture with PowerShell
Overview
I think that Wireshark is often used for a packet capture on Windows.However, I think that installation may be restricted depending on company policies or operating environments.
Powershell has a cmdlet called NetEventPacketCapture, which can be used to capture packets.
This article introduces a packet capture method using cmdlets natively provided in Powershell.
Creates a network event session
First, create a network event session with New-NetEventSession cmdlet.
The main options are the following.
| Option | Description |
|---|---|
| Name | Specify a name of the session. |
| LocalFilePath | Specify file name to save packet capture. |
| MaxFileSize | Specify file size to save packet capture.(Unit:MB) |
1PS C:\> New-NetEventSession -Name "Session01" -LocalFilePath D:\Capture\Session01.etl
2
3Name : Session01
4CaptureMode : SaveToFile
5LocalFilePath : D:\Capture\Session01.etl
6MaxFileSize : 250 MB
7TraceBufferSize : 0 KB
8MaxNumberOfBuffers : 0
9SessionStatus : NotRunning
Adds an provider to a session
Second, add the network event provider to the session with Add-NetEventPacketCaptureProvider cmdlet.
A network event provider logs events and network traffic as Event Tracing for Windows (ETW) events.
The main options are the following.
| Option | Description |
|---|---|
| SessionName | Specify a name of the session. |
| IpAddresses | Specify an array of IP addresses. |
| IpProtocols | Specify an array of one or more IP protocols.6 means TCP.17 means UDP. |
1PS C:\> Add-NetEventPacketCaptureProvider -SessionName "Session01"
2
3Name : Microsoft-Windows-NDIS-PacketCapture
4SessionName : Session01
5Level : 4
6MatchAnyKeyword : 0xFFFFFFFFFFFFFFFF
7MatchAllKeyword : 0x0
8CaptureType : BothPhysicalAndSwitch
9VmCaptureDirection : IngressAndEgress
10MultiLayer : False
11LinkLayerAddress : {}
12EtherType : {}
13IpAddresses : {}
14IpProtocols : {}
15TruncationLength : 128
Adds a network adapter as a filter on a provider (Optional)
If you want to identify a network interface for a packet capture, perform Add-NetEventPacketCaptureProvider cmdlet.
The main options are the following.
| Option | Description |
|---|---|
| Name | Specify the name of a network adapter to add.It can be checked with Get-NetAdapter cmdlet. |
1PS C:\> Add-NetEventNetworkAdapter -Name "Ethernet"
2
3Name : Ethernet
4InterfaceDescription : Intel(R) Ethernet Connection (2) I219-V
5ProviderName : Microsoft-Windows-NDIS-PacketCapture
6CaptureStatus :
Starts a packet capture
Now that everything is ready, start a packet capture with Start-NetEventSession cmdlet.
The main options are the following.
| Option | Description |
|---|---|
| Name | Specify a name of the session. |
1PS C:\> Start-NetEventSession -Name "Session01"
Stops a packet capture
To stop a packet capture, perform Stop-NetEventSession cmdlet.
Logs are saved to the file specified in New-NetEventSession cmdlet.
The main options are the following.
| Option | Description |
|---|---|
| Name | Specify a name of the session. |
1PS C:\> Stop-NetEventSession -Name "Session01"
Removes a network event session
After performing a packet capture, remove the network event session with Remove-NetEventSession cmdlet. If you don't delete it with the cmdlet, the session will remain (even after restarting the terminal). Also, multiple sessions cannot be created.
1PS C:\> Remove-NetEventSession
Convert etl to pcapng
The etl file, which is the packet capture log, can be viewed with Network Monitor, etc. If you want to refer to it with Wireshark, you can save it in pcap format with Network Monitor, or convert it to pcapng with the command published on github.
1PS C:\> D:\Capture\etl2pcapng.exe D:\Capture\Session01.etl D:\Capture\Session01.pcapng
2IF: medium=eth ID=0 IfIndex=13 VlanID=0
3Converted 8875 frames