Perform a packet capture with PowerShell

Overview

Wireshark is probably the tool most often used for packet capture on Windows. However, installing it may be restricted by company policy or by the operating environment.
PowerShell ships the NetEventPacketCapture cmdlets, which can be used to capture packets without any additional software.
This article introduces a packet capture method that uses only cmdlets natively provided with PowerShell.

Creates a network event session

First, create a network event session with the New-NetEventSession cmdlet.
The main options are the following.

Option         Description
Name           Specify the name of the session.
LocalFilePath  Specify the file to save the packet capture to.
MaxFileSize    Specify the maximum size of the capture file (unit: MB).

PS C:\> New-NetEventSession -Name "Session01" -LocalFilePath D:\Capture\Session01.etl

Name               : Session01
CaptureMode        : SaveToFile
LocalFilePath      : D:\Capture\Session01.etl
MaxFileSize        : 250 MB
TraceBufferSize    : 0 KB
MaxNumberOfBuffers : 0
SessionStatus      : NotRunning

Adds a provider to a session

Second, add the network event provider to the session with the Add-NetEventPacketCaptureProvider cmdlet. A network event provider logs events and network traffic as Event Tracing for Windows (ETW) events.
The main options are the following.

Option       Description
SessionName  Specify the name of the session.
IpAddresses  Specify an array of IP addresses to capture.
IpProtocols  Specify an array of one or more IP protocol numbers (6 means TCP, 17 means UDP).

PS C:\> Add-NetEventPacketCaptureProvider -SessionName "Session01"

Name               : Microsoft-Windows-NDIS-PacketCapture
SessionName        : Session01
Level              : 4
MatchAnyKeyword    : 0xFFFFFFFFFFFFFFFF
MatchAllKeyword    : 0x0
CaptureType        : BothPhysicalAndSwitch
VmCaptureDirection : IngressAndEgress
MultiLayer         : False
LinkLayerAddress   : {}
EtherType          : {}
IpAddresses        : {}
IpProtocols        : {}
TruncationLength   : 128

Adds a network adapter as a filter on a provider (Optional)

If you want to restrict the packet capture to a specific network interface, run the Add-NetEventNetworkAdapter cmdlet.
The main options are the following.

Option  Description
Name    Specify the name of the network adapter to add. It can be checked with the Get-NetAdapter cmdlet.

PS C:\> Add-NetEventNetworkAdapter -Name "Ethernet"

Name                 : Ethernet
InterfaceDescription : Intel(R) Ethernet Connection (2) I219-V
ProviderName         : Microsoft-Windows-NDIS-PacketCapture
CaptureStatus        :

Starts a packet capture

Now that everything is ready, start the packet capture with the Start-NetEventSession cmdlet.
The main options are the following.

Option  Description
Name    Specify the name of the session.

PS C:\> Start-NetEventSession -Name "Session01"

Stops a packet capture

To stop the packet capture, run the Stop-NetEventSession cmdlet.
The log is saved to the file specified with the New-NetEventSession cmdlet. The main options are the following.

Option  Description
Name    Specify the name of the session.

PS C:\> Stop-NetEventSession -Name "Session01"

Removes a network event session

After the packet capture is finished, remove the network event session with the Remove-NetEventSession cmdlet. If you do not remove it with this cmdlet, the session remains (even after the terminal is restarted). Also, since multiple sessions cannot be created, a leftover session blocks the creation of a new one.

PS C:\> Remove-NetEventSession

Convert etl to pcapng

The etl file, which is the packet capture log, can be viewed with Network Monitor and similar tools. If you want to open it in Wireshark, you can either save it in pcap format from Network Monitor or convert it to pcapng with the etl2pcapng command published on GitHub.

PS C:\> D:\Capture\etl2pcapng.exe D:\Capture\Session01.etl D:\Capture\Session01.pcapng
IF: medium=eth                  ID=0    IfIndex=13      VlanID=0
Converted 8875 frames
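The whole procedure above, from creating the session to converting the etl file, as one script. This is an added example, not code from the original article; it assumes an elevated PowerShell session, an adapter named "Ethernet", etl2pcapng.exe in D:\Capture, and a capture duration, MaxFileSize and TruncationLength chosen for the example. It also handles the two caveats from the article: it refuses to run if a session already exists, and it always removes the session afterwards.

```powershell
# Added example (not from the original article). Assumptions: elevated PowerShell,
# adapter named "Ethernet", etl2pcapng.exe located in D:\Capture.
$SessionName = "Session01"
$EtlPath     = "D:\Capture\Session01.etl"
$PcapngPath  = "D:\Capture\Session01.pcapng"
$Adapter     = "Ethernet"
$Seconds     = 30   # capture duration chosen for this example

# Only one session can exist at a time, so stop early if one is left over.
if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
    throw "Session '$SessionName' already exists; remove it with Remove-NetEventSession first."
}

try {
    # MaxFileSize is in MB (the article's default output shows 250 MB).
    New-NetEventSession -Name $SessionName -LocalFilePath $EtlPath -MaxFileSize 100 | Out-Null

    # Capture only TCP (6) and UDP (17); raise TruncationLength above the
    # 128-byte default so full packet payloads are saved.
    Add-NetEventPacketCaptureProvider -SessionName $SessionName `
        -IpProtocols 6,17 -TruncationLength 1500 | Out-Null

    # Restrict the capture to one interface (optional step in the article).
    Add-NetEventNetworkAdapter -Name $Adapter | Out-Null

    Start-NetEventSession -Name $SessionName
    Write-Host "Capturing on '$Adapter' for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
    Stop-NetEventSession -Name $SessionName
}
finally {
    # Always remove the session; otherwise it survives closing the terminal
    # and blocks creating a new one later.
    if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
        Remove-NetEventSession -Name $SessionName
    }
}

if (Test-Path $EtlPath) {
    $size = (Get-Item $EtlPath).Length
    Write-Host ("Capture saved: {0} ({1:N0} bytes)" -f $EtlPath, $size)
    # Convert to pcapng for Wireshark if the converter is available.
    $converter = "D:\Capture\etl2pcapng.exe"
    if (Test-Path $converter) {
        & $converter $EtlPath $PcapngPath
    }
}
```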
