Wednesday, April 1, 2009

Working with netmon caps in Powershell

An update to this post 8:32 PM 8/7/2009:

I have no path to loading nmcap files into powershell now that logparser does not work with the Netmon 3.3 file format. I added my comment to this feature request:

https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=265564&SiteID=216

"The jump between 3.2 and 3.3 file formats/APIs broke the logparser 2.2 interface to netmon files, which was extraordinarily useful since logparser would convert file formats, sql-lize queries, create charts and datagrids, etc. Examples are below. Granted this is probably a logparser (e.g. unsupported ware) defect, however... The real defect here is that there is no path to convert Netmon 3.3 capture files to CSV.

C:\Program Files (x86)\Log Parser 2.2>logparser -headers OFF -stats NO -i:NETMON -o:CSV "SELECT DateTime,SrcMAC,SrcPort,DstMAC,DstPort,WindowSize FROM 32.cap"
2009-01-13 11:37:53,00095B00F3DA,80,0013021A607B,2004,32890
2009-01-13 11:37:53,0013021A607B,2006,00095B00F3DA,80,16384
2009-01-13 11:37:54,00095B00F3DA,80,0013021A607B,2006,5840
2009-01-13 11:37:54,0013021A607B,2006,00095B00F3DA,80,17520
2009-01-13 11:37:54,0013021A607B,2006,00095B00F3DA,80,17520
.....

C:\Program Files (x86)\Log Parser 2.2>logparser -headers OFF -i:NETMON -o:CSV "SELECT DateTime,SrcMAC,SrcPort,DstMAC,DstPort,WindowSize FROM 33.cap"
Statistics:
-----------
Elements processed: 0
Elements output: 0
Execution time: 0.01 seconds"

7:10 AM 4/2/2009: An update to this post


Once you have a capture in the form of an object, you can do interesting work with it in powershell:


# keep only packets whose source or destination address is in 8.0.0.0/8
$DstSrcPort_8NET = $capture | where-object {($_.SrcIP -match "^8\." ) -or ($_.DstIP -match "^8\.")}
$DstSrcPort_8NET | Sort DateTime -unique | ft | more
# most-hit destination ports first
$DstSrcPort_8NET | group-object DstPort | Sort -descending Count
$DstSrcPort_8NET | measure-object -average -minimum -maximum -property WindowSize
# one entry per distinct source address, then reverse-resolve each
$a = $DstSrcPort_8NET | Sort SrcIP -unique
$a | %{[System.Net.DNS]::Resolve($_.SrcIP)}



In progress... concatenating collections of nmcap files and searching them for a specific SrcIP and DstIP with PowerShell and LogParser. This code is working now, but still "to be continued"...

function Search-IP($IP_String)
{ #start function
# list every .cap in the current directory, convert each to CSV with logparser,
# append all rows to one temp file named after the current FileTime, then import it
(ls -name *.cap) |
foreach-object -begin {$file = [DateTime]::now.ToFileTime().ToString()} `
-process {
$filename = $_ ;
$temp = logparser -headers OFF -stats NO -i:NETMON -o:CSV "SELECT DateTime,SrcIP,SrcPort,DstIP,DstPort,WindowSize FROM $filename" ;
out-file -inputobject $temp -append -noclobber -filepath $file} `
-end {
$header = "DateTime","SrcIP","SrcPort","DstIP","DstPort","WindowSize" ;
$Global:capture = Import-csv $file -header $header ;
# object match: $IP_String is a regex tested against the whole stringified row
$Global:MatchIPObject = $capture | where-object {$_ -match $IP_String} ;
# text match: the same pattern via Select-String, giving MatchInfo objects with line numbers
$Global:MatchIPString = Select-String $IP_String $file -AllMatches}
} #end function

$MatchIPObject[0..10] | ft

DateTime SrcIP SrcPort DstIP DstPort WindowSize
-------- ----- ------- ----- ------- ----------
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 16384
2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4140
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 16560
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 16560
2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4140
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 15753
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 15753
2007-07-16 13:59:52 68.26.116.175 1170 66.133.124.56 443 16384
2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4229
2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4229
2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 15753


$MatchIPString[0..10]

128830930248593750:7:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16384
128830930248593750:9:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4140
128830930248593750:10:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16560
128830930248593750:11:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16560
128830930248593750:12:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4140
128830930248593750:13:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753
128830930248593750:14:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753
128830930248593750:15:2007-07-16 13:59:52,68.26.116.175,1170,66.133.124.56,443,16384
128830930248593750:16:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4229
128830930248593750:17:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4229
128830930248593750:18:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753


$MatchIPObject[0..10] | gm


TypeName: System.Management.Automation.PSCustomObject

Name MemberType Definition
---- ---------- ----------
Equals Method System.Boolean Equals(Object obj)
GetHashCode Method System.Int32 GetHashCode()
GetType Method System.Type GetType()
ToString Method System.String ToString()
DateTime NoteProperty System.String DateTime=2007-07-16 13:59:52
DstIP NoteProperty System.String DstIP=66.133.124.56
DstPort NoteProperty System.String DstPort=443
SrcIP NoteProperty System.String SrcIP=68.26.116.175
SrcPort NoteProperty System.String SrcPort=1169
WindowSize NoteProperty System.String WindowSize=16384


$MatchIPString[0..10] | gm


TypeName: Microsoft.PowerShell.Commands.MatchInfo

Name MemberType Definition
---- ---------- ----------
Equals Method System.Boolean Equals(Object obj)
GetHashCode Method System.Int32 GetHashCode()
GetType Method System.Type GetType()
ToString Method System.String ToString(), System.String ToString(String directory)
Context Property Microsoft.PowerShell.Commands.MatchInfoContext Context {get;set;}
Filename Property System.String Filename {get;}
IgnoreCase Property System.Boolean IgnoreCase {get;set;}
Line Property System.String Line {get;set;}
LineNumber Property System.Int32 LineNumber {get;set;}
Matches Property System.Text.RegularExpressions.Match[] Matches {get;set;}
Path Property System.String Path {get;set;}
Pattern Property System.String Pattern {get;set;}
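As an added example (not code from the original post), the same import-and-analyze step with typed fields, an exact-address filter instead of the regex match, and a per-flow summary; the CSV rows are constructed stand-ins for logparser output and the function names are mine.

```powershell
# Added example, not code from the original post. Assumes the six CSV columns that
# the post's Search-IP asks logparser for, with -headers OFF (no header row).
# Constructed sample rows standing in for logparser output from a .cap file:
$sampleCsv = @"
2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16384
2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4140
2007-07-16 13:59:53,68.26.116.175,1169,66.133.124.56,443,16560
2007-07-16 13:59:53,68.26.116.175,1171,66.133.124.5,80,65535
"@

function ConvertFrom-NetmonCsv {
    # Import-Csv leaves every field a System.String (see the gm output above), so
    # Sort/Measure on ports or WindowSize compare text. Convert the numeric fields.
    param([string[]]$Lines)
    $header = "DateTime","SrcIP","SrcPort","DstIP","DstPort","WindowSize"
    $Lines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv -Header $header | ForEach-Object {
        New-Object PSObject -Property @{
            DateTime   = [DateTime]::ParseExact($_.DateTime, 'yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
            SrcIP      = $_.SrcIP;  SrcPort = [int]$_.SrcPort
            DstIP      = $_.DstIP;  DstPort = [int]$_.DstPort
            WindowSize = [int]$_.WindowSize
        }
    }
}

function Search-IPExact {
    # The post's {$_ -match $IP_String} treats the address as a regex over the whole
    # stringified row, so "66.133.124.5" also matches 66.133.124.56 (dot = any char).
    # Compare the address fields directly to avoid those false hits.
    param($Packets, [string]$IP)
    $Packets | Where-Object { $_.SrcIP -eq $IP -or $_.DstIP -eq $IP }
}

function Get-FlowSummary {
    # One row per (SrcIP, SrcPort, DstIP, DstPort) with packet count and WindowSize stats.
    param($Packets)
    $Packets | Group-Object SrcIP, SrcPort, DstIP, DstPort | ForEach-Object {
        $m = $_.Group | Measure-Object WindowSize -Minimum -Maximum -Average
        New-Object PSObject -Property @{
            Flow = $_.Name; Packets = $_.Count
            MinWindow = $m.Minimum; MaxWindow = $m.Maximum; AvgWindow = [int]$m.Average
        }
    } | Sort-Object Packets -Descending
}

$capture = ConvertFrom-NetmonCsv ($sampleCsv -split "`r?`n")
# exact match returns only the 66.133.124.5:80 row, not the 66.133.124.56 rows
Search-IPExact $capture '66.133.124.5' | Format-Table DateTime,SrcIP,SrcPort,DstIP,DstPort,WindowSize -AutoSize
Get-FlowSummary $capture | Format-Table Flow,Packets,MinWindow,MaxWindow,AvgWindow -AutoSize
```

To run it against real data, replace `$sampleCsv -split` with `Get-Content $file` on the temp file that Search-IP writes.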
