Basic PS script to perform a Network Capture (packet sniffing)

Hello all, here is Daniel Mauser again, and today I'm going to show you how to leverage network capture traces using native PowerShell cmdlets. Before that, as a quick recap, let me point you to a great article from Hey, Scripting Guy! that shows how to get a network capture using PowerShell (Packet Sniffing with PowerShell: Getting Started). In that article he demonstrates using relevant network providers such as Microsoft-Windows-TCPIP, but the resulting capture does not look the same as a capture taken with netsh trace start capture=yes.

Is there any way to do it via PowerShell?

The short answer is yes. We developed a very basic script demonstrating how to do that. The tricky part is getting the right ETW provider, which is Microsoft-Windows-NDIS-PacketCapture; more details to come.

We will go step by step through saving a network capture to an ETL file, with the bonus of adding a timestamp and a circular maximum file size of 512 MB:

Define the timestamp variable
This is going to be appended to the name of the output ETL capture file.

PS C:\> $timestamp = Get-Date -f yyyy-MM-dd_HH-mm-ss

Note: the PS commands listed below work with Windows 8.1 / Windows Server 2012 R2 and earlier Windows versions.

Create a new session (Session1)
Now let's define the new capture session, adding the computer name and timestamp to the ETL file being created:

PS C:\> New-NetEventSession -Name Session1 -LocalFilePath c:\$env:computername-netcap-$timestamp.etl -MaxFileSize 512

Name               : Session1
CaptureMode        : SaveToFile
LocalFilePath      : c:\W10LAB-netcap-2017-04-26_19-45-17.etl
MaxFileSize        : 512 MB
TraceBufferSize    : 0 KB
MaxNumberOfBuffers : 0
SessionStatus      : NotRunning

Add the provider
In this case it is necessary to add the GUID associated with the provider "Microsoft-Windows-NDIS-PacketCapture", or simply use Add-NetEventPacketCaptureProvider:

PS C:\> Add-NetEventPacketCaptureProvider -SessionName Session1

Starting a Network Capture Session
Now it is time to start the network capture by running:

PS C:\> Start-NetEventSession -Name Session1

Check the status of the capture
Ensure the capture is running with the command below and check the last output line, named SessionStatus:

PS C:\> Get-NetEventSession

Name               : Session1
CaptureMode        : SaveToFile
LocalFilePath      : c:\W10LAB-netcap-2017-04-26_19-45-17.etl
MaxFileSize        : 512 MB
TraceBufferSize    : 64 KB
MaxNumberOfBuffers : 30
SessionStatus      : Running

Stop the capture
After your capture has run for some time, stop it by running:

PS C:\> Stop-NetEventSession -Name Session1

Remove the session
Now you can start the whole thing over by removing the session and making other customizations, or when you need to start a new file with a new timestamp:

PS C:\> Remove-NetEventSession -Name Session1

Note: the script has been posted in this GitHub repository (Basic-Net-Capture.ps1) for your reference. Some updates will be incorporated based on feedback.

Final Considerations
We can re-use the same session by starting the capture again with Start-NetEventSession -Name Session1, but keep in mind that we defined the timestamp of the output file in New-NetEventSession. To create a file with a new timestamp, you need to remove Session1 and re-create it. You may find other ways to do that; feel free to post them in the comments below. I hope you learned something new today.
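As an added example that is not part of the original post or its GitHub script, here are the steps above wrapped into two functions (Start-BasicNetCapture and Stop-BasicNetCapture are assumed names) so that a stale session is cleaned up first and every run produces a fresh timestamped, circular ETL file; it assumes an elevated prompt and the NetEventPacketCapture cmdlets.

```powershell
# Added example (not the post's own script). Assumed helper names: Start-BasicNetCapture,
# Stop-BasicNetCapture. Requires an elevated PowerShell and the NetEventPacketCapture module.

function Start-BasicNetCapture {
    param(
        [string]$SessionName   = 'Session1',
        [string]$OutputDir     = 'C:\',
        [int]$MaxFileSizeMB    = 512,
        [int]$BytesPerPacket   = 1500   # the provider truncates frames by default; keep full Ethernet MTU
    )
    # Timestamp in the file name so each capture gets its own ETL instead of overwriting the last one
    $timestamp = Get-Date -Format yyyy-MM-dd_HH-mm-ss
    $etl = Join-Path $OutputDir "$env:COMPUTERNAME-netcap-$timestamp.etl"

    # New-NetEventSession fails if a session with this name already exists, so clean up a stale one
    if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
        Stop-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $SessionName
    }

    # Circular file capped at $MaxFileSizeMB (the post's 512 MB by default)
    New-NetEventSession -Name $SessionName -LocalFilePath $etl -MaxFileSize $MaxFileSizeMB | Out-Null
    # Microsoft-Windows-NDIS-PacketCapture is the provider that yields the netsh-trace-like capture
    Add-NetEventPacketCaptureProvider -SessionName $SessionName -TruncationLength $BytesPerPacket | Out-Null
    Start-NetEventSession -Name $SessionName

    # Same check as "Check the status of the capture": SessionStatus must be Running
    $status = (Get-NetEventSession -Name $SessionName).SessionStatus
    if ($status -ne 'Running') { throw "Session '$SessionName' did not start (status: $status)" }
    return $etl
}

function Stop-BasicNetCapture {
    param([string]$SessionName = 'Session1')
    $session = Get-NetEventSession -Name $SessionName -ErrorAction Stop
    Stop-NetEventSession -Name $SessionName
    # Remove the session so the next Start-BasicNetCapture gets a new timestamped file
    Remove-NetEventSession -Name $SessionName
    return $session.LocalFilePath
}

# Usage: capture for 60 seconds, then stop and report where the ETL was written
$file = Start-BasicNetCapture
Write-Host "Capturing to $file ..."
Start-Sleep -Seconds 60
$done = Stop-BasicNetCapture
Write-Host "Capture saved to $done"
```

The resulting ETL can be opened with the same tools as a netsh trace capture (for example Message Analyzer or conversion with netsh trace convert).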