![]() ![]() Putting it togetherĪll we need to do now is pipe tshark into our function. Some traffic such as ICMP won’t have port numbers, so we set those ports to $null. This is accomplished by the two long if/elseif/else lines. I wanted to combine these 4 properties into 2 protocol independent source and destination port properties. Tshark puts TCP and UDP port numbers in different fields prefixed by the protocol ( tcp_ and udp_). If this object is empty we know we’re not processing packet data and the function essentially ends there as the if statement that contains the rest of our logic evaluates the condition to false. ![]() We can see from the tshark json output this is where all relevant data is. ![]() We first convert the layers property to a PowerShell object. I won’t break down the function too much as it’s mostly self explanatory, but there are a few things worth noting. Write-Output $Packet | Select Protocol, SrcIP, SrcPort, DstIP, DstPort PS C:\> & 'C:\Program Files\Wireshark\tshark.exe' -n -l -T ek All formats are documented in the linked docs, but we’re going to be using ek which is for newline delimited JSON. The -T option needs to be followed by an output format. -T: Set the format of the output when viewing decoded packet data.-l: Flush the standard output after the information for each packet is printed.-n: Disable network object name resolution (such as hostname, TCP and UDP port names).The first few we’re going to be interested in are as follows The full list of options can be found here. Let’s have a look at some command line options. While we could probably write a parser for this in PowerShell, it’s not the best option. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |