PowerShell: Capture Network Traces

<#
.SYNOPSIS
Capture Traces with Wireshark in PowerShell

.DESCRIPTION

#############################################################
# #
# Capture network traces in PowerShell #
# Circular tracing #
# #
# #
# #
# (C)Citrix EMEA Escalation Team #
# #
# David Cristobal #
# #
#############################################################

Script to automate tracing with Wireshark from PowerShell, for when the GUI cannot be used

CaptureNetworkTraces.ps1 -FileName <[string]> -WiresharkPath <[string]> -NumberOfFiles <[string]> -FileSize <[string]> -TimeToStart <[string]> -RecheckTime <[string]> -CircularTraces

-FileName <File Name>
Name for the files, If null, will use the computer’s name and the date

-WiresharkPath <Wireshark installation path>
As this script relies on the Wireshark binaries, their path is needed. If Wireshark is installed on a different drive or folder, you can specify it with this parameter

-NumberOfFiles <Number of files>
Number of files to keep. If none is given, 5 will be used

-FileSize
Size of every file in Kb. If none is given, 100Mb (100000 Kb) will be used

-TimeToStart
Time to start tracing in format HHmm (like 2230 for 22:30 or 0845 for 8:45)

-RecheckTime
If a delayed start is set, the interval in seconds between checks of whether the start time has been reached

-CircularTraces
Set traces as circular (ring buffer)

.EXAMPLE
CaptureNetworkTraces.ps1 -FileName Trace001 -NumberOfFiles 4

Capture 4 files named Trace001.pcapng to Trace004.pcapng, 100Mb each (default value)

.EXAMPLE
CaptureNetworkTraces.ps1 -FileName Trace001 -FileSize 10000 -CircularTraces

Capture 5 files (default value) named Trace001.pcapng to Trace005.pcapng, 10Mb each, in circular tracing (until Ctrl+C is pressed)

.EXAMPLE
CaptureNetworkTraces.ps1 -NumberOfFiles 10 -FileSize 10000 -TimeToStart 2230 -RecheckTime 60

Capture 10 files 10Mb each with name ServerDate.pcapng (default), starting the trace at 22:30 and checking it every 60 seconds

#>

## Parameters for the script
# Every parameter is optional; the sanity-check section below fills in the
# defaults for anything that was not supplied on the command line.
param
(
    # Base name of the capture files (".pcapng" is appended later).
    [Parameter(Mandatory = $false)][string]$FileName,
    # Folder holding the Wireshark binaries (tshark.exe).
    [Parameter(Mandatory = $false)][string]$WiresharkPath,
    # How many capture files to keep.
    [Parameter(Mandatory = $false)][string]$NumberOfFiles,
    # Size of each capture file, in Kb.
    [Parameter(Mandatory = $false)][string]$FileSize,
    # Delayed start, as HHmm (hours, minutes).
    [Parameter(Mandatory = $false)][string]$TimeToStart,
    # Seconds between clock checks while waiting for a delayed start.
    [Parameter(Mandatory = $false)][string]$RecheckTime,
    # Capture as a ring buffer instead of stopping after NumberOfFiles files.
    [Parameter(Mandatory = $false)][switch]$CircularTraces
)

#region Variables
# Becomes $true only when a valid -TimeToStart is supplied; the capture
# section polls the clock before starting tshark while this is set.
$Delay = $false
#endregion

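#region Sanity checks

## Check if Filename is provided
# A missing -FileName falls back to "<computername>-<yyyyMMdd-HHmmss>" so
# repeated runs never overwrite each other's captures.
if ([string]::IsNullOrEmpty($FileName))
{
    $FileName = '{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss')
}

# Wireshark expects the .pcapng extension; only append it when it is absent
# so "-FileName Trace001.pcapng" does not become Trace001.pcapng.pcapng.
if ($FileName -notlike '*.pcapng')
{
    $FileName = $FileName + '.pcapng'
}

## Check if Number of files is set
if ([string]::IsNullOrEmpty($NumberOfFiles)) ## If not set, 5 by default
{
    $NumberOfFiles = '5'
}

## Check if Size of files is set
if ([string]::IsNullOrEmpty($FileSize)) ## If not set, 100Mb by default
{
    $FileSize = '100000'
}

# Both values are handed to tshark as "files:<n>" / "filesize:<n>", so they
# must be positive whole numbers; reject anything else here rather than
# letting tshark fail later with a less helpful message.  The values stay
# strings because the summary section divides $FileSize as a string.
if ($NumberOfFiles -notmatch '^[1-9][0-9]*$')
{
    Write-Host "Incorrect number of files: $NumberOfFiles" -ForegroundColor Red
    Write-Host "NumberOfFiles needs to be a positive whole number"
    exit 1
}
if ($FileSize -notmatch '^[1-9][0-9]*$')
{
    Write-Host "Incorrect file size: $FileSize" -ForegroundColor Red
    Write-Host "FileSize needs to be a positive whole number of Kb"
    exit 1
}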

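## Check if time to start is set
# -TimeToStart must be exactly four digits, HHmm, with a valid hour (00-23)
# and minute (00-59).  The previous "< 2400" test let values such as 2275
# through; Get-Date -Format HHmm can never equal those, so the delayed start
# would have waited forever.
if (-not [string]::IsNullOrEmpty($TimeToStart))
{
    $validStart = $false
    if ($TimeToStart -match '^([0-9]{2})([0-9]{2})$')
    {
        $validStart = ([int]$Matches[1] -lt 24) -and ([int]$Matches[2] -lt 60)
    }

    if ($validStart)
    {
        Write-Host ("Delayed start set for {0}:{1}" -f $TimeToStart.Substring(0, 2), $TimeToStart.Substring(2, 2))
        $Delay = $true
        Write-Host "`n"

        ## Check if time to recheck delayed start is set
        # [Helpers]::IsNumeric is not a type that exists in .NET/PowerShell and
        # would have thrown here; a digits-only regex does the same job.  Zero is
        # rejected too, because Start-Sleep 0 would turn the wait into a busy loop.
        if ((-not [string]::IsNullOrEmpty($RecheckTime)) -and ($RecheckTime -match '^[1-9][0-9]*$'))
        {
            Write-Host "Timeout to recheck delayed start set to $RecheckTime seconds"
        }
        else
        {
            Write-Host "Timeout to recheck delayed start not set"
            Write-Host "Default to 1 minute, 60 seconds"
            $RecheckTime = 60
        }
    }
    else
    {
        Write-Host "Incorrect time to start the trace" -ForegroundColor Red
        Write-Host "Time needs to be set as HHmm (Hours,Minutes), hours 00-23 and minutes 00-59"
        Write-Host "`n"
        exit 1
    }
}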

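## Check if Wireshark is installed
if ([string]::IsNullOrEmpty($WiresharkPath)) { $WiresharkPath = 'C:\Program Files\Wireshark' }

# Probe for the binary this script actually runs rather than just the folder:
# an empty or leftover install directory would otherwise pass the check and
# the failure would only surface when tshark is invoked.  Join-Path copes with
# a -WiresharkPath given with or without a trailing backslash.
$TsharkExe = Join-Path -Path $WiresharkPath -ChildPath 'tshark.exe'
if (Test-Path -LiteralPath $TsharkExe -PathType Leaf)
{
    Write-Host "Wireshark found in the machine"
    Write-Host "`n"
}
else
{
    Write-Host "Wireshark is not installed in the machine!!!" -ForegroundColor Red -BackgroundColor Yellow
    Write-Host "If it’s not installed in the default path, use the -WiresharkPath parameter" -ForegroundColor Red -BackgroundColor Yellow
    Write-Host "Stopping script" -ForegroundColor Red -BackgroundColor Yellow
    Write-Host "`n"
    Write-Host "Press Any Key To Exit…."
    cmd /c pause | Out-Null
    # Non-zero so a caller scripting this can tell the failure apart from success.
    exit 1
}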

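# Verification and creation of the tshark Alias
# An exact-name lookup (with errors suppressed) replaces the "tshark*"
# wildcard, which would also have matched unrelated aliases such as
# "tsharkfoo" and then skipped creating ours.  The stray "get-help" that was
# glued onto the blank-line Write-Host has been dropped.
if (Get-Alias -Name tshark -ErrorAction SilentlyContinue)
{
    Write-Host "Tshark alias exists"
    Write-Host "`n"
}
else
{
    Write-Host "Tshark alias doesn’t exist. Creating it…"
    # Join-Path copes with a -WiresharkPath given with or without a trailing backslash.
    New-Alias -Name tshark -Value (Join-Path -Path ([string]$WiresharkPath) -ChildPath 'tshark.exe')
    Write-Host "Tshark alias created"
    Write-Host "`n"
}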

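# Verify if Wireshark path in the Path variable and adding it if needed
# Compare against the individual PATH entries (ignoring a trailing backslash)
# instead of a -like wildcard, so a "[" in the path cannot break the pattern,
# and append the *configured* path: the previous code always appended the
# default "C:\Program Files\Wireshark\" even when -WiresharkPath pointed
# elsewhere, so tshark was still not found on PATH.
$NormalisedWiresharkPath = ([string]$WiresharkPath).TrimEnd('\')
$PathEntries = ($env:Path -split ';') | ForEach-Object { $_.TrimEnd('\') }
if ($PathEntries -contains $NormalisedWiresharkPath)
{
    Write-Host "Wireshark path already in path variable"
    Write-Host "`n"
}
else
{
    Write-Host "Wireshark path not found in Path variable. adding it…"
    $env:Path += ';' + $NormalisedWiresharkPath + '\'
    Write-Host "Wireshark path added"
    Write-Host "`n"
}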

# Check if the trace is circular
# $CircularFlag is consumed by the tshark invocation further down; it is left
# unset when ring-buffer capture was not requested.
if ($CircularTraces) { $CircularFlag = '-b' }

#endregion

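#region Wrap up parameters and show them on screen
# Echo the effective settings so the operator can confirm them before the
# capture starts (Ctrl+C is the only way to stop a ring-buffer capture).
Write-Host "Parameters for the trace" -ForegroundColor DarkRed
Write-Host "========================" -ForegroundColor DarkRed
Write-Host "Filename that will be used: " -ForegroundColor Green -NoNewline
Write-Host $FileName -ForegroundColor Gray
Write-Host "Number of files that will be kept: " -ForegroundColor Green -NoNewline
Write-Host $NumberOfFiles -ForegroundColor Gray
Write-Host "Size of every file: " -ForegroundColor Green -NoNewline
# $FileSize is a string holding Kb; cast before dividing so the value is
# always treated as a number, and build one argument instead of relying on
# a parenthesised expression glued to a string literal.
Write-Host ("{0}Mb" -f ([double]$FileSize / 1000)) -ForegroundColor Gray
Write-Host "Path for Wireshark: " -ForegroundColor Green -NoNewline
Write-Host $WiresharkPath -ForegroundColor Gray
Write-Host "Circular (ring buffer) tracing: " -ForegroundColor Green -NoNewline
Write-Host ([bool]$CircularTraces) -ForegroundColor Gray
if ($Delay)
{
    Write-Host "Delayed start (HHmm): " -ForegroundColor Green -NoNewline
    Write-Host $TimeToStart -ForegroundColor Gray
}
Write-Host "`n"
Write-Host "To stop the trace at any time, press Ctrl + C" -ForegroundColor Red
Write-Host "`n"
#endregion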

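#region Capture traces

## Check delayed start
# Wait for an absolute [datetime] instead of polling until Get-Date -Format
# HHmm matches: with a -RecheckTime longer than 60 seconds the previous loop
# could sleep straight past the target minute and never stop.  If the target
# minute has already fully passed today, the capture starts tomorrow, which
# is what the HHmm comparison implied.
if ($Delay)
{
    $now = Get-Date
    $StartAt = $now.Date.AddHours([int]$TimeToStart.Substring(0, 2)).AddMinutes([int]$TimeToStart.Substring(2, 2))
    if ($StartAt.AddMinutes(1) -le $now)
    {
        $StartAt = $StartAt.AddDays(1)
    }

    while ((Get-Date) -lt $StartAt)
    {
        Write-Host "Time to start tracing not reached yet."
        Write-Host "Actual time" (Get-Date -Format HHmmss)
        Write-Host "Expected time to start:" $StartAt.ToString('yyyy-MM-dd HH:mm')
        # Never sleep past the start time, and never sleep zero seconds.
        $remaining = [int][math]::Ceiling(($StartAt - (Get-Date)).TotalSeconds)
        $nap = [math]::Min([int]$RecheckTime, [math]::Max(1, $remaining))
        Start-Sleep -Seconds $nap
    }
}

## Start tshark with parameters
# Invoke the binary by its full path so the capture does not depend on the
# PATH edit above having taken effect.  "-b filesize" switches to the next
# file once it reaches $FileSize Kb; the file count is a ring-buffer option
# ("-b files") when -CircularTraces is set and an autostop condition
# ("-a files") otherwise.  The previous command line passed "filesize:<n>"
# with no leading option in the non-circular case, which tshark reads as a
# capture filter rather than a file-size limit.
$TsharkExe = Join-Path -Path ([string]$WiresharkPath) -ChildPath 'tshark.exe'
$TsharkArgs = @('-w', $FileName, '-b', "filesize:$FileSize")
if ($CircularTraces)
{
    $TsharkArgs += @('-b', "files:$NumberOfFiles")
}
else
{
    $TsharkArgs += @('-a', "files:$NumberOfFiles")
}

& $TsharkExe @TsharkArgs
if ($LASTEXITCODE -ne 0)
{
    Write-Host "tshark exited with code $LASTEXITCODE" -ForegroundColor Red
    exit $LASTEXITCODE
}

#endregion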