Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients.
The star of the show is netsh trace, which is built into Windows. If we wanted to capture for 90 seconds, start the trace, wait 90 seconds, and stop it the syntax would be:
Note there are 3 lines (the first may wrap depending on windows size)
Like Wireshark, you need to specify what interface you want to capture traffic from. In the example above 192.168.1.167 is the active interface I want to capture. But what if I want to use this for automation and won’t know in advance what the active IP address will be?
We can grab the local IPv4 address and save it as a variable.
That’s it. We’re now able to collect a packet capture on Windows hosts without adding any additional tools. We can then take those collections and convert them with ease to everyone’s favorite packet analyzer.
I’ve combined everything above into QuickPcap.ps1 available on my GitHub site.
In this case the capture and conversion are running as one contiguous process, but it’s easy to imagine them as separate automation elements being handled through scripting by different processes. After all, we all build our Lego’s differently, don’t we?