I'm traing to start 2 remote packet captures at same time on a winServer2016 with two nics, with tshark 3.4.5 and powershell 7.2.1.
The problem is that I can't found the correct sintax to pass variables to tshark...
$ScriptPath = "E:\CC12\Scripts\TShark"
$dateForDirLogs = (Get-Date).ToString('yyyy-MM-dd-HH')
$dateForLogs = (Get-Date).ToString('yyyy-MM-dd-HH.mm')
$logDir = "$ScriptPath\Logs"
$MyServer = "SRV1"
$LogFile = "$logDir\$($MyServer)_$($dateForLogs).txt"
$MySession = New-PSSession $MyServer -ConfigurationName PowerShell.7.2.1
Invoke-Command -Session $MySession -ScriptBlock {
$CptPathName = "E:\Captures\$using:dateForDirLogs"
$JobLogFile = "$CptPathName\RmJobsLog.txt"
$HName = $using:MyServer
$CptFilePub = "$CptPathName\$($HName)_PUB_$using:dateForLogs.pcapng"
$CptFilePri = "$CptPathName\$($HName)_PRI_$using:dateForLogs.pcapng"
$TsharkBin = "C:\Program Files\Wireshark\tshark.exe"
[string]$NicPub = & $TsharkBin -D | Select-String "Public"
$ifNumPub = $NicPub.Split("\")[0]
$NicPub = $NicPub.Replace($ifNumPub,'')
$NicPub = $NicPub.Replace(' (Public)','')
[string]$NicPri = & $TsharkBin -D | Select-String "Private"
$ifNumPri = $NicPri.Split("\")[0]
$NicPri = $NicPri.Replace($ifNumPri,'')
$NicPri = $NicPri.Replace(' (Private)','')
$FilterPub = "dst net 10.49.94.0/24"
$FilterTimePub = 300
$FilterSizePub = 307200
$FilterPri = "dst net 10.56.128.0/25"
$FilterTimePri = 300
$FilterSizePri = 307200
# echo variables
$CptPathName
$JobLogFile
$HName
$CptFilePub
$CptFilePri
$NicPub
$NicPri
$FilterPub
$FilterPri
$CptCMDs = @(
"-i $NicPub -f $FilterPub -a duration:$FilterTimePub -w $CptFilePub"
"-i $NicPri -f $FilterPri -a duration:$FilterTimePri -w $CptFilePri"
)
$CptCMDs | ForEach-Object -Parallel {
$TsharkBin = "C:\Program Files\Wireshark\tshark.exe"
& $TsharkBin $_
} -ThrottleLimit 2
}
I've tried to quoting the "qoutes" like that, but doesn't works:
$NicPub = "`"$NicPub`""
Seems that tshark reads the $CptCMDs
as a single parameter the interface name! Seems skips its commands switch...
This is the output, if I ran the script interactively:
E:\Captures\2022-09-16-15
E:\Captures\2022-09-16-15\RmJobsLog.txt
SRV1
E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng
E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng
"\Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F}"
"\Device\NPF_Loopback"
dst net 10.49.94.0/24
dst net 10.56.128.0/25
Capturing on ' \Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F} -f dst net 10.49.94.0/24 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng'
Capturing on ' \Device\NPF_{34234H86-5488-5546-212C-57867G57FR2Y} -f dst net 10.56.128.0/25 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng'
tshark: The capture session could not be initiated on interface ' \Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F} -f dst net 10.49.94.0/24) -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng' (Error opening adapter: The filename, directory name, or volume label syntax is incorrect. (123)).
Please check that you have the proper interface or pipe specified.
0 packets captured
tshark: The capture session could not be initiated on interface ' \Device\NPF_{34234H86-5488-5546-212C-57867G57FR2Y} -f dst net 10.56.128.0/25 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng' (Error opening adapter: The filename, directory name, or volume label syntax is incorrect. (123)).
Please check that you have the proper interface or pipe specified.
0 packets capture
Can Anyone help me?
CodePudding user response:
Somehow the arguments would have to be split into a list like:
$list1 = 1,2,3
$list2 = 4,5,6
$prog = 'echoargs'
$list1,$list2 | % { & $prog $_ }
Arg 0 is <1>
Arg 1 is <2>
Arg 2 is <3>
Arg 0 is <4>
Arg 1 is <5>
Arg 2 is <6>
Try it this way:
$list1 = '-i',$NicPub,'-f',$FilterPub,'-a',"duration:$FilterTimePub",'-w',$CptFilePub
$list2 = '-i',$NicPri,'-f',$FilterPri,'-a',"duration:$FilterTimePri",'-w',$CptFilePri
$CptCMDs = $list1,$list2
$CptCMDs | ForEach-Object -Parallel {
# ...