Tshark captures on remote server with foreach -parallel loop on powershell

Time:09-18

I'm trying to start 2 remote packet captures at the same time on a winServer2016 with two NICs, with tshark 3.4.5 and powershell 7.2.1.

The problem is that I can't find the correct syntax to pass variables to tshark...

$ScriptPath = "E:\CC12\Scripts\TShark"
$dateForDirLogs = (Get-Date).ToString('yyyy-MM-dd-HH')
$dateForLogs = (Get-Date).ToString('yyyy-MM-dd-HH.mm')
$logDir = "$ScriptPath\Logs"

$MyServer = "SRV1"
$LogFile = "$logDir\$($MyServer)_$($dateForLogs).txt"

$MySession = New-PSSession $MyServer -ConfigurationName PowerShell.7.2.1
Invoke-Command -Session $MySession -ScriptBlock {
        $CptPathName = "E:\Captures\$using:dateForDirLogs"
        $JobLogFile = "$CptPathName\RmJobsLog.txt"
        $HName = $using:MyServer
        $CptFilePub = "$CptPathName\$($HName)_PUB_$using:dateForLogs.pcapng"
        $CptFilePri = "$CptPathName\$($HName)_PRI_$using:dateForLogs.pcapng"
        $TsharkBin = "C:\Program Files\Wireshark\tshark.exe"
        [string]$NicPub = & $TsharkBin -D | Select-String "Public"
        $ifNumPub = $NicPub.Split("\")[0]
        $NicPub = $NicPub.Replace($ifNumPub,'')
        $NicPub = $NicPub.Replace(' (Public)','')
        [string]$NicPri = & $TsharkBin -D | Select-String "Private"
        $ifNumPri = $NicPri.Split("\")[0]
        $NicPri = $NicPri.Replace($ifNumPri,'')
        $NicPri = $NicPri.Replace(' (Private)','')
        $FilterPub = "dst net 10.49.94.0/24"
        $FilterTimePub = 300
        $FilterSizePub = 307200
        $FilterPri = "dst net 10.56.128.0/25"
        $FilterTimePri = 300
        $FilterSizePri = 307200
        # echo variables
        $CptPathName
        $JobLogFile
        $HName
        $CptFilePub
        $CptFilePri
        $NicPub
        $NicPri
        $FilterPub
        $FilterPri
        
        $CptCMDs = @(
        "-i $NicPub -f $FilterPub -a duration:$FilterTimePub -w $CptFilePub"
        "-i $NicPri -f $FilterPri -a duration:$FilterTimePri -w $CptFilePri"
        )
        
        $CptCMDs | ForEach-Object -Parallel {
            $TsharkBin = "C:\Program Files\Wireshark\tshark.exe"
            & $TsharkBin $_
            } -ThrottleLimit 2
            
}

I've tried quoting the "quotes" like this, but it doesn't work:

$NicPub = "`"$NicPub`""

It seems that tshark reads $CptCMDs as a single parameter, the interface name! It seems to skip its command switches...

This is the output if I run the script interactively:

E:\Captures\2022-09-16-15
E:\Captures\2022-09-16-15\RmJobsLog.txt
SRV1
E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng
E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng
"\Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F}"
"\Device\NPF_Loopback"
dst net 10.49.94.0/24
dst net 10.56.128.0/25
Capturing on ' \Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F} -f dst net 10.49.94.0/24 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng'
Capturing on ' \Device\NPF_{34234H86-5488-5546-212C-57867G57FR2Y} -f dst net 10.56.128.0/25 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng'
tshark: The capture session could not be initiated on interface ' \Device\NPF_{3578AB86-0318-4116-818C-87BC171F2B6F} -f dst net 10.49.94.0/24) -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PUB_2022-09-16-15.06.pcapng' (Error opening adapter: The filename, directory name, or volume label syntax is incorrect.  (123)).
Please check that you have the proper interface or pipe specified.
0 packets captured
tshark: The capture session could not be initiated on interface ' \Device\NPF_{34234H86-5488-5546-212C-57867G57FR2Y} -f dst net 10.56.128.0/25 -a duration:300 -w E:\Captures\2022-09-16-15\SRV1_PRI_2022-09-16-15.06.pcapng' (Error opening adapter: The filename, directory name, or volume label syntax is incorrect.  (123)).
Please check that you have the proper interface or pipe specified.
0 packets capture

Can anyone help me?

CodePudding user response:

Somehow the arguments would have to be split into a list like:

$list1 = 1,2,3
$list2 = 4,5,6
$prog = 'echoargs'
$list1,$list2 | % { & $prog $_ } 


Arg 0 is <1>
Arg 1 is <2>
Arg 2 is <3>

Arg 0 is <4>
Arg 1 is <5>
Arg 2 is <6>

Try it this way:

$list1 = '-i',$NicPub,'-f',$FilterPub,'-a',"duration:$FilterTimePub",'-w',$CptFilePub
$list2 = '-i',$NicPri,'-f',$FilterPri,'-a',"duration:$FilterTimePri",'-w',$CptFilePri
$CptCMDs = $list1,$list2
$CptCMDs | ForEach-Object -Parallel {
# ...
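Worked example of the approach the answer recommends, added here as an illustration and not code from the question or the answer above: each capture gets its own argument array, PowerShell passes every array element to tshark.exe as a separate argv entry, and the two arrays are fed through ForEach-Object -Parallel. The interface lookup parses `tshark -D` with a regex instead of Split/Replace, the capture directory is created before tshark is started, and each job returns its exit code so a failed adapter open is visible to the caller. Assumed: the Wireshark install path, the "(Public)"/"(Private)" interface labels, the E:\Captures layout and the subnets, all taken from the question; the `-a filesize:` autostop condition is used for the otherwise unused 307200 size value. The script runs locally on the capture host; inside an Invoke-Command script block the same code works once the outer variables are referenced with `$using:`.

```powershell
# Added example (not from the original post): one argument array per capture,
# handed to tshark.exe as separate arguments, run in parallel.
$TsharkBin   = 'C:\Program Files\Wireshark\tshark.exe'            # assumed install path
$CptPathName = "E:\Captures\$((Get-Date).ToString('yyyy-MM-dd-HH'))"
$Stamp       = (Get-Date).ToString('yyyy-MM-dd-HH.mm')
$HName       = $env:COMPUTERNAME

# tshark refuses to write into a directory that does not exist yet.
New-Item -ItemType Directory -Path $CptPathName -Force | Out-Null

# Resolve a friendly label ("Public") to its NPF device name by parsing
# `tshark -D` lines of the form "1. \Device\NPF_{GUID} (Public)".
function Get-TsharkInterface {
    param([Parameter(Mandatory)][string]$Label)
    $pattern = '\(' + [regex]::Escape($Label) + '\)\s*$'
    $line = & $TsharkBin -D | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw "No tshark interface labelled '$Label' found" }
    if ($line -match '^\d+\.\s+(?<dev>\S+)\s+\(') { return $Matches.dev }
    throw "Unexpected tshark -D line: $line"
}

# Capture definitions (subnets and file naming taken from the question).
$captures = @(
    @{ Label = 'Public';  Net = '10.49.94.0/24';  File = "$CptPathName\${HName}_PUB_$Stamp.pcapng" },
    @{ Label = 'Private'; Net = '10.56.128.0/25'; File = "$CptPathName\${HName}_PRI_$Stamp.pcapng" }
)

# Build one argument array per capture. The leading comma keeps each inner
# array intact when the foreach output is collected, so $argLists is an
# array of arrays rather than one flat list. Because every switch and value
# is its own element, the capture filter may contain spaces without quoting.
$argLists = foreach ($c in $captures) {
    ,@('-i', (Get-TsharkInterface $c.Label),
       '-f', "dst net $($c.Net)",
       '-a', 'duration:300',
       '-a', 'filesize:307200',
       '-w', $c.File)
}

# The pipeline unrolls $argLists one level, so each job receives a whole
# argument array in $_. Variables from the outer scope must be pulled in
# with $using: inside a -Parallel block.
$results = $argLists | ForEach-Object -Parallel {
    $bin = $using:TsharkBin
    $out = & $bin $_ 2>&1          # tshark writes "Capturing on ..." to stderr
    [pscustomobject]@{
        Interface = $_[1]
        OutFile   = $_[-1]
        ExitCode  = $LASTEXITCODE
        Output    = ($out -join "`n")
    }
} -ThrottleLimit 2

# Surface per-interface success or failure instead of silently losing it.
$results | Format-List Interface, OutFile, ExitCode, Output
```

The key difference from the question's version is that `-i`, the device name, `-f`, the filter and so on are separate array elements; `& $bin $_` then expands that array into distinct arguments, whereas a single interpolated string arrives at tshark as one argument, which is exactly the "Capturing on ' \Device\... -f dst net ...'" message the question shows. Checking `$LASTEXITCODE` per job also makes a failed adapter open visible in the returned objects rather than only in interleaved console output.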