I’ve posted an updated version of my Get-Packet PowerShell packet sniffer script. It is still completely standalone (it doesn’t require any additional software to run). New features include:
- Added IP Version field
- TCP flags are now stored in an array
- New switch added to resolve IPs to hostnames
- ESC key will cleanly exit the script
- New switch added to generate statistics
.NET includes a method to resolve IPs to hostnames in [System.Net.Dns]::GetHostByName(), but if the lookup fails, there is a 5 second delay that forces the script to pause execution. I instead chose to scrape the output of nslookup, since it returns much more quickly. To further decrease processing time, I cache the results in a hashtable so that multiple calls to nslookup for the same host are not needed.
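Here is an added example of that lookup pattern (my own illustration, not the code from the Get-Packet script): a reverse lookup that scrapes nslookup output and caches the result, including failures, in a script-scoped hashtable. The function name, the `$script:HostCache` variable, and the 2 second nslookup timeout are assumptions; nslookup.exe is assumed to be on the PATH.

```powershell
# Added example, not the Get-Packet script itself: reverse-resolve an IP by
# scraping nslookup output and caching answers so repeat packets from the same
# host never trigger a second lookup. $script:HostCache is a hypothetical name.
$script:HostCache = @{}

function Resolve-CachedHostName {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        # Passed to nslookup so an unreachable resolver cannot stall the trace.
        [int]$TimeoutSeconds = 2
    )

    # Cached answers (including cached failures) are returned immediately.
    if ($script:HostCache.ContainsKey($IPAddress)) {
        return $script:HostCache[$IPAddress]
    }

    # Fall back to the bare IP when the PTR lookup fails.
    $name = $IPAddress
    try {
        # stderr is discarded so a failed lookup does not spill into the output.
        $output = & nslookup.exe "-timeout=$TimeoutSeconds" $IPAddress 2>$null
        foreach ($line in $output) {
            # The resolver header uses "Server:" / "Address:", so the first
            # "Name:" line is the answer to the reverse lookup.
            if ($line -match '^\s*Name:\s+(\S+)') {
                $name = $Matches[1]
                break
            }
        }
    } catch {
        # nslookup missing or failed to start: keep $name as the IP.
    }

    # Cache the result either way so the next packet from this host is free.
    $script:HostCache[$IPAddress] = $name
    return $name
}

# Usage: the second call for the same address is served from the cache.
Resolve-CachedHostName -IPAddress '127.0.0.1'
Resolve-CachedHostName -IPAddress '127.0.0.1'
```

Because failed lookups are cached as the bare IP, a host with no PTR record costs one nslookup call per trace rather than one per packet.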
Using the -Statistics switch will cause the script to generate statistics after the ESC key is pressed to stop the trace. Most of the statistics code was borrowed from Jeffery Hicks’s Analyze-Packet script. A few basic stats are printed to the screen with Write-Host, but the bulk of the data is stored in a global $stats variable that you can access after the script has exited. This isn’t how features would normally be implemented in cmdlets (they would be separate cmdlets), but I figured it would be OK in a script, and I have found the integration to be pretty convenient.
I had looked at adding IPv6 support, but design limitations in Windows prevented me from being able to access the raw IPv6 header. See my earlier blog post for more details. I also looked at adding the ability to save the capture in libpcap format, but I’m not getting the raw IP frame, so the data wouldn’t be as complete as a capture done in something like Wireshark.
Anyway, I hope you enjoy the new features! Let me know in the comments if you would like to see any other features added.
- EDIT: If you’re on Vista, you might need to disable the firewall to see TCP packets. Not sure why yet. :)
- EDIT #2: Found out why. Add powershell.exe as an allowed application. (duh) :)