packet capture to CSV
I'm not sure if this is a Wireshark or a PowerShell question, but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but run in the function I'm missing the frame property.
frame : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on ...
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source : 75.98.70.71
Destination : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com, Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING...
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA OSer,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-...
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSAUSERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=N...
CertExpires2 : 20-05-30 10:48:38
It's very odd that the frame column is missing. Any thoughts?
$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10

Function GetCertsFromWireSharkPackets4 ($CERTTEXT, $srch="^frame: \d+|^frame \d+:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Session ID:|CommonName:|Certificate:|Cipher Suite:|CertExpires:|Source Port:|Destination Port:", $fltr1='Certificate=') {
    # Normalise "Frame 8717:" to "frame: 8717" and ALWAYS append a terminating "frame: 00" sentinel.
    # The frame regex below uses a lookahead for the NEXT frame header, so without the sentinel the
    # last frame of the capture is never matched (this is what made the frame property go missing).
    $text   = (($certtext + "`nframe: 00") -replace "(?sim)Frame",'frame' -replace "frame (\d+)\:", 'frame: $1') -join "`n"
    $frames = [regex]::matches($text, "(?sim)^frame \d+:.*?(?=^frame \d+:)|(?sim)^frame: \d+.*?(?=^frame: \d+)").value
    foreach( $FramesWithCerts in ($frames |?{$_ -match "Certificate:"}) ){
        # Frame-level properties: everything before the first "Certificate:", filtered by $srch
        $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
        $frameNumber = ("frameNumber: "+[regex]::match($Props,"(?sim)(?<=frame: ).*?(?= )").value +"`n")
        $ArrivalTime = ("Arrival Time: "+(get-date ([regex]::match($Props,"(?sim)(?<=Arrival Time: ).*?(?=$)").value).substring(0,30) -f "MM/dd/yyyy HH:mm:ss.fffffff") +"`n").trim()
        $Props = $frameNumber + $Props -replace "Arrival Time: .+", $ArrivalTime
        # Per-certificate properties; the trailing "Certificate: " sentinel lets the lookahead find the last cert
        $x_Certs = 0
        foreach( $Cert in [regex]::matches( ($FramesWithCerts +"`nCertificate: "), "(?sim)Certificate:.*?(?=Certificate:)").value ){
            $CommonName  = "`nCommonName: " + [regex]::match($Cert.split(10)[0], "(?sim)(?<=Certificate:.*?commonName=).*?(?=[,\)])").value
            $CertExpires = "`nCertExpires: " + ([regex]::match($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim() -replace "(.*?)-(.*?) (.*)", '$2-20$1 $3' -replace '-', '/')
            $CC = ( ($CommonName + "`n" + $Cert.split(10)[0] + $CertExpires ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") -replace "CommonName:",("CommonName"+($x_Certs)+":") ).trim() -join "`n"
            $Props += ("`n"+$CC) ; $x_Certs += 1
        }
        # Build the object straight from the "name: value" lines. A name repeated on consecutive lines
        # (e.g. two Source: lines) gets a numeric suffix. An [ordered] hashtable keeps property order, so no
        # explicit select is needed, and nothing parsed out of the packet (certificate subject text is
        # chosen by the remote peer) is ever handed to Invoke-Expression.
        $x=1; $last=''; $obj=[ordered]@{}
        foreach( $L in $Props.split(10) ){
            $name,$val = $L -split ':\s*', 2
            if(-not $name){ continue }
            if($name -eq $last){ $name = $name + $x++ } else { $last=$name ; $x=1 }
            $obj[$name] = "$val".trim()
        }
        [pscustomobject]$obj
    }
}

# Export-Csv takes its column set from the first object it receives
GetCertsFromWireSharkPackets4 $CERTTEXT | Export-Csv -Path .\certs.csv -NoTypeInformation
I did fix the issue. I couldn't find the last frame, nor the last cert, without adding an ending to the end of the large strings, i.e. frame: 0 and Certificate:. I was able to add several properties and don't need to explicitly declare them in my final select for property order.
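An added example, not the poster's script, showing the same extraction done by splitting at each frame header rather than looking ahead for the next one, so the last frame and the last certificate are found with no frame: 0 / Certificate: sentinels, and objects are built from an [ordered] hashtable instead of Invoke-Expression. The tshark -V text is a constructed sample in the shape shown above, and ConvertFrom-TsharkVerbose is a name chosen for this example.

```powershell
# Constructed sample of tshark -V output (one frame, so it is also the "last" frame).
$sample = @'
Frame 8717: 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on interface 0
    Arrival Time: Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
    Source: 00:11:22:33:44:55
    Source: 75.98.70.71
    Destination: 12.8.3.256
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Certificate: 308207b1... (id-at-commonName=bea4.cnn.com,id-at-organizationName=TURNER)
        validity
            notBefore: utcTime (0)
                utcTime: 20-01-07 00:00:00 (UTC)
            notAfter: utcTime (0)
                utcTime: 21-01-06 23:59:59 (UTC)
    Certificate: 30820619... (id-at-commonName=Sectigo RSA OSer,id-at-organizationName=Sectigo Limited)
            notAfter: utcTime (0)
                utcTime: 30-12-31 23:59:59 (UTC)
'@ -split "`n"

function ConvertFrom-TsharkVerbose {
    param([Parameter(Mandatory)][string[]]$Lines)   # the line array tshark.exe ... -V returns
    $text = ($Lines -join "`n") -replace "`r", ''
    # Split at every "Frame N:" line; nothing has to follow the last frame for it to be found.
    $frames = $text -split '(?m)^(?=Frame \d+:)' | Where-Object { $_ -match '^Frame' }
    foreach ($f in $frames) {
        if ($f -notmatch '(?m)^\s*Certificate:') { continue }    # same filter as the original script
        $ip = '(\d{1,3}(?:\.\d{1,3}){3})'                          # skips the Ethernet "Source: aa:bb:..." line
        $row = [ordered]@{
            Frame       = [regex]::Match($f, '^Frame (\d+):').Groups[1].Value
            ArrivalTime = [regex]::Match($f, '(?m)^\s*Arrival Time: (.+)$').Groups[1].Value.Trim()
            Source      = [regex]::Match($f, "(?m)^\s*Source: $ip").Groups[1].Value
            Destination = [regex]::Match($f, "(?m)^\s*Destination: $ip").Groups[1].Value
            CipherSuite = [regex]::Match($f, '(?m)^\s*Cipher Suite: (.+)$').Groups[1].Value.Trim()
        }
        $i = 0
        # Each "Certificate:" line opens a chunk that runs to the next one or to the end of the frame.
        foreach ($c in ($f -split '(?m)^(?=\s*Certificate:)' | Select-Object -Skip 1)) {
            $row["CommonName$i"]  = [regex]::Match($c, 'id-at-commonName=([^,\)]+)').Groups[1].Value
            $row["CertExpires$i"] = [regex]::Match($c, '(?s)notAfter.*?utcTime: (\S+ \S+)').Groups[1].Value
            $i++
        }
        # Values are never evaluated as PowerShell code, so subject text chosen by the peer stays data.
        [pscustomobject]$row
    }
}

ConvertFrom-TsharkVerbose $sample | ConvertTo-Csv -NoTypeInformation
# Real capture: ConvertFrom-TsharkVerbose $CERTTEXT | Export-Csv -Path .\certs.csv -NoTypeInformation
```

Export-Csv and ConvertTo-Csv take their columns from the first object, so a frame carrying more certificates than the first one loses its extra CommonNameN/CertExpiresN columns unless you pad every row to the same property set.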