Ask Your Question
0

packet capture to CSV

asked 2020-04-03 14:29:43 +0000

KirtCaron gravatar image

updated 2020-04-12 21:46:11 +0000

I'm not sure if this is a wireshark or a powershell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but ran in the function I'm missing the frame property.

frame        : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on ...
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source       : 75.98.70.71
Destination  : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com, Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING...
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA OSer,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-...
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSAUSERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=N...
CertExpires2 : 20-05-30 10:48:38

It's very odd that the frame column is missing. Any thoughts?

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10
Function GetCertsFromWireSharkPackets4 ($CERTTEXT,$srch="^frame: \d+|^frame \d+:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Session ID:|CommonName:|Certificate:|Cipher Suite:|CertExpires:|Source Port:|Destination Port:", $fltr1='Certificate=') {
$frames = [regex]::matches( (($certtext -replace "(?sim)Frame",'frame' -replace "frame (\d+)\:", 'frame: $1') -join "`n"), "(?sim)^frame \d+:.*?(?=^frame \d+:)|(?sim)^frame: \d+.*?(?=^frame: \d+)").value -replace '(^.*?):(.*)', '$1:$2'  #-replace '(.*?):(.*)', '$1=$2'
if(!$frames){ $frames = [regex]::matches(((($certtext+"`nframe: 00") -replace "(?sim)Frame",'frame' -replace "frame (\d+)\:", 'frame: $1') -join "`n"), "(?sim)^frame \d+:.*?(?=^frame \d+:)|(?sim)^frame: \d+.*?(?=^frame: \d+)").value -replace '(^.*?):(.*)', '$1:$2' }  #-replace '(.*?):(.*)', '$1=$2' 
foreach( $FramesWithCerts in ($Frames |?{$_ -match "Certificate:"}) ){
  $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
  $frameNumber = ("frameNumber: "+[regex]::match($Props,"(?sim)(?<=frame: ).*?(?= )").value +"`n")
  $ArrivalTime = ("Arrival Time: "+(get-date ([regex]::match($Props,"(?sim)(?<=Arrival Time: ).*?(?=$)").value).substring(0,30) -f "MM/dd/yyyy HH:mm:ss.fffffff") +"`n").trim()
  $Props = $frameNumber + $Props -replace "Arrival Time: .+", $ArrivalTime
  $x_Certs = 0
  foreach( $Cert in [regex]::matches( ($FramesWithCerts +"`nCertificate: "), "(?sim)Certificate:.*?(?=Certificate:)").value ){
    $CommonName = "`nCommonName: " + [regex]::match($Cert.split(10)[0], "(?sim)(?<=Certificate:.*?commonName=).*?(?=[,\)])").value
    $CertExpires = "`nCertExpires: " + ([regex]::match($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim() -replace "(.*?)-(.*?) (.*)", '$2-20$1 $3' -replace '-', '/')
    $CC = ( ($CommonName + "`n" + $Cert.split(10)[0] + $CertExpires ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") -replace "CommonName:",("CommonName"+($x_Certs)+":") ).trim() -join "`n"
    $Props += ("`n"+$CC) ; $x_Certs += 1
  }
$x=1; $last ='';
$ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' |%{ $L=$_;$A=[regex]::match($_,"(?<=^).*?(?=\=)").value ; if($A -eq $last){'"'+($A+$X++)+'"="'+[regex]::matches($L,"(?<=\=).*?(?=$)").value.trim()+'"'} else {$last=$A ; $x=1 ; '"'+$L.replace('= ','"="')+'"'} }).trim() -join "`n"
$ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}" ; $SelectProps = ($ValidP_V.split(10)|%{$_.split('=')[0]}) -join ','
$O=Invoke-Expression($ExpText) ; $SelectExp = ('$O | select '+$SelectProps) ; Invoke-Expression($SelectExp)
$props = ''
}}
edit retag flag offensive close merge delete

Comments

I did fix the issue. I couldn't find the last frame, nor last cert without adding an ending to the send of the large strings. ie frame: 0 and Certificate: I was able to add several properties and don't need to explictly declare them in my final select for property order.

KirtCaron gravatar imageKirtCaron ( 2020-04-12 21:48:35 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-05 10:54:46 +0000

grahamb gravatar image

updated 2020-04-05 10:57:15 +0000

That looks a bit ... ugly, so I set out to improve it and ran into a surprising number of PowerShell issues:

  1. There's no easy method to convert a hex string to a byte array So we need a helper function, e.g. Convert-HexToByte from https://www.powershellgallery.com/pac....
  2. Constructing an X509Certificate2 object with a byte array is tricky, hence the complicated argument list.

Here's my PowerShell:

# Using tshark, extract the certificate(s) to an array of hex strings.  Note the display filter to select frames with a cert and the fields specifier to only output those fields and all occurrences of the field in the frame separated by a comma.  The string "split" method is used to chop the output into an array of hex strings:

$h = (tshark -r input.pcapng -Y tls.handshake.certificate -T fields -e tls.handshake.certificate -E occurrence=a -E "separator=,").split(",")

# Create new X509Certificate2 objects from the hex strings

$c = $h | ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$(Convert-HexToByte $_)) }

# Display the certs

$c
edit flag offensive delete link more

Comments

I like it. Didn't know you could reconstruct all details from the HEX string. I'll play around with that. I didn't think it gave a complete hex string.

KirtCaron gravatar imageKirtCaron ( 2020-04-12 21:44:03 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-03 14:29:43 +0000

Seen: 83 times

Last updated: Apr 12