Ask Your Question

Revision history [back]

packet capture to CSV

I'm not sure if this is a wireshark or a powershell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but ran in the function I'm missing the frame property.

frame        : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on interface 0
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source       : 75.98.70.71
Destination  : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com,
               Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING SYST,id-a
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA O
               Ser,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-stateOr
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSA
               USERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=New Jers
CertExpires2 : 20-05-30 10:48:38

It's very odd that the frame column is missing. Any thoughts?

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10

Function GetCertsFromWireSharkPackets4 ($CERTTEXT,$srch="^frame \d+:\[frame:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:|Cipher Suite:|CertExpires:", $fltr1='Certificate=') {
$frames = [regex]::matches($certtext, "(?sim)^frame \d+:.*?(?=^frame \d+:)").value -replace "frame (\d+)\:", 'frame:$1' -replace '(^.*?):(.*)', '$1: $2'  #-replace '(.*?):(.*)', '$1=$2'
$Objs=@()
foreach( $FramesWithCerts in ($Frames |?{$_ -match "Certificate:"}) ){
  $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
  $x_Certs = 0
  foreach( $Cert in [regex]::matches($FramesWithCerts, "(?sim)Certificate:.*?(?=Certificate:)").value ){
    $CC = ( ( "`n" + $Cert.split(10)[0] + "`nCertExpires: "+ ([regex]::matches($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim()) ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") ).trim() -join "`n"
    $Props += ("`n"+$CC) ; $x_Certs += 1
  }
$x=1; $last =''; 
$ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' |%{ $L=$_;$A=[regex]::match($_,"(?<=^).*?(?=\=)").value ; if($A -eq $last){'"'+($A+$X++)+'"="'+[regex]::matches($L,"(?<=\=).*?(?=$)").value.trim()+'"'} else {$last=$A ; $x=1 ; '"'+$L.replace('= ','"="')+'"'} }).trim() -join "`n" 
$ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}" 
$Objs += Invoke-Expression($ExpText) | select Frame, 'Arrival Time', Source, Destination, 'Cipher Suite', Certificate0, CertExpires0, Certificate1, CertExpires1, Certificate2, CertExpires2, Certificate3, CertExpires3
} $Objs }

packet capture to CSV

I'm not sure if this is a wireshark or a powershell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but ran in the function I'm missing the frame property.

frame        : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on interface 0
...
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source       : 75.98.70.71
Destination  : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com,
               (id-at-commonName=bea4.cnn.com, Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING SYST,id-a
BROADCASTING...
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA O
               Ser,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-stateOr
OSer,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-...
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSA
               USERTRUST RSAUSERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=New Jers
City,id-at-stateOrProvinceName=N...
CertExpires2 : 20-05-30 10:48:38

It's very odd that the frame column is missing. Any thoughts?

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10

Function GetCertsFromWireSharkPackets4 ($CERTTEXT,$srch="^frame \d+:\[frame:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:|Cipher Suite:|CertExpires:", $fltr1='Certificate=') {
$frames = [regex]::matches($certtext, "(?sim)^frame \d+:.*?(?=^frame \d+:)").value -replace "frame (\d+)\:", 'frame:$1' -replace '(^.*?):(.*)', '$1: $2'  #-replace '(.*?):(.*)', '$1=$2'
$Objs=@()
foreach( $FramesWithCerts in ($Frames |?{$_ -match "Certificate:"}) ){
  $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
  $x_Certs = 0
  foreach( $Cert in [regex]::matches($FramesWithCerts, "(?sim)Certificate:.*?(?=Certificate:)").value ){
    $CC = ( ( "`n" + $Cert.split(10)[0] + "`nCertExpires: "+ ([regex]::matches($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim()) ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") ).trim() -join "`n"
    $Props += ("`n"+$CC) ; $x_Certs += 1
  }
$x=1; $last =''; 
$ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' |%{ $L=$_;$A=[regex]::match($_,"(?<=^).*?(?=\=)").value ; if($A -eq $last){'"'+($A+$X++)+'"="'+[regex]::matches($L,"(?<=\=).*?(?=$)").value.trim()+'"'} else {$last=$A ; $x=1 ; '"'+$L.replace('= ','"="')+'"'} }).trim() -join "`n" 
$ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}" 
$Objs += Invoke-Expression($ExpText) | select Frame, 'Arrival Time', Source, Destination, 'Cipher Suite', Certificate0, CertExpires0, Certificate1, CertExpires1, Certificate2, CertExpires2, Certificate3, CertExpires3
} $Objs }

packet capture to CSV

I'm not sure if this is a wireshark or a powershell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but ran in the function I'm missing the frame property.

frame        : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on ...
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source       : 75.98.70.71
Destination  : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com, Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING...
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA OSer,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-...
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSAUSERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=N...
CertExpires2 : 20-05-30 10:48:38

It's very odd that the frame column is missing. Any thoughts?

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10

Function GetCertsFromWireSharkPackets4 ($CERTTEXT,$srch="^frame \d+:\[frame:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:|Cipher Suite:|CertExpires:", $fltr1='Certificate=') {
$frames = [regex]::matches($certtext, "(?sim)^frame \d+:.*?(?=^frame \d+:)").value -replace "frame (\d+)\:", 'frame:$1' -replace '(^.*?):(.*)', '$1: $2'  #-replace '(.*?):(.*)', '$1=$2'
 $Objs=@()
foreach( $FramesWithCerts in ($Frames |?{$_ -match "Certificate:"}) ){
  $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
  $x_Certs = 0
  foreach( $Cert in [regex]::matches($FramesWithCerts, "(?sim)Certificate:.*?(?=Certificate:)").value ){
    $CC = ( ( "`n" + $Cert.split(10)[0] + "`nCertExpires: "+ ([regex]::matches($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim()) ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") ).trim() -join "`n"
    $Props += ("`n"+$CC) ; $x_Certs += 1
  }
$x=1; $last =''; 
$ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' |%{ $L=$_;$A=[regex]::match($_,"(?<=^).*?(?=\=)").value ; if($A -eq $last){'"'+($A+$X++)+'"="'+[regex]::matches($L,"(?<=\=).*?(?=$)").value.trim()+'"'} else {$last=$A ; $x=1 ; '"'+$L.replace('= ','"="')+'"'} }).trim() -join "`n" 
$ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}" 
$Objs += Invoke-Expression($ExpText) | select Frame, 'Arrival Time', Source, Destination, 'Cipher Suite', Certificate0, CertExpires0, Certificate1, CertExpires1, Certificate2, CertExpires2, Certificate3, CertExpires3
} $Objs }

packet capture to CSV

I'm not sure if this is a wireshark or a powershell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but ran in the function I'm missing the frame property.

frame        : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on ...
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source       : 75.98.70.71
Destination  : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com, Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING...
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA OSer,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-...
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSAUSERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=N...
CertExpires2 : 20-05-30 10:48:38

It's very odd that the frame column is missing. Any thoughts?

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10
 Function GetCertsFromWireSharkPackets4 ($CERTTEXT,$srch="^frame \d+:\[frame:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:|Cipher Suite:|CertExpires:", ($CERTTEXT,$srch="^frame: \d+|^frame \d+:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Session ID:|CommonName:|Certificate:|Cipher Suite:|CertExpires:|Source Port:|Destination Port:", $fltr1='Certificate=') {
$frames = [regex]::matches($certtext, [regex]::matches( (($certtext -replace "(?sim)Frame",'frame' -replace "frame (\d+)\:", 'frame: $1') -join "`n"), "(?sim)^frame \d+:.*?(?=^frame \d+:)").value \d+:)|(?sim)^frame: \d+.*?(?=^frame: \d+)").value -replace '(^.*?):(.*)', '$1:$2'  #-replace '(.*?):(.*)', '$1=$2'
if(!$frames){ $frames = [regex]::matches(((($certtext+"`nframe: 00") -replace "(?sim)Frame",'frame' -replace "frame (\d+)\:", 'frame:$1' 'frame: $1') -join "`n"), "(?sim)^frame \d+:.*?(?=^frame \d+:)|(?sim)^frame: \d+.*?(?=^frame: \d+)").value -replace '(^.*?):(.*)', '$1: $2' 
$Objs=@()
'$1:$2' }  #-replace '(.*?):(.*)', '$1=$2' 
foreach( $FramesWithCerts in ($Frames |?{$_ -match "Certificate:"}) ){
  $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) |?{$_ -match $srch} ).trim() -join "`n"
  $frameNumber = ("frameNumber: "+[regex]::match($Props,"(?sim)(?<=frame: ).*?(?= )").value +"`n")
  $ArrivalTime = ("Arrival Time: "+(get-date ([regex]::match($Props,"(?sim)(?<=Arrival Time: ).*?(?=$)").value).substring(0,30) -f "MM/dd/yyyy HH:mm:ss.fffffff") +"`n").trim()
  $Props = $frameNumber + $Props -replace "Arrival Time: .+", $ArrivalTime
  $x_Certs = 0
  foreach( $Cert in [regex]::matches($FramesWithCerts, [regex]::matches( ($FramesWithCerts +"`nCertificate: "), "(?sim)Certificate:.*?(?=Certificate:)").value ){
    $CC = ( ( "`n" + $Cert.split(10)[0] + $CommonName = "`nCommonName: " + [regex]::match($Cert.split(10)[0], "(?sim)(?<=Certificate:.*?commonName=).*?(?=[,\)])").value
    $CertExpires = "`nCertExpires: "+ ([regex]::matches($Cert, " + ([regex]::match($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim()) \(UTC\))").value.trim() -replace "(.*?)-(.*?) (.*)", '$2-20$1 $3' -replace '-', '/')
    $CC = ( ($CommonName + "`n" + $Cert.split(10)[0] + $CertExpires ) -replace "Certificate:",("Certificate"+($x_Certs)+":") -replace "CertExpires:",("CertExpires"+($x_Certs)+":") -replace "CommonName:",("CommonName"+($x_Certs)+":") ).trim() -join "`n"
    $Props += ("`n"+$CC) ; $x_Certs += 1
  }
$x=1; $last =''; 
='';
$ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' |%{ $L=$_;$A=[regex]::match($_,"(?<=^).*?(?=\=)").value ; if($A -eq $last){'"'+($A+$X++)+'"="'+[regex]::matches($L,"(?<=\=).*?(?=$)").value.trim()+'"'} else {$last=$A ; $x=1 ; '"'+$L.replace('= ','"="')+'"'} }).trim() -join "`n" 
"`n"
$ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}" 
$Objs += Invoke-Expression($ExpText) ; $SelectProps = ($ValidP_V.split(10)|%{$_.split('=')[0]}) -join ','
$O=Invoke-Expression($ExpText) ; $SelectExp = ('$O | select Frame, 'Arrival Time', Source, Destination, 'Cipher Suite', Certificate0, CertExpires0, Certificate1, CertExpires1, Certificate2, CertExpires2, Certificate3, CertExpires3
} $Objs }
'+$SelectProps) ; Invoke-Expression($SelectExp)
$props = ''
}}