I'm not sure if this is a Wireshark or a PowerShell question but I thought I would try here first. I'm writing a script to pull information out of packets for CSV. When I manually run the code below (not in a function) I get the correct result, but run in the function I'm missing the frame property.
frame : 8717 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on interface 0
Arrival Time : Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
Source : 75.98.70.71
Destination : 12.8.3.256
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Certificate0 : 308207b130820699a00302010202105416597b61d4b86d5c... (id-at-commonName=bea4.cnn.com,
Communications,id-at-organizationalUnitName=Hosted by TURNER BROADCASTING SYST,id-a
CertExpires0 : 21-01-06 23:59:59
Certificate1 : 3082061930820401a0030201020210137d539caa7c31a9a4... (id-at-commonName=Sectigo RSA O
Ser,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-stateOr
CertExpires1 : 30-12-31 23:59:59
Certificate2 : 308205773082045fa003020102021013ea28705bf4eced0c... (id-at-commonName=USERTrust RSA
USERTRUST Network,id-at-localityName=Jersey City,id-at-stateOrProvinceName=New Jers
CertExpires2 : 20-05-30 10:48:38
It's very odd that the frame column is missing. Any thoughts?
$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:10
# The default $srch used to begin with "^frame \d+:\[frame:", which can never match the header once it has been rewritten to "frame: 8717 ..." below; that is why the frame property vanished inside the function. "^frame:" matches the rewritten line.
Function GetCertsFromWireSharkPackets4 ($CERTTEXT, $srch="^frame:|Arrival Time:|Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:|Cipher Suite:|CertExpires:", $fltr1='Certificate=') {
    # tshark output is captured as a string[]; handing that to [regex]::matches joins it with spaces, so rejoin it with newlines first.
    $certtext = $certtext -join "`n"
    # One match per frame; the lookahead also accepts end of input (\z) so the last frame is not dropped. "Frame 8717: ..." becomes "frame: 8717 ...".
    $frames = [regex]::matches($certtext, "(?sim)^frame \d+:.*?(?=^frame \d+:|\z)").value -replace "frame (\d+)\:", 'frame:$1' -replace '(^.*?):(.*)', '$1: $2'
    $Objs = @()
    foreach ($FramesWithCerts in ($frames | ?{ $_ -match "Certificate:" })) {
        # Keep only the wanted "key: value" lines that precede the first certificate; split(10) splits on LF.
        $Props = ( ([regex]::match($FramesWithCerts, "(?sim).*?(?=Certificate:)").value).split(10) | ?{ $_ -match $srch } ).trim() -join "`n"
        $x_Certs = 0
        # One match per certificate in the chain; again \z keeps the last one.
        foreach ($Cert in [regex]::matches($FramesWithCerts, "(?sim)Certificate:.*?(?=Certificate:|\z)").value) {
            # First line of the certificate plus its notAfter time, renamed CertificateN / CertExpiresN.
            $CC = ( ( "`n" + $Cert.split(10)[0] + "`nCertExpires: " + ([regex]::matches($Cert, "(?sim)(?<=Certificate:.*?validity.*?notAfter.*?utcTime: ).*?(?= \(UTC\))").value.trim()) ) -replace "Certificate:", ("Certificate" + $x_Certs + ":") -replace "CertExpires:", ("CertExpires" + $x_Certs + ":") ).trim() -join "`n"
            $Props += ("`n" + $CC); $x_Certs += 1
        }
        $x = 1; $last = ''
        # Turn "key: value" into "key"="value"; a repeated key gets a numeric suffix so the hashtable stays valid.
        $ValidP_V = ($Props.split(10) -replace '(.*?):(.*)', '$1=$2' | %{ $L = $_; $A = [regex]::match($_, "(?<=^).*?(?=\=)").value; if ($A -eq $last) { '"' + ($A + $X++) + '"="' + [regex]::matches($L, "(?<=\=).*?(?=$)").value.trim() + '"' } else { $last = $A; $x = 1; '"' + $L.replace('= ', '"="') + '"' } }).trim() -join "`n"
        # The object is built by evaluating generated PowerShell, so a quote, $ or backtick inside a certificate subject breaks or executes here; building the hashtable directly avoids that.
        $ExpText = "New-Object psobject -Property @{`n" + $ValidP_V + "`n}"
        $Objs += Invoke-Expression($ExpText) | select Frame, 'Arrival Time', Source, Destination, 'Cipher Suite', Certificate0, CertExpires0, Certificate1, CertExpires1, Certificate2, CertExpires2, Certificate3, CertExpires3
    }
    $Objs
}
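Two things bite in the code above: the frame header no longer matches the $srch filter once it has been rewritten to "frame: 8717 ...", and Invoke-Expression evaluates whatever text a certificate subject happens to contain. The following is an added example, not the asker's code, that builds the objects directly from the "key: value" lines; ConvertFrom-TsharkVerbose and the sample tshark -V text are constructed for this illustration.

```powershell
# Added example, not the asker's code: build the objects line by line instead of generating
# PowerShell text for Invoke-Expression, so the frame header keeps its key and wire-supplied
# subject text stays data. Sample input is constructed in tshark -V layout (made-up values).
$SampleTsharkV = @'
Frame 8717: 438 bytes on wire (3504 bits), 438 bytes captured (3504 bits) on interface 0
    Arrival Time: Mar 31, 2020 18:09:56.066209000 Eastern Daylight Time
    Source: 00:11:22:33:44:55 (00:11:22:33:44:55)
    Source: 198.51.100.7
    Destination: 192.0.2.10
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Certificate: 308207b1... (id-at-commonName=www.example.test,id-at-organizationName="Ex $(hostname), Inc.")
        notBefore: utcTime (0)
            utcTime: 20-01-06 00:00:00 (UTC)
        notAfter: utcTime (0)
            utcTime: 21-01-06 23:59:59 (UTC)
    Certificate: 30820619... (id-at-commonName=Example Issuing CA)
        notAfter: utcTime (0)
            utcTime: 30-12-31 23:59:59 (UTC)
Frame 8720: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Arrival Time: Mar 31, 2020 18:09:56.070000000 Eastern Daylight Time
'@

function ConvertFrom-TsharkVerbose {
    param([Parameter(Mandatory)] $Text)   # a string or the string[] tshark returns
    $frames = [System.Collections.Generic.List[object]]::new()
    $cur = $null; $n = 0; $inNotAfter = $false
    foreach ($raw in (($Text -join "`n") -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^Frame (\d+): (.*)$') {               # new frame: flush the previous one
            if ($cur) { $frames.Add([pscustomobject]$cur) }
            $cur = [ordered]@{ Frame = [int]$Matches[1]; FrameInfo = $Matches[2] }; $n = 0; $inNotAfter = $false
        } elseif (-not $cur) {
            continue                                            # text before the first frame header
        } elseif ($line -match '^(Arrival Time|Cipher Suite): (.*)$') {
            $cur[$Matches[1]] = $Matches[2]
        } elseif ($line -match '^(Source|Destination): (\d{1,3}(\.\d{1,3}){3})$') {
            $cur[$Matches[1]] = $Matches[2]                     # IPv4 only; the Ethernet MAC lines are skipped
        } elseif ($line -match '^Certificate: (.*)$') {
            $cur["Certificate$n"] = $Matches[1]; $n++; $inNotAfter = $false
        } elseif ($line -match '^notAfter: ') {
            $inNotAfter = $true                                 # the next utcTime is this cert's expiry, not its notBefore
        } elseif ($inNotAfter -and $line -match '^utcTime: (.*) \(UTC\)$') {
            $cur["CertExpires$($n - 1)"] = $Matches[1]; $inNotAfter = $false
        }
    }
    if ($cur) { $frames.Add([pscustomobject]$cur) }
    return $frames
}
ConvertFrom-TsharkVerbose $SampleTsharkV | Where-Object Certificate0 | Export-Csv -NoTypeInformation -Path .\cert-frames.csv
```

Export-Csv takes its columns from the first object, so pipe through Select-Object with a fixed property list (as the original does) if frames carry chains of different lengths.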