From cmd.exe, a variable for date/time (e.g. timestamp) could be useful:
realtd.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%_%realtime%
From cmd.exe we can start the trace:
netsh trace start provider=Microsoft-Windows-Kernel-Network provider=Microsoft-Windows-Kernel-Process provider=Microsoft-Windows-Security-Auditing provider=Microsoft-Windows-Security-Netlogon provider=Microsoft-Windows-TCPIP persistent=yes traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace%timestamp%.etl
and stop the trace:
netsh trace stop
If we choose we can covert the trace with 'netsh' we can dump it to a text or csv dump with:
netsh trace convert input=NetTrace07.07.2011_1.38.09.40.etl output=NetTrace07.07.2011_1.38.09.40.txt dump=TXT
Next we can try parsing a particular provider from Powershell. Here I choose "Microsoft-Windows-TCPIP" provider. I adjust the screen buffer size to help 'format-table' catch all of the trace line:
$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
$Providers="Microsoft-Windows-TCPIP"
$FileName="NetTrace07.07.2011_1.38.09.40.etl"
foreach ($ProviderName in $Providers) {get-winevent -path "$FileName" -oldest | where {$_.ProviderName -eq "$ProviderName"} | ft TimeCreated, Message| out-file -encoding ASCII -file "$FileName$ProviderName.txt"}
I find I can not make GNUWin32 gawk work as advertised inside Powershell.
The following line does not work in Powershell:
## grep -i -w "remote" "$FileName$ProviderName.txt" | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' | out-file -encoding ASCII -append "$ProviderName.csv"
But this will work just fine in Cygwin:
grep -i -w "remote" NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.txt | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' >> NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.csv
and we are looking at a spreadsheet like this:
No comments:
Post a Comment