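# ==============================================================================================
#
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2007
#
# NAME: Analyze-Packet.ps1
#
# AUTHOR: Jeffery Hicks , SAPIEN Technologies
# DATE  : 7/9/2008
#
# COMMENT: This script is used to analyze a saved network trace created with
# my version of Get-Packet. See http://blog.sapien.com/index.php/2008/07/10/get-packet
#
# Save your trace to a variable:
# $sniff=c:\scripts\get-packet.ps1
#
# Pass that variable as a parameter to this script. I recommend saving the results to
# a variable since this script may take several minutes or longer run depending on the
# size of your trace.
# $report=c:\scripts\Analyze-packet.ps1 $sniff
#
# Each packet object is expected to expose the properties read below: time, protocol,
# source, sourceport, destination and destport (as produced by Get-Packet).
#
# NOTE: the "SOURCE IP" section performs a reverse-DNS lookup for every distinct source
# address in the trace. Those queries leave the analysis host and are answered by whoever
# controls the address space, so the Host column is a hint for the reader, not evidence;
# the lookups are also where most of the run time goes.
# ==============================================================================================

Param([object]$sniff)

# Normalize to an array so .Count and [-1] work even when the trace holds a single packet
# (a one-element pipeline result is unwrapped to a bare object in older PowerShell versions).
$sniff = @($sniff)

if ($sniff.Count -eq 0) {
    Write-Error "No packets to analyze: the trace is empty or `$sniff was not supplied."
    return
}

#######################################
# Builds a "how many packets per value" table for one packet property.
# Arguments: $Packets  - the packet objects
#            $Property - property to group on (e.g. protocol, sourceport)
#            $Label    - column name to give the grouped value in the output
# Outputs:   objects with Count and $Label, most frequent first
#######################################
function Get-FieldDistribution($Packets, $Property, $Label) {
    $Packets |
        Sort-Object $Property |
        Group-Object $Property |
        Sort-Object Count -Descending |
        Select-Object Count, @{Name=$Label; Expression={$_.Name}}
}

# Calculated property appended to every table in the report: share of all packets.
$pct = @{Name="Percentage"; Expression={"{0:P4}" -f ($_.Count / $sniff.Count)}}

$activity = "Analyzing network trace"

Write-Progress -Activity $activity -Status "Counting packets" -PercentComplete 1
$count = "Total packet count: {0}" -f $sniff.Count

Write-Progress -Activity $activity -Status "Calculating elapsed time" -PercentComplete 5
$span = $sniff[-1].time - $sniff[0].time
$elapsed = "Total elapsed time: {0}" -f $span.ToString()

# Packets per second; a single-packet (or single-timestamp) trace has no span to divide by.
if ($span.TotalSeconds -gt 0) {
    $pps = "{0:N4}" -f ($sniff.Count / $span.TotalSeconds)
} else {
    $pps = "n/a"
}
$packetsPerSecond = "Packets per second: $pps"

Write-Progress -Activity $activity -Status "Calculating protocol distribution" -PercentComplete 20
$protocols = Get-FieldDistribution $sniff protocol "Protocol"

Write-Progress -Activity $activity -Status "Calculating source distribution" -PercentComplete 35
# @() keeps .Count valid in the loop below when there is only one distinct source.
$ips = @(Get-FieldDistribution $sniff source "Name")

$sources = @()
# A failed lookup throws; SilentlyContinue keeps the script going. The previous preference
# is saved and restored instead of being replaced with a hard-coded "Continue".
$savedErrorAction = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"
for ($i = 0; $i -lt $ips.Count; $i++) {
    Write-Progress -Activity $activity -Status "Resolving Source IP addresses" `
        -CurrentOperation $ips[$i].Name -PercentComplete (($i / $ips.Count) * 100)
    # Reset first: when GetHostEntry throws, the assignment statement is skipped and
    # $resolved would otherwise still hold the previous address's host name.
    $resolved = $null
    $resolved = [System.Net.Dns]::GetHostEntry($ips[$i].Name).HostName
    if (!$resolved) { $resolved = "Not Found" }
    $obj = New-Object PSObject
    $obj | Add-Member -MemberType NoteProperty -Name "Count" -Value $ips[$i].Count
    $obj | Add-Member -MemberType NoteProperty -Name "IP" -Value $ips[$i].Name
    $obj | Add-Member -MemberType NoteProperty -Name "Host" -Value $resolved
    $sources += $obj
}
$ErrorActionPreference = $savedErrorAction

Write-Progress -Activity $activity -Status "Calculating source port distribution" -PercentComplete 40
$sourceport = Get-FieldDistribution $sniff sourceport "Port"

Write-Progress -Activity $activity -Status "Calculating destination distribution" -PercentComplete 50
$destinations = Get-FieldDistribution $sniff destination "IP"

Write-Progress -Activity $activity -Status "Calculating destination port distribution" -PercentComplete 60
$destinationport = Get-FieldDistribution $sniff destport "Port"

# -Completed is a switch; the original passed $True as a stray positional argument.
Write-Progress -Activity $activity -Status "Presenting data" -PercentComplete 100 -Completed

# write results
Write-Output "NETWORK TRACE ANALYSIS"
Write-Output ("-" * 50)
Write-Output "`t"
Write-Output $count
Write-Output $elapsed
Write-Output $packetsPerSecond
Write-Output "`t"
Write-Output "PROTOCOLS"
$protocols | Select-Object Count, Protocol, $pct
Write-Output "DESTINATION IP"
$destinations | Select-Object Count, IP, $pct
Write-Output "DESTINATION PORTS"
$destinationport | Select-Object Count, Port, $pct
Write-Output "SOURCE IP"
$sources | Select-Object Count, IP, Host, $pct
Write-Output "SOURCE PORTS"
$sourceport | Select-Object Count, Port, $pct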