{"id":53963,"date":"2009-04-15T23:13:00","date_gmt":"2009-04-15T23:13:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/04\/15\/hey-scripting-guy-how-can-i-see-which-packets-are-being-dropped-by-windows-firewall\/"},"modified":"2009-04-15T23:13:00","modified_gmt":"2009-04-15T23:13:00","slug":"hey-scripting-guy-how-can-i-see-which-packets-are-being-dropped-by-windows-firewall","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-see-which-packets-are-being-dropped-by-windows-firewall\/","title":{"rendered":"Hey, Scripting Guy! How Can I See Which Packets Are Being Dropped by Windows Firewall?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! I love the Windows Firewall. I think it is really cool. The fact that it is a low-maintenance tool is sweet, but every once in a while, I would like to look over the log files and see what is going on. In particularly, I want to know about what packets are being dropped by the firewall. Can you help me?

– DC<\/P>\"Spacer\"\"Hey, \n

Hi DC,<\/P>\n

Did you ever have someone try to help you out, and in the end they caused you more work than if they hadn\u2019t \u201chelped\u201d? Windows Firewall is kind of like that helpful friend. It tries to hide some of the details. Luckily, all you need to do is remember that you first need to enable Windows Firewall logging. This is seen in the image just below.<\/P>\n\n<\/THEAD>\n\n\n
\n

This week we are focusing on regular expressions. There are some VBScript examples in the Script Center<\/A>. Here is a good introduction<\/A> from the 2008 Winter Scripting Games (by the way, in the 2009 Summer Scripting Games, I can pretty much guarantee you will need to be able to do something with regular expressions for one of the events). The Regex .NET Framework class from the System.Text.RegularExpressions namespace is documented on MSDN<\/A>. This is one of the main classes we use in Windows PowerShell when working with regular expressions. You also will find some information about regular expressions in the Microsoft Press book, Windows PowerShell Scripting Guide<\/A>. Here is a very good article about regular expression use in VBScript<\/A>. In this week’s articles, we are using Windows PowerShell for our samples. Please refer to the Windows PowerShell Scripting Hub<\/A> for more information about this exciting new technology.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\"Image \n

 <\/P>\n

As soon as logging is turned on, you can use a script such as SearchFirewallLogForDroppedPackets.ps1<\/B> to search the Windows Firewall log. One thing you will need to do is make sure the path of the Windows Firewall log points to the correct location. The location for Windows 7, Windows Vista, and Windows XP are listed here:<\/P>\n\n\n\n\n\n
\u2022<\/TD>\n\n

Windows 7: “C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log”<\/P><\/TD><\/TR>\n

\u2022<\/TD>\n\n

Windows Vista: “C:\\Windows\\System32\\Logfiles\\Firewall\\Firewall.log”<\/P><\/TD><\/TR>\n

\u2022<\/TD>\n\n

Windows XP: “C:\\Windows\\pfirewall.log”<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

You can, of course, customize this and move the logs to another location (however, we do not recommend this because of the importance of maintaining proper security settings to protect the log files). After you set the correct path for your particular firewall you run the script. The regular expression pattern is set up to display propped UDP packets. The SearchFirewallLogForDroppedPackets.ps1<\/B> script is shown here:<\/P>\n

SearchFirewallLogForDroppedPackets.ps1<\/B><\/P>

Function New-TempFile\n{\n  [io.path]::GetTempFileName()\n} #end Get-TempFile<\/p>\n
Function Search-Logfile \n{\n Param(\n       $logFIle,\n       $pattern\n      )\n Get-Content -path $logFile |\n Select-String  -pattern $pattern\n} #end Search-LogFile<\/p>\n
Function Show-Output \n{ \n Notepad $TempFile | Out-Null \n Remove-Item -path $TempFile\n} #end Show-Output<\/p>\n
# *** Entry to script ***<\/p>\n
$log = “C:\\Windows\\pfirewall.log”\n$pattern = “DROP\\sUDP\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}”<\/p>\n
Search-LogFile -log $log -pattern $pattern |\nOut-File -filepath (New-TempFile | Tee-Object -variable TempFile) | \nShow-Output\n<\/PRE>\n
You do not have to write your script in the way we have done here. You could write it like a lot of people who write VBScripts do and just have one line of code after another. There are several reasons for writing the script by using functions. For one thing, the code is much easier to read because the function names are self explanatory, and therefore we know the New-TempFile<\/B> creates a temporary file. Also, the three functions are reusable, which means we can easily use them in creating other scripts. In Windows PowerShell 2.0, these functions can go into a module that you import into your current script session, making them immediately available. The names are important because in Windows PowerShell 2.0 the verbs will be checked against an allowed list of verbs, and a message will be displayed if they do not comply with standards.<\/P>\n
The first thing we want to do is to create a function named Get-TempFile<\/B>. This function is used to create a temporary file with a temporary name. The advantage of using a temporary file with a temporary name in a temporary location is that we do not need to worry about making up a file name or worrying about file locations. All computers have a temporary file directory. To create the Get-TempFile<\/B> function, we use the Function<\/B> keyword, as shown here.<\/P>
Function Get-TempFile\n{\n<\/PRE>\n
Inside the function, we have a single command. This command uses the static method Get-TempFileName<\/B> from the system.io.path<\/B> .NET Framework class. A static method is one that is always available to us. We can find static methods in any .NET Framework class by using the Get-Member<\/B> cmdlet as seen here: <\/P>
PS C:\\> [io.path] | Get-Member -membertype method -static<\/p>\n
   TypeName: System.IO.Path<\/p>\n
Name                        MemberType Definition\n—-                        ———- ———-\nChangeExtension             Method     static System.String ChangeExtension(…\nCombine                     Method     static System.String Combine(String p…\nEquals                      Method     static System.Boolean Equals(Object o…\nGetDirectoryName            Method     static System.String GetDirectoryName…\nGetExtension                Method     static System.String GetExtension(Str…\nGetFileName                 Method     static System.String GetFileName(Stri…\nGetFileNameWithoutExtension Method     static System.String GetFileNameWitho…\nGetFullPath                 Method     static System.String GetFullPath(Stri…\nGetInvalidFileNameChars     Method     static System.Char[] GetInvalidFileNa…\nGetInvalidPathChars         Method     static System.Char[] GetInvalidPathCh…\nGetPathRoot                 Method     static System.String GetPathRoot(Stri…\nGetRandomFileName           Method     static System.String GetRandomFileName()\nGetTempFileName             Method     static System.String GetTempFileName()\nGetTempPath                 Method     static System.String GetTempPath()\nHasExtension                Method     static System.Boolean HasExtension(St…\nIsPathRooted                Method     static System.Boolean IsPathRooted(St…\nReferenceEquals             Method     static System.Boolean ReferenceEquals…\n<\/PRE>\n
If you do not want to do so much typing, you can use a shorter command by using the gm<\/B> alias for Get-Member<\/B> and only typing the first letter of each parameter. You can also use a wild card for the membertype<\/B> method. This is seen here:<\/P>
PS C:\\> [io.path] | gm -m m* \u2013s<\/PRE>\n
You can see from the listing of static methods that the path<\/B> .NET Framework class can do quite a bit for us. The cool thing about the GetTempFileName<\/B> method is that in addition to creating a temporary file name in the temporary directory, it also creates the temporary file for us to use. To do the same thing in VBScript would require several lines of code, which is seen here in a script from the Microsoft Press book, Microsoft VBScript Step By Step<\/A>:<\/P>\n
FunTempFile.vbs<\/B><\/P>
‘==========================================================================\n‘\n‘ NAME: FunTempFile.vbs\n‘\n‘ AUTHOR: ed wilson , mred\n‘ DATE  : 4\/6\/2006\n‘\n‘ COMMENT: <FunTempFile function.>\n‘1.Uses two methods from File system object: getSpecialFolder, and getTempName\n‘2.Builds up a path to the temporary folder  and temporary file. You can use\n‘3.this directly as as seen here, or can use the path THEN create as seen In\n‘4.CreateTempFileNameAndOpenInNotepad.vbs MSPRess VBScript Step by Step ch 6 \n‘==========================================================================\nOption Explicit \n‘On Error Resume Next\nDim objFSO ‘the fileSystemObject\nDim objFile ‘File object<\/p>\n
Set objFSO = CreateObject(“Scripting.FileSystemObject”)\nSet objFile = objFSO.createTextFIle(funTempFile(objFSO))<\/p>\n
‘ *** function below *****\nFunction FunTempFile(objFSO)’Creates temp folder, and temp file name\nDim objfolder ‘temporary folder object\nDim  strName’Temporary file name<\/p>\n
Const TemporaryFolder = 2’File system object constant value<\/p>\n
Set objfolder = objfso.GetSpecialFolder(TemporaryFolder)\n   strName = objfso.GetTempName\n   strName = objfolder & “\\” & strName   \n  FunTempFile = strName  \nEnd Function\n<\/PRE>\n
On the other hand, the Windows PowerShell command that creates a temporary file name in the temporary directory, and then creates the file is seen here:<\/P>
  [io.path]::GetTempFileName()\n} #end Get-TempFile\n<\/PRE>\n
After we are done with the Get-TempFile<\/B> function, we create another function named Search-LogFile<\/B>:<\/P>
Function Search-LogFile \n{\n<\/PRE>\n
Inside the function, we define two parameters. Using the Param<\/B> statement inside the code block of the function is a good way to create input parameters because in Windows PowerShell 2.0, there are additional parameter modifiers we can use to do things such as make the parameter mandatory. The two parameters we create are the \u2013logfile<\/B> and the \u2013pattern<\/B> parameters. The \u2013logfile<\/B> parameter is used to hold the path of the Windows Firewall log, and the \u2013pattern<\/B> parameter is used to hold the regular expression pattern we wish to use to parse the log. This is shown  here: <\/P>
 Param(\n       $logFile,\n       $pattern\n      )\n<\/PRE>\n
We now use the Get-Content<\/B> cmdlet to read the content of the log file. In Monday\u2019s \u201cHey, Scripting Guy!\u201d article<\/A> we talked about using the Select-String<\/B> cmdlet to read and parse a text file all in one step. The Windows Firewall log file is always in use, so Select-String<\/B> was not able to open and read the file. However, on my computer, Get-Content<\/B> was able to perform this bit of magic. So we use Get-Content<\/B> to read the content of the file, and stream it across the pipeline to the Select-String<\/B> cmdlet. This is seen here: <\/P>
 Get-Content -path $logFile |\n Select-String -pattern $pattern\n} #end Search-LogFile\n<\/PRE>\n
The Show-Output<\/B> function uses Notepad to open the temporary file and display the results. An example of this is seen here:<\/P>\"Image \n
 <\/P>\n
We use the Function<\/B> keyword to create the Show-Output<\/B>  function:<\/P>
Function Show-Output \n{ \n<\/PRE>\n
The first thing we do is feed the path of the temporary file stored in the $TempFile<\/B> variable to Notepad. We then use a trick to halt execution of the script by pipelining the command to the Out-Null<\/B> cmdlet. When we close Notepad, the script continues and calls the Remote-Item<\/B> cmdlet to delete the temporary file. This is shown here:<\/P>
 Notepad $TempFile | Out-Null \n Remove-Item -path $TempFile\n} #end Show-Output\n<\/PRE>\n
Now we get to the entry point of the script. The first thing we do is assign a path to the $log<\/B> variable that points to the Windows Firewall log file. This is seen here. <\/P>
$log = “C:\\Windows\\pfirewall.log”<\/PRE>\n
The pattern we use specifies the word DROP<\/B> followed by any white space and the word UDP<\/B>, followed by one to three numbers separated by a period and more numbers and periods. This is seen here: <\/P>
$pattern = “DROP\\sUDP\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}”<\/PRE>\n
We first call the Search-LogFile<\/B> function and pass in the path of the Windows Firewall log that we have held in the $log<\/B> variable. We then pass in our dropped packet regular expression pattern that we have stored in the $pattern<\/B> variable. We then pipeline the results from the Search-LogFile<\/B> function to the next command. This is shown here:<\/P>
Search-LogFile -log $log -pattern $pattern |<\/PRE>\n
The next command is pretty cool. The first thing we do is call the Out-File<\/B> cmdlet. The Out-File<\/B> needs the path of the temporary file. But at this point, the temporary file has not been created. It gets created by calling the New-TempFile<\/B> function. It is common in situations such as this to store the pointer to the temporary file in a variable and give that variable to the Out-File<\/B> cmdlet. We do not want to use an intermediate variable, however, so we pipeline the returned fileinfo<\/B> object to the Tee-Object<\/B> cmdlet. The cool thing is that the Tee-Object<\/B> lets us split the output. On the one hand, we are passing my temporary file to the Out-File<\/B> cmdlet. On the other hand, we need to be able to pass the temporary file with its contents to the Show-Output<\/B> function. This is the beauty of the Tee-Output<\/B> cmdlet\u2014it lets us do two things at once. We pipeline the results to the Show-Output<\/B> function:<\/P>
Out-File -filepath (New-TempFile | Tee-Object -variable TempFile) | \nShow-Output\n<\/PRE>\n
Well, DC, that is it for parsing the Windows Firewall log. Obviously, we can use the same technique to parse any of the hundreds of other text log files in Windows. The functions we created today can be employed for other uses in other scripts because they are pretty much self-contained. Take care, and we will see you tomorrow as we continue regular expression week. Until then, peace.<\/P>\n
 <\/P>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/B><\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! I love the Windows Firewall. I think it is really cool. The fact that it is a low-maintenance tool is sweet, but every once in a while, I would like to look over the log files and see what is going on. In particularly, I want to know about what packets are […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[161,174,3,4,63,45],"class_list":["post-53963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-firewall","tag-regular-expressions","tag-scripting-guy","tag-scripting-techniques","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! I love the Windows Firewall. I think it is really cool. The fact that it is a low-maintenance tool is sweet, but every once in a while, I would like to look over the log files and see what is going on. In particularly, I want to know about what packets are […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/53963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=53963"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/53963\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=53963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=53963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=53963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}