{"id":72741,"date":"2015-10-15T00:01:00","date_gmt":"2015-10-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/10\/15\/use-powershell-to-parse-network-trace-logs\/"},"modified":"2019-02-18T09:34:54","modified_gmt":"2019-02-18T16:34:54","slug":"use-powershell-to-parse-network-trace-logs","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-parse-network-trace-logs\/","title":{"rendered":"Use PowerShell to Parse Network Trace Logs"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to analyze packet trace logs.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Today I want to finish my discussion about analyzing a network trace log that was captured by using the cmdlets from the <b>NetEventPacketCapture<\/b> module.<\/p>\n<p><strong>&nbsp; &nbsp;Note<\/strong>&nbsp;<\/p>\n<ul>\n<li>For more information about setting up and making a packet trace, see <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/packet-sniffing-with-powershell-getting-started\/\" target=\"_blank\">Packet Sniffing with PowerShell: Getting Started<\/a>.<\/li>\n<li>For more information about doing basic analytics, see <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-parse-network-log\/\" target=\"_blank\">Use PowerShell to Parse Network Log<\/a>.<\/li>\n<li>To learn about converting text to objects and parsing the log, see <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/packet-sniffing-with-powershell-looking-at-messages\/\" target=\"_blank\">Packet Sniffing with PowerShell: Looking at Messages<\/a>.<\/li>\n<\/ul>\n<p>To start my network trace, I need to use the following four commands:<\/p>\n<p style=\"margin-left:30px\">Remove-NetEventSession<\/p>\n<p style=\"margin-left:30px\">$session = New-NetEventSession -Name 
&quot;Session1&quot;<\/p>\n<p style=\"margin-left:30px\">Add-NetEventProvider -Name &quot;Microsoft-Windows-TCPIP&quot; -SessionName &quot;Session1&quot;<\/p>\n<p style=\"margin-left:30px\">Start-NetEventSession -Name &quot;Session1&quot;<\/p>\n<p>After I have duplicated the problem, I use the <b>Stop-NetEventSession<\/b> cmdlet:<\/p>\n<p style=\"margin-left:30px\">Stop-NetEventSession -Name session1<\/p>\n<p>I need to read the contents of the network trace log into a variable. I will use the variable to explore my problem and to avoid having to load and to reload the log file. This command is shown here:<\/p>\n<p style=\"margin-left:30px\">$log = Get-WinEvent -Path $session.LocalFilePath -Oldest<\/p>\n<p>Now I want to check the amount of time that is covered by the log:<\/p>\n<p style=\"margin-left:30px\">New-TimeSpan -end ($log | select -Last 1).timecreated -start ($log | select -first 1).Timecreated<\/p>\n<p>It tells me that I have nearly 7 minutes of activity in the log. And by checking the count, it tells me that I have 6,666 events in my log.<\/p>\n<p style=\"margin-left:30px\"><b>Note&nbsp;<\/b> I must launch Windows PowerShell with elevated permissions to create network trace logs.<\/p>\n<p>The commands and their associated output are shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7002.hsg-10-15-15-01.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7002.hsg-10-15-15-01.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>These are the same commands that I create on a regular basis. 
I could easily create a function that I call <b>Get-NetworkTrace<\/b> that would duplicate all of these steps, and perhaps even capture a specific amount of network traffic.<\/p>\n<h2>Filter by ID number<\/h2>\n<p>If there is a problem that I am experiencing, and if I know the associated ID number, one of the easiest things to do is to filter by that specific event ID. I can do this by using the where method that was introduced in Windows PowerShell&nbsp;4.0:<\/p>\n<p style=\"margin-left:30px\">$log.where({$_.id -eq 1100})<\/p>\n<p>If I do not have Windows PowerShell 4.0, I can pipe the output to <b>Where-Object<\/b>, but this will take a lot more time. It is shown here:<\/p>\n<p style=\"margin-left:30px\">$log | where {$_.id -eq 1100}<\/p>\n<p>The following image shows that there were 26 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Silly_window_syndrome\" target=\"_blank\">silly window syndrome<\/a> avoidance events. Silly window syndrome is when the sliding window size shrinks to the point that network communication is restricted. Windows implements specific algorithms to detect and to correct this issue. When that happens, a silly window syndrome avoidance event is triggered.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8228.hsg-10-15-15-02.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/8228.hsg-10-15-15-02.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>There are also a number of retransmissions recorded in the log. 
I found these by looking for the string <b>retransmit<\/b>:<\/p>\n<p style=\"margin-left:30px\">PS C:\\&gt; $log.message | select-string retransmit | measure<\/p>\n<p style=\"margin-left:30px\">Count&nbsp;&nbsp;&nbsp; : 120<\/p>\n<p style=\"margin-left:30px\">Average&nbsp; :<\/p>\n<p style=\"margin-left:30px\">Sum&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :<\/p>\n<p style=\"margin-left:30px\">Maximum&nbsp; :<\/p>\n<p style=\"margin-left:30px\">Minimum&nbsp; :<\/p>\n<p style=\"margin-left:30px\">Property :<\/p>\n<p>I might want to check for the link speed. I can do this by searching the log for <b>LinkSpeed<\/b>. Here are the command and the results:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6661.hsg-10-15-15-03.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6661.hsg-10-15-15-03.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>I can also see what type of TCP template is detected:<\/p>\n<p style=\"margin-left:30px\">$log.message | Select-String templatetype<\/p>\n<p>The output is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-15-15-04.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-15-15-04.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>That is all there is to using Windows PowerShell to parse packet traces. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. 
If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b><span style=\"font-size:12px\">&nbsp;<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to analyze packet trace logs. Microsoft Scripting Guy, Ed Wilson, is here. Today I want to finish my discussion about analyzing a network trace log that was captured by using the cmdlets from the NetEventPacketCapture module. &nbsp; &nbsp;Note&nbsp; For more information about setting up [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[37,625,3,45],"class_list":["post-72741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-networking","tag-packet-traces","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to analyze packet trace logs. Microsoft Scripting Guy, Ed Wilson, is here. Today I want to finish my discussion about analyzing a network trace log that was captured by using the cmdlets from the NetEventPacketCapture module. 
&nbsp; &nbsp;Note&nbsp; For more information about setting up [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=72741"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72741\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=72741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=72741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=72741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}