{"id":72771,"date":"2015-10-13T14:40:00","date_gmt":"2015-10-13T14:40:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/10\/13\/use-powershell-to-parse-network-log\/"},"modified":"2019-02-18T09:34:55","modified_gmt":"2019-02-18T16:34:55","slug":"use-powershell-to-parse-network-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-parse-network-log\/","title":{"rendered":"Use PowerShell to Parse Network Log"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to parse a network trace log.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Today I want to talk a little bit about using Windows PowerShell to parse a network trace log. In yesterday’s blog post, Packet Sniffing with PowerShell: Getting Started<\/a>, I talked using Windows PowerShell to do a network trace.<\/p>\n

Yesterday, I created a network trace log. I can use that log, or I can create a new log.<\/p>\n

            Note <\/b> These commands require that Windows PowerShell is elevated.<\/p>\n

When I create a new NetEvent<\/b> session with the New-NetEventSession<\/b> cmdlet, it returns a NetEvent<\/b> session object:<\/p>\n

PS C:\\> New-NetEventSession -Name “Session1”<\/p>\n

Name               : Session1<\/p>\n

CaptureMode        : SaveToFile<\/p>\n

LocalFilePath      : C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\NetEvent<\/p>\n

                     Trace.etl<\/p>\n

MaxFileSize        : 250 MB<\/p>\n

TraceBufferSize    : 0 KB<\/p>\n

MaxNumberOfBuffers : 0<\/p>\n

SessionStatus      : NotRunning<\/p>\n

This object contains the path to the log file. I like to store the results in a variable so that I can easily access the log file without having to do a lot of typing. This is shown here:<\/p>\n

PS C:\\> $session = New-NetEventSession -Name “Session1”<\/p>\n

PS C:\\> $session.LocalFilePath<\/p>\n

C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\NetEventTrace.etl<\/p>\n

After I add my event provider and start the session, I can begin the logging, as shown here:<\/p>\n

PS C:\\> Add-NetEventProvider -Name “Microsoft-Windows-TCPIP” -SessionName “Session1”<\/p>\n

Name            : Microsoft-Windows-TCPIP<\/p>\n

SessionName     : Session1<\/p>\n

Level           : 4<\/p>\n

MatchAnyKeyword : 0xFFFFFFFFFFFFFFFF<\/p>\n

MatchAllKeyword : 0x0<\/p>\n

PS C:\\> Start-NetEventSession -Name “Session1”<\/p>\n

After doing the trace, I stop the session:<\/p>\n

Stop-NetEventSession -Name session1<\/p>\n

Examine the trace log<\/h2>\n

Now I use the Get-WinEvent<\/b> cmdlet to examine the trace log. To do this, I like to read the contents into a variable so I can parse it. This is where storing the path to the log comes in handy. Here is the command:<\/p>\n

$log = Get-WinEvent -Path $session.LocalFilePath –Oldest<\/p>\n

   Note<\/b>  The trace log must be read in reverse order, so the –Oldest<\/b> switch is required. Otherwise, an error occurs.<\/p>\n

I can inspect the first record by indexing into the collection:<\/p>\n

PS C:\\> $log[0]<\/p>\n

   ProviderName: Microsoft-Windows-TCPIP<\/p>\n

TimeCreated                     Id LevelDisplayName Message<\/p>\n

———–                     — —————- ——-<\/p>\n

10\/12\/2015 3:22:06 PM         1300 Information      TCP: connection 0xffffe001cc3…<\/p>\n

But it becomes more interesting to look at event IDs or to try to parse the message block. For example, I can look at the message block by accessing the Message<\/b> <\/i>property:<\/p>\n

PS C:\\> $log[0].Message<\/p>\n

TCP: connection 0xffffe001cc33cd10 (local=192.168.0.7:52259 remote=127.0.0.1:443) exists. State = CloseWaitState. PID = 2640.<\/p>\n

Here, I look at a specific ID:<\/p>\n

PS C:\\> $log.Where({$_.id -eq 1348})<\/p>\n

   ProviderName: Microsoft-Windows-TCPIP<\/p>\n

TimeCreated                     Id LevelDisplayName Message<\/p>\n

———–                     — —————- ——-<\/p>\n

10\/12\/2015 3:23:00 PM         1348 Information      TCP: CTCP DataTransferTimeout…<\/p>\n

10\/12\/2015 3:23:00 PM         1348 Information      TCP: CTCP DataTransferTimeout…<\/p>\n

10\/12\/2015 3:23:00 PM         1348 Information      TCP: CTCP DataTransferTimeout…<\/p>\n

10\/12\/2015 3:23:00 PM         1348 Information      TCP: CTCP DataTransferTimeout…<\/p>\n

10\/12\/2015 3:23:01 PM         1348 Information      TCP: CTCP DataTransferTimeout…<\/p>\n

<output truncated><\/p>\n

How many of those events were there? I can find that out by the count:<\/p>\n

PS C:\\> $log.Where({$_.id -eq 1348}).count<\/p>\n

72<\/p>\n

As shown here, I can sort by ID and do a count:<\/p>\n

PS C:\\> $log | group id -NoElement | sort count -Descending<\/p>\n

Count Name<\/p>\n

—– —-<\/p>\n

 1188 1074<\/p>\n

  649 1332<\/p>\n

  628 1157<\/p>\n

  364 1156<\/p>\n

  359 1158<\/p>\n

  196 1159<\/p>\n

  189 1229<\/p>\n

  189 1331<\/p>\n

  137 1051<\/p>\n

   72 1187<\/p>\n

   72 1351<\/p>\n

   72 1079<\/p>\n

   72 1348<\/p>\n

   68 1193<\/p>\n

   52 1086<\/p>\n

   40 1300<\/p>\n

<output truncated><\/p>\n

Well, is an ID 1074 a good thing or a bad thing? I can easily find out by looking at a sample event, and then examining the message string:<\/p>\n

PS C:\\> $log.Where({$_.id -eq 1074})[0]<\/p>\n

   ProviderName: Microsoft-Windows-TCPIP<\/p>\n

TimeCreated               &nbsp\n;     Id LevelDisplayName Message<\/p>\n

———–                     — —————- ——-<\/p>\n

10\/12\/2015 3:22:08 PM         1074 Information      TCP: connection 0xffffe001d35…<\/p>\n

PS C:\\> $log.Where({$_.id -eq 1074})[0].message<\/p>\n

TCP: connection 0xffffe001d3537c00: Received data with number of bytes = 186. ThSeq<\/p>\n

= 2458887771.<\/p>\n

PS C:\\><\/p>\n

If I am not sure as to what time frame I am working with, I can look at the first and last events in my log:<\/p>\n

PS C:\\> $log | select -Last 1<\/p>\n

   ProviderName: Microsoft-Windows-TCPIP<\/p>\n

TimeCreated                     Id LevelDisplayName Message<\/p>\n

———–                     — —————- ——-<\/p>\n

10\/12\/2015 3:24:15 PM         1193 Information      TCP: endpoint\/connection 0xff…<\/p>\n

PS C:\\> $log | select -First 1<\/p>\n

   ProviderName: Microsoft-Windows-TCPIP<\/p>\n

TimeCreated                     Id LevelDisplayName Message<\/p>\n

———–                     — —————- ——-<\/p>\n

10\/12\/2015 3:22:06 PM         1300 Information      TCP: connection 0xffffe001cc3…<\/p>\n

So, it looks like only a couple minutes. To know for sure, I can create a new timespan that represents the amount of log time:<\/p>\n

PS C:\\> New-TimeSpan -end ($log | select -Last 1).timecreated -start ($log | select -first 1).Timecreated<\/p>\n

Days              : 0<\/p>\n

Hours             : 0<\/p>\n

Minutes           : 2<\/p>\n

Seconds           : 9<\/p>\n

Milliseconds      : 628<\/p>\n

Ticks             : 1296282580<\/p>\n

TotalDays         : 0.00150032706018519<\/p>\n

TotalHours        : 0.0360078494444444<\/p>\n

TotalMinutes      : 2.16047096666667<\/p>\n

TotalSeconds      : 129.628258<\/p>\n

TotalMilliseconds : 129628.258<\/p>\n

That is all there is to using Windows PowerShell to parse a network log. Join me tomorrow when I will talk about more cool stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to parse a network trace log. Microsoft Scripting Guy, Ed Wilson, is here. Today I want to talk a little bit about using Windows PowerShell to parse a network trace log. In yesterday’s blog post, Packet Sniffing with PowerShell: Getting Started, I talked using […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[37,609,3,45],"class_list":["post-72771","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-networking","tag-powershell-5","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to parse a network trace log. Microsoft Scripting Guy, Ed Wilson, is here. Today I want to talk a little bit about using Windows PowerShell to parse a network trace log. In yesterday’s blog post, Packet Sniffing with PowerShell: Getting Started, I talked using […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=72771"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72771\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=72771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=72771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=72771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}