Sets up a Wireshark capture that writes to a file, using tshark and a Windows service that can be started and stopped.
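# Installs tshark (via Chocolatey) and registers a Windows service that runs it
# through srvany.exe, so a packet capture can be started and stopped with the
# normal service controls. Run from an elevated PowerShell session; needs
# internet access for the Chocolatey bootstrap and package downloads.
$svcName = "WiresharkPCAPTrace"
# NOTE(review): C:\ProgramData is normally readable by every local user, and the
# capture contains raw traffic. Consider a directory with a restrictive ACL.
$outFile = "C:\ProgramData\WiresharkPCAPTrace.pcapng"
$devKitPath = "C:\Program Files (x86)\Windows Resource Kits\Tools"
$minFreeSpaceGB = 10.0

# Recreate the service from scratch if an earlier run left one behind. Stop it
# first: Win32_Service.Delete() on a running service only marks it for deletion,
# and instsrv.exe below would then fail to create a service with the same name.
if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
    Write-Host "The pcap service has already been added to this system. Proceeding with removal and recreation"
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    $service = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    $deleteRc = $service.Delete().ReturnValue
    if ($deleteRc -ne 0) {
        Throw "Failed to delete existing service $svcName (Win32_Service.Delete returned $deleteRc)"
    }
}

# Sanity check at install time only: -w writes a single unbounded file, so a long
# capture can still fill the drive. A tshark ring buffer (-b filesize:/-b files:)
# would bound disk usage if that matters in the deployment.
$fspace = Get-WmiObject -Class Win32_LogicalDisk |
    Where-Object { $_.DeviceID -eq "C:" } |
    Select-Object @{Name = "FreeSpaceGB"; Expression = { [math]::Round($_.FreeSpace / 1GB, 2) }}
if (-not $fspace -or $fspace.FreeSpaceGB -lt $minFreeSpaceGB) {
    Throw "Not enough free space on the drive to successfully capture. Require at least 10gb of space on the C drive."
}

# The original passed "-ev SilentlyContinue" (ErrorVariable, not ErrorAction), so an
# unset ChocolateyInstall produced a binding error instead of a clean test. Check
# the empty case explicitly and silence the path test properly.
if ([string]::IsNullOrEmpty($env:ChocolateyInstall) -or
    -not (Test-Path -Path $env:ChocolateyInstall -ErrorAction SilentlyContinue)) {
    Write-Host "Chocolatey not installed, installing ... " -NoNewLine
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # 3072 = Tls12; OR it in so the download is not attempted over older protocols.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    # Supply-chain exposure: this executes whatever chocolatey.org serves, with no
    # integrity check beyond TLS. Saving install.ps1 to disk and verifying its
    # signature/hash before running it would remove that dependency on the host.
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    Write-Host "Done."
}

# rktools.2003 supplies instsrv.exe/srvany.exe under $devKitPath; nmap is
# presumably pulled in for its capture driver -- verify against the package notes.
choco install wireshark nmap rktools.2003 -y
$env:Path += ";$devKitPath"
$env:Path += ";C:\Program Files\Wireshark"
refreshenv
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk" -ErrorAction SilentlyContinue

# Capture on the enabled adapter with the lowest interface index.
$netAdapterGUID = Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.NetEnabled -eq $true } |
    Sort-Object -Property Index |
    Select-Object -First 1 -ExpandProperty GUID
if (-not $netAdapterGUID) {
    Throw "No enabled network adapter found, cannot choose a capture interface."
}

# Locate tshark.exe under either Program Files tree. -First 1 keeps the result a
# single string even if more than one copy is installed. (The original used a
# Unicode en dash before "Path", which is the hidden character GitHub warns about;
# PowerShell tolerates it, but a plain hyphen is used here.)
$tsharkDir = $null
foreach ($root in @("C:\Program Files\", "C:\Program Files (x86)\")) {
    $tsharkDir = Get-ChildItem -Path $root -Include tshark.exe -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty DirectoryName
    if ($tsharkDir) { break }
}
if (-not $tsharkDir) { Throw "Cannot find directory for tshark, FATAL FAILURE!" }

# -t ad: absolute timestamps with date, -p: no promiscuous mode, -n: no name
# resolution. Both paths are quoted because the install directories contain spaces.
$tsharkExe = "`"$tsharkDir\tshark.exe`" -i `"\Device\NPF_$netAdapterGUID`" -t ad -p -n -w `"$outFile`""

# Register srvany.exe as the service binary; it runs the command stored under
# Parameters\Application. Confirm the service exists before touching its key.
& "$devKitPath\instsrv.exe" $svcName "$devKitPath\srvany.exe"
if (-not (Get-Service -Name $svcName -ErrorAction SilentlyContinue)) {
    Throw "instsrv.exe did not create service $svcName"
}

$svcKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$svcKey = Get-Item -Path $svcKeyPath
# Set bit 0x100 (SERVICE_INTERACTIVE_PROCESS) on Type, from
# http://www.codeproject.com/KB/install/cswindowsservicedesktop.aspx
# NOTE(review): a headless tshark does not need desktop interaction, so this flag
# is likely unnecessary on current Windows versions -- confirm before keeping it.
$newType = $svcKey.GetValue('Type') -bor 0x100
Set-ItemProperty -Path $svcKey.PSPath -Name Type -Value $newType
New-Item -Path "$svcKeyPath\parameters" -Force | Out-Null
New-ItemProperty -Path "$svcKeyPath\parameters" -Name "application" -Value $tsharkExe -PropertyType String -Force | Out-Null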