Is it possible to doa layer 2 Packet Capture in Powershell - powershell

Is it possible to capture Layer 2 traffic using powershell? I've seen methods that use sockets, but they only seem to capture traffic on Layer 3 and higher. I want to look at Ethernet frames; but I'm not sure if it can be done in powershell. Is it possible to do this without installing any extra software/drivers on a system (maybe using a dll or something)?

If you just need portable without being silent you could use the portable Wireshark to "temporarily install" the needed drivers then use Wireshark's command line switches to script it with powershell.
One other option is if WinPcap is already installed (you could script the install and uninstall in your powershell file) you could use a wrapper library like Pcap.Net which would allow you to communicate directly to the driver via your script without going through Wireshark.

Related

Debugging Azure IoT Edge modules using Visual Studio Code

I can't get local debug of IoT Edge modules working on VS Code, but part of the problem could be that I don't understand what I'm doing in the steps.
I'm following the Microsoft guide here. Can anyone explain to me when I run the command "Azure IoT Edge: Start IoT Edge Hub Simulator for Single Module" in VS Code, why do I need to pass an "input name"? Why doesn the simulator need to know this. I've got multiple input commands on my edge module and the fact I need to pass it is making me question what the simulator actually does. I want to be able to debug multiple inputs.
Also on the same documentation, I can't see how it defines which module I want to run in the simulator. Am I missing something or is the process confusing?
When you Start the IoT Edge Hub Simulator for a Single Module, you spawn two Docker containers. One is the edgeHub and the other is a testing utility. The testing utility acts as a server that you can send HTTP requests to, the requests specify the input name and the data. You can use this to send messages to various inputs on your module. Just looking at that, I understand why it is confusing to supply the input name to the simulator. But when you inspect the edgeHub container, you'll see the following environment values being passed:
"routes__output=FROM /messages/modules/target/outputs/* INTO BrokeredEndpoint(\"/modules/input/inputs/print\")",
"routes__r1=FROM /messages/modules/input/outputs/input2 INTO BrokeredEndpoint(\"/modules/target/inputs/input2\")",
"routes__r2=FROM /messages/modules/input/outputs/foo INTO BrokeredEndpoint(\"/modules/target/inputs/foo\")",
"routes__r3=FROM /messages/modules/input/outputs/input1 INTO BrokeredEndpoint(\"/modules/target/inputs/input1\")"
Just like on a real device, you need routes to talk to your module. The edgeHub container registers these routes with the values you supplied during the starting of the simulator. That input can be a comma-separated list. So if you are using more inputs, feel free to supply them when you start the simulator. Under the covers, that command runs:
iotedgehubdev start -i "input1,input2,foo"
Note: when I was testing this with the latest VS Code Extension, the first time I ran it, the textbox contained: "input1,input2".

Nagios - installing custom plugin on Windows 7 that executes and sends back data to the server

I have setup Nagios 4 core on ubuntu machine and I have installed NSClient++ on windows 7 machine. For the out-of-box monitoring like CPU, memory , etc. everything works.
I also have written an EXE in .Net that gathers some metrics on the windows machine and the hope is that NSClient on the windows machine would execute this EXE and marshal these output back to the server. The problem is that I don't know how to install the plug in. Do you install it on the server? On the client? Both? If so where? Needless to say that ubuntu (where the nagios server is) shouldn't try to execute the .net EXE.
When I look at the configuration files on the server, I see that the nagios server uses Check_NT for communicating with the NSclient. We have a syntax like Check_nt!blah. Will I need to use the same syntax when executing my .Net EXE which is not part of the core?
I hardly found any detailed documentation as how to install a windows plugin and have the server and client talk to each other. So either it is extremely easy or extremely complicated. I also looked at some YouTube videos ...there is nothing there for the problem that I"m facing.
Any help is appreciated. Thanks all!
You'll want to define it as an NRPE check on your monitor, then define the check using the same name # NSClient++ on Windows. The NSClient++ configuration has a section for NRPE handlers, just for this (source: op5 kb):
[NRPE Handlers]
The nrpe handlers provide a way to execute any custom plugin/check command on the monitored Windows server. In this section you configure all the commands that should be available.
Adding a custom NRPE command to NSClient++ follow this syntax:
command[my_custom]=c:\mycustomdir\my_prog.exe
To test the check from your monitoring system you can use NRPE from the CLI to call my_custom:
./check_nrpe -H 10.0.0.1 -c my_custom
And then define the service in your Nagios config like so:
define service{
use generic-service
host_name windowshost
service_description CPU Load
check_command check_nrpe!my_custom
}
You may need to do some extra work to format the output correctly. In BASH, exit 1 and exit 0 are commonly used to indicate state, IE: OK/Critical (source), and you may find it easier to augment your EXE's output with some simple scripting like that.

Perl Module vs External Command

I'm inheriting a file transfer environment with a collection of scripts written in Perl running on Linux. In a nutshell, these scripts just transfer files between sites using SFTP and SMB/CIFS protocols.
I've noticed that the scripts use Net::SFTP::Foreign for the SFTP connection handling.
Are there any advantages to using Perl modules to accomplish connections and transfers as opposed to just calling an external commands like lftp or smbclient?
You usually get better error detection and reporting using a module. I can't think of any good reason to change already working code to use an external command instead.

Connect to JMX using PowerShell

I am not a developer so please keep that in mind when reading the following message:
I need to be able to use Windows PowerShell to connect to a JMX RMI agent on a host, is this even possible ?
The example string from the java client I have been given is as below:
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:7979/jmxrmi");
The reason for this is that I am doing other work in my PowerShell script and would like to keep it all in one place.
Thanks !
This is an unusual mix of two technologies, but it is possible.
On the off-chance that you are attempting to connect to a JBoss server, the quickest way may be for you to call twiddle, a command tool that will dispatch JMX requests to the target JBoss server and return the results to standard out.
Another way is to implement the Jolokia agent on the target servers. This will allow you to issue JMX requests using REST. Responses will also be returned in REST format which you can process in PowerShell using one of these solutions.
Thirdly, you can also deploy the JMX-WS service on your target servers which will allow you to communicate with the JMX server using web-services. This document provides some VBScript examples of this.
None of the above actually uses the JMXServiceURL syntax you outlined, and I cannot think of a way you could actually cleanly integrate this RMI based protocol into PowerShell, but hopefully one of the above will work for you.
========== UPDATE ==========
There may be a way to use the RMI implementation. Take a look at IKVM. It is a Java Byte Code to .NET compiler. I have successfully compiled JMX/RMI java code into a .Net assembly and used it from C#. I think PowerShell will do the same thing.

How to improve workflow for creating a Lua-based Wireshark dissector

I've finally created a Dissector for my UDP protocol in Lua for Wireshark, but the work flow is just horrendous. It consists of editing my custom Lua file in my editor, then double-clicking my example capture file to launch Wireshark to see the changes. If there was an error, Wireshark informs me via dialogs or a red line in the Tree analysis sub-pane. I then re-edit my custom Lua file and then close that Wireshark instance, then double-click my example capture file again. It's like compiling a C file and only seeing one compiler error at a time.
Is there a better (faster) way of looking at my changes, without having to restart Wireshark all the time?
At the time, I was using Wireshark 1.2.9 for Windows with Lua enabled.
The best way to automate this is by using command line. Yep, use tshark instead of loading gui thingy.
If your lua script is called "proto.lua" and it defines an protocol called "MyProto" that uses port 8888, you can test your dissector using:
tshark -X lua_script:proto.lua -O MyProto -V -f "port 8888"
-V option makes tshark print all the info of all protocols.
-O option filters the -V option to make it show all the info only on the listed(CSV) protocols.
-f option filters all packets that doesn't conform to the rule. In this case any packet that is not from the right port.
The latest Wireshark release comes with a primitive console for running lua script. It can be found under Tools -> Lua -> Evaluate. From there, you should be able to reload your dissector by running dofile(). You'll also have to remove the previous version of your dissector.
Here's an example for a TCP-based dissector.
local tcp_dissector_table = DissectorTable.get("tcp.port")
tcp_dissector_table:remove(pattern, yourdissector)
yourdissector = nil
dofile("c:/path/to/dissector.lua")
I recommend placing this code in a function inside your file.
Now there's a problem with this answer: If your script created a Proto object, it seems that you can't create it again with the same id. The constructor for the Proto class calls the C function proto_register_protocol() (see epan/wslua/wslua_proto.c). I can't find any lua function that will unregister the protocol. In fact, I can't even find a C function to unregister it.
You might be able to write a trivial wrapper function that Wireshark loads, and have it just load the real file from disk (e.g. via dofile()). This could probably "trick" Wireshark into always reloading your Lua code until you're more comfortable with it and can remove this hack.
I've been facing the same problem for quite a while, so I have decided to create a tool that would help me streamline that "horrendous workflow". The tool in question is Wirebait. It is designed to let you run your Lua dissectors as you write them without Wireshark.
It is very quick and easy to install and use. All you have to do is load the Wirebait module and add a five liner snippet on top of your dissector script. Then if you use an IDE such as ZeroBrane Studio, Wirebait allows you to literally write and debug your code on the fly, no need for wireshark. If you don't even have a pcap file, you can use a hexadecimal string representing the data you want to dissect.