Invoke-PSDump is essentially a PowerShell wrapper for WinDump.
WinDump, derived from tcpdump (for Linux), is a command-line packet capture and analysis tool. WinDump and tcpdump have been around for a long time and are commonplace in security analysts' toolkits. However, these tools require a deeper understanding of BPF filters, byte offsets, bit masking, and binary arithmetic to unleash their full power. Invoke-PSDump seeks to deliver the same power with a few added benefits:
- Extraordinarily easy syntax
- Elimination of byte offsets, hexadecimal and bit masking
- Searchable text patterns
- Lightning fast processing
Here's an example scenario. You want to search through a packet capture looking for packets that have the "Don't Fragment" bit set. WinDump can achieve this with:
- .\WinDump.exe -r C:\Tools\PSDump\Captures\SkypeIRC.cap -nt "(ip) and (ip[6]=64)"
The same can be achieved, with additional text searching, with Invoke-WinDump:
- .\Invoke-WinDump -File $skypeIRCPCAP -DF $true -Pattern "freenode.net"
Invoke-PSDump is still considered proof-of-concept code that was originally created during graduate research conducted with the SANS Technology Institute. My whitepaper can be found here: https://www.sans.org/reading-room/whitepapers/intrusion/leverage-powershell-create-user-friendly-version-windump-36642
I've been asked about the code several times, and wanted to (finally) take advantage of GitHub to share the code.
- Download/clone the project. Navigate to the primary project directory, i.e., C:\Tools\invoke-psdump-master\Invoke-PSDump
- Install WinPcap
- Make sure you download and put a copy of "WinDump.exe" in the "Invoke-PSDump\Tools" directory
- Execute "PSDump.ps1" :)
- .\Invoke-WinDump -File .\Captures\SkypeIRC.cap -DF $true -Pattern "freenode.net"
- .\Invoke-WinDump -File .\Captures\teardrop.cap -MF $true
- .\Invoke-WinDump -File .\Captures\nb6-startup.pcap -TCPFlags "SYN"
- .\Invoke-WinDump -Files $files -TCPFlags "ACK,PUSH"
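To show what the wrapper has to do to hide the byte offsets behind switches like -DF, -MF and -TCPFlags (the "Don't Fragment" example above and the usage examples just listed), here is an added PowerShell example; it is not Invoke-PSDump's own code, and the WinDump path, the -A flag and the ConvertTo-BpfFilter / Invoke-FilteredDump function names are assumptions for illustration.

```powershell
# Added example (not the project's own code): translate the friendly switches
# (-DF, -MF, -TCPFlags) into the BPF byte-offset filters WinDump understands.
# Offsets and masks come from the IPv4 and TCP header layouts (RFC 791, RFC 793):
#   ip[6]   = IP flags + high byte of fragment offset; DF = 0x40, MF = 0x20
#   tcp[13] = TCP flags byte; FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20
$TcpFlagBits = @{ FIN = 0x01; SYN = 0x02; RST = 0x04; PSH = 0x08; PUSH = 0x08; ACK = 0x10; URG = 0x20 }

function ConvertTo-BpfFilter {
    param(
        [bool]$DF,
        [bool]$MF,
        [string]$TCPFlags      # comma-separated, e.g. "ACK,PUSH"; every listed flag must be set
    )
    $terms = @()
    # The masked test is the general form; the README's ip[6]=64 is the special case
    # where DF is set and the fragment-offset bits in the same byte are all zero.
    if ($DF) { $terms += '(ip[6] & 0x40 != 0)' }
    if ($MF) { $terms += '(ip[6] & 0x20 != 0)' }
    if ($TCPFlags) {
        $mask = 0
        foreach ($name in $TCPFlags.Split(',')) {
            $key = $name.Trim().ToUpper()
            if (-not $TcpFlagBits.ContainsKey($key)) { throw "Unknown TCP flag: $name" }
            $mask = $mask -bor $TcpFlagBits[$key]
        }
        # tcp[13] & mask = mask  =>  all requested flags set, other flags don't care
        $terms += ('(tcp[13] & 0x{0:x2} = 0x{0:x2})' -f $mask)
    }
    if ($terms.Count -eq 0) { return 'ip' }
    return ($terms -join ' and ')
}

# Run WinDump with the generated filter; -Pattern is applied afterwards with
# Select-String over the decoded output, which is where the text search happens.
function Invoke-FilteredDump {
    param([string]$File, [bool]$DF, [bool]$MF, [string]$TCPFlags, [string]$Pattern,
          [string]$WinDump = '.\Tools\WinDump.exe')   # assumed path, following the README layout
    $bpf = ConvertTo-BpfFilter -DF $DF -MF $MF -TCPFlags $TCPFlags
    # -A (assumed to be supported by the WinDump build) prints payload as ASCII so
    # hostnames and IRC text in the SkypeIRC capture are searchable.
    $out = & $WinDump -r $File -nt -A $bpf 2>&1
    if ($Pattern) { $out = $out | Select-String -SimpleMatch $Pattern }
    return $out
}

# The README's two example cases, as filter strings only (no WinDump needed to see them)
ConvertTo-BpfFilter -DF $true
ConvertTo-BpfFilter -TCPFlags 'ACK,PUSH'
```

Invoke-FilteredDump -File .\Captures\SkypeIRC.cap -DF $true -Pattern "freenode.net" then reproduces the README's first example end to end, provided WinDump.exe and WinPcap are installed as described in the setup steps.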