Fortigate PowerShell Packet Capture Script with Conversion
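# Fortigate packet capture over PuTTY, converted to pcap with fgt2eth.exe.
#
# Flow: write the sniffer command into a temporary PuTTY "-m" command file,
# start PuTTY with session logging and wait until the user closes it, then
# convert the session log (the raw sniffer output) into a pcap with fgt2eth.
#
# NOTE(review): the password is stored in this file and handed to PuTTY on the
# command line (-pw), where it is visible to other local users via the process
# list and to anything that logs command lines. Prefer key-based authentication,
# or prompt with Get-Credential / Read-Host -AsSecureString and pass it through
# PuTTY's -pwfile option where the installed PuTTY version supports it.
$putty_executable = "C:\Program Files (x86)\PuTTY\putty.exe"
# Download From: http://kb.fortinet.com/kb/viewContent.do?externalId=11186
$fgt2eth_executable = "c:\tools\fgt2eth.exe"
$CaptureInterface = "MyInterface1"
$CaptureFilter = "host 172.16.23.100 and not host 172.16.11.138"
$FortigateHost = "xxx.xxx.xxx"
$FortigateUser = "xxx"
$FortigatePassword = "xxx"
# Trailing "3 0 a": verbosity level, packet count (0 = no limit) and timestamp
# format as documented for "diagnose sniffer packet" — confirm against the
# FortiOS version in use.
$FortigateCommand = "diagnose sniffer packet $CaptureInterface '$CaptureFilter' 3 0 a"
Write-Host "Executing over Putty ""$FortigateCommand"""
# ------------------------- Debugging Variables --------------------------------
$KEEP_FORTIGATE_COMMAND_FILE = $true # Keeps the generated Fortigate command file for PuTTY
# NOTE: header stripping is not implemented in this script; fgt2eth receives the log exactly as PuTTY wrote it.
$REMOVE_PUTTY_LOG_HEADER = $true # Intended to remove the PuTTY log banner from the capture
$REMOVE_PUTTY_LOG_AFTER_PROCESSING = $true # Removes the PuTTY log after converting it with fgt2eth
$DISABLE_FGT2ETH_PROCESSING = $false # Disables the conversion from PuTTY log to pcap
# ---------------------- Constants ---------------------------------------------
$CaptureFolderName = "capture"
$CaptureDirectory = "$PSScriptRoot\$CaptureFolderName"
$CaptureFileNameTemplate = "$($FortigateHost)-$($CaptureInterface)-$(Get-Date -f MM-dd-yyyy_HH_mm_ss)"
$CaptureFile = "$($CaptureDirectory)\$($CaptureFileNameTemplate).log"
$CapturePcapFile = "$($CaptureDirectory)\$($CaptureFileNameTemplate).pcap"

# Ensure the capture folder exists.
if (-not (Test-Path -LiteralPath $CaptureDirectory)) {
    New-Item -ItemType Directory -Path $CaptureDirectory | Out-Null
}

# Create the command file for PuTTY (-m). It contains only the sniffer command, never credentials.
$PuttySSHCommandFile = "$PSScriptRoot\$([guid]::NewGuid())-$(Get-Date -f yyMMdd_HHmmss).ftgcmd"
$FortigateCommand | Set-Content -Encoding ASCII -Path $PuttySSHCommandFile -Force
if (-not (Test-Path -LiteralPath $PuttySSHCommandFile)) {
    Write-Error -Message "Could not find Generated Fortigate Putty Command file under $PuttySSHCommandFile" -ErrorAction Stop
}

# Run PuTTY and wait until the user closes it; the session log is the raw capture.
# Start-Process joins -ArgumentList with spaces and does not quote elements, so
# values that may contain spaces (paths under $PSScriptRoot, the password) are
# wrapped in embedded double quotes.
$cmd_args = @(
    "-ssh", "$($FortigateUser)@$($FortigateHost)",
    "-pw", "`"$($FortigatePassword)`"",
    "-sessionlog", "`"$($CaptureFile)`"",
    "-m", "`"$($PuttySSHCommandFile)`""
)
# -PassThru is needed to get a process object back; without it the assignment is $null.
$putty_process = Start-Process -Wait -PassThru -WorkingDirectory $PSScriptRoot -FilePath $putty_executable -ArgumentList $cmd_args
if ($putty_process.ExitCode -ne 0) {
    Write-Warning "PuTTY exited with code $($putty_process.ExitCode)"
}

# Remove the command file for PuTTY unless it is kept for debugging.
if ((Test-Path -LiteralPath $PuttySSHCommandFile) -and -not $KEEP_FORTIGATE_COMMAND_FILE) {
    Remove-Item -LiteralPath $PuttySSHCommandFile -Confirm:$false
}

if (-not (Test-Path -LiteralPath $CaptureFile)) {
    Write-Error -Message "Could not find the Captured file under $CaptureFile"
    return
}

# Only true once a pcap actually exists; guards the log removal below so a failed
# conversion never deletes the only copy of the capture.
$conversion_ok = $false
if (-not $DISABLE_FGT2ETH_PROCESSING) {
    # Convert the PuTTY log into a pcap file with fgt2eth.exe.
    $cmd_fgt2eth_args = @(
        "-in", "`"$($CaptureFile)`"",
        "-out", "`"$($CapturePcapFile)`"",
        "-system", "windows"
    )
    $fgt2eth_process = Start-Process -Wait -PassThru -WorkingDirectory $PSScriptRoot -FilePath $fgt2eth_executable -ArgumentList $cmd_fgt2eth_args
    if ($fgt2eth_process.ExitCode -ne 0) {
        # fgt2eth's exit-code convention is not documented here, so this is a warning only;
        # success is judged by the presence of the output file.
        Write-Warning "fgt2eth exited with code $($fgt2eth_process.ExitCode)"
    }
    $conversion_ok = Test-Path -LiteralPath $CapturePcapFile
    if (-not $conversion_ok) {
        Write-Warning "No pcap was produced at $CapturePcapFile; keeping $CaptureFile"
    }
}

# Delete the PuTTY log only when conversion was skipped on purpose or produced a pcap.
if ($REMOVE_PUTTY_LOG_AFTER_PROCESSING -and ($DISABLE_FGT2ETH_PROCESSING -or $conversion_ok)) {
    Remove-Item -LiteralPath $CaptureFile -Confirm:$false
}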