Fortigate Powershell Packet Capture Script with Conversion
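# Capture packets on a Fortigate via "diagnose sniffer packet" over an
# interactive PuTTY session and convert the session log into a pcap file.
#
# Flow:
#   1. write the sniffer command to a temporary PuTTY "-m" command file
#   2. start PuTTY with "-sessionlog" pointed at <capture>\<host>-<if>-<ts>.log
#      and wait until the operator closes the window
#   3. run fgt2eth.exe over the log to produce the matching .pcap
#
# Security notes:
#   - $FortigatePassword is kept in clear text in this file and handed to
#     PuTTY with "-pw", which makes it visible in process listings for the
#     whole session. Leave it empty to omit "-pw" and authenticate with a
#     key instead (PuTTY "-i <keyfile>" or Pageant).
#   - The .log and .pcap files contain raw traffic; keep the capture
#     directory access-restricted.

$putty_executable = "C:\Program Files (x86)\PuTTY\putty.exe"
# Download From: http://kb.fortinet.com/kb/viewContent.do?externalId=11186
$fgt2eth_executable = "c:\tools\fgt2eth.exe"

$CaptureInterface = "MyInterface1"
$CaptureFilter = "host 172.16.23.100 and not host 172.16.11.138"
$FortigateHost = "xxx.xxx.xxx"
$FortigateUser = "xxx"
# Empty string => no "-pw" argument is passed (key / agent authentication).
$FortigatePassword = "xxx"

# 3 = verbose level (headers + payload), 0 = no packet count limit,
# a = absolute UTC timestamps, as expected by fgt2eth.
$FortigateCommand = "diagnose sniffer packet $CaptureInterface '$CaptureFilter' 3 0 a"
Write-Host "Executing over Putty ""$FortigateCommand"""

# ------------------------- Debugging Variables --------------------------------
$KEEP_FORTIGATE_COMMAND_FILE = $true            # Keep the generated PuTTY command file
$REMOVE_PUTTY_LOG_HEADER = $true                # NOTE(review): not referenced anywhere in this script
$REMOVE_PUTTY_LOG_AFTER_PROCESSING = $true      # Delete the PuTTY log once a pcap exists
$DISABLE_FGT2ETH_PROCESSING = $false            # Skip the PuTTY log -> pcap conversion

# ---------------------- Constants ---------------------------------------------
$CaptureFolderName = "capture"
$CaptureDirectory = "$PSScriptRoot\$CaptureFolderName"
$CaptureFileNameTemplate = "$($FortigateHost)-$($CaptureInterface)-$(Get-Date -f MM-dd-yyyy_HH_mm_ss)"
$CaptureFile = "$($CaptureDirectory)\$($CaptureFileNameTemplate).log"
$CapturePcapFile = "$($CaptureDirectory)\$($CaptureFileNameTemplate).pcap"

# Fail early if a required executable is missing instead of failing half-way
# through (after the command file has already been written).
if (-not (Test-Path -Path $putty_executable)) {
    Write-Error -Message "PuTTY executable not found under $putty_executable" -ErrorAction Stop
}
if (-not $DISABLE_FGT2ETH_PROCESSING -and -not (Test-Path -Path $fgt2eth_executable)) {
    Write-Error -Message "fgt2eth executable not found under $fgt2eth_executable" -ErrorAction Stop
}

# Ensure Capture Folder Exists
if (-not (Test-Path -Path $CaptureDirectory)) {
    New-Item -ItemType Directory -Path $CaptureDirectory | Out-Null
}

# Create Command File for Putty (random name so concurrent runs do not collide)
$PuttySSHCommandFile = "$PSScriptRoot\$([guid]::NewGuid())-$(Get-Date -f yyMMdd_HHmmss).ftgcmd"
$FortigateCommand | Set-Content -Encoding ASCII -Path $PuttySSHCommandFile -Force
if (-not (Test-Path -Path $PuttySSHCommandFile)) {
    Write-Error -Message "Could not find Generated Fortigate Putty Command file under $PuttySSHCommandFile" -ErrorAction Stop
}

# Build the PuTTY command line. Start-Process joins -ArgumentList with spaces
# and does not quote, so file paths are wrapped in quotes explicitly in case
# $PSScriptRoot contains spaces.
$cmd_args = @("-ssh", "$($FortigateUser)@$($FortigateHost)")
if (-not [string]::IsNullOrEmpty($FortigatePassword)) {
    $cmd_args += @("-pw", "$($FortigatePassword)")
}
$cmd_args += @(
    "-sessionlog", "`"$($CaptureFile)`"",
    "-m", "`"$($PuttySSHCommandFile)`""
)

# Run Putty as Process and wait until the operator closes it.
try {
    $putty_process = Start-Process -Wait -PassThru -WorkingDirectory $PSScriptRoot -FilePath $putty_executable -ArgumentList $cmd_args
    if ($putty_process.ExitCode -ne 0) {
        Write-Warning "PuTTY exited with code $($putty_process.ExitCode)"
    }
}
finally {
    # Remove Command File for Putty after processing, also when PuTTY failed to start.
    if ((Test-Path -Path $PuttySSHCommandFile) -and -not $KEEP_FORTIGATE_COMMAND_FILE) {
        Remove-Item $PuttySSHCommandFile -Confirm:$false
    }
}

if (-not (Test-Path -Path $CaptureFile)) {
    Write-Error -Message "Could not find the Captured file under $CaptureFile"
    return
}

# Convert the Putty Log into a pcap file with fgt2eth.exe
$converted = $false
if (-not $DISABLE_FGT2ETH_PROCESSING) {
    $cmd_fgt2eth_args = @(
        "-in", "`"$($CaptureFile)`"",
        "-out", "`"$($CapturePcapFile)`"",
        "-system", "windows"
    )
    $fgt2eth_process = Start-Process -Wait -PassThru -WorkingDirectory $PSScriptRoot -FilePath $fgt2eth_executable -ArgumentList $cmd_fgt2eth_args
    # Treat the conversion as successful only if fgt2eth returned 0 AND the
    # pcap actually exists; anything else keeps the raw log for a manual retry.
    if ($fgt2eth_process.ExitCode -eq 0 -and (Test-Path -Path $CapturePcapFile)) {
        $converted = $true
    }
    else {
        Write-Warning "fgt2eth conversion failed (exit code $($fgt2eth_process.ExitCode)); keeping $CaptureFile"
    }
}

# Only discard the PuTTY log once a pcap exists - deleting it without a
# successful conversion would destroy the only copy of the capture.
if ($REMOVE_PUTTY_LOG_AFTER_PROCESSING -and $converted) {
    Remove-Item $CaptureFile -Confirm:$false
}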