Skip to content

Instantly share code, notes, and snippets.

@itsecworks

itsecworks/netmon_cpu_mem.ps1

Created July 5, 2023 11:44
Show Gist options
  • Save itsecworks/a8b9d49972dd08a5482fc38ecea7248b to your computer and use it in GitHub Desktop.
Save itsecworks/a8b9d49972dd08a5482fc38ecea7248b to your computer and use it in GitHub Desktop.
Download ZIP
VPN Client Monitoring - Collector Scripts
Raw
netmon_cpu_mem.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netstat command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "cpu_mem"
$counter = 0
[array]$ExportCache = $null
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
#run the command with parameters and save the output.
$cpuTime = ((Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples.CookedValue).ToString("#,0.00")
$totalMem = (((Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property capacity -Sum).Sum)/1048576).ToString()
$availMem = ((Get-Counter '\Memory\Available MBytes').CounterSamples.CookedValue).ToString()
$usageMem = (100 * $availMem / $totalMem).ToString("#,0.00")
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add("cpu",[long]$cpuTime)
$jsonBase.Add("totalmem",[long]$totalMem)
$jsonBase.Add("availmem",[long]$availMem)
$jsonBase.Add("usagemem",[long]$usageMem)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_dns.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from nslookup command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
$TestDomain = "www.bing.com"
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($TestDomain, $timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "dnsrtt"
$counter = 0
[array]$ExportCache = $null
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
$value = (Measure-Command {Resolve-DnsName $TestDomain -Type A}).Milliseconds | Out-String
$value = $value.Trim()
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add("dnsrtt",[long]$value)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($TestDomain, $timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_ipstats.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netstat command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "ipstats"
$Cmd = "netsh interface ipv4 show ipstats"
$counter = 0
[array]$ExportCache = $null
function Is-Numeric ($Value) {
return $Value -match "^(\d+|\.\d+|\d+\.\d+)$"
}
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
#run the command with parameters and save the output.
$Output = Invoke-Expression $Cmd
$p1 = "(?<measurement_name>.*):\s+(?<measurement_value>.*)"
Foreach ($item in $Output) {
$result = [regex]::Matches($item, $p1)
if ([bool]$result[0]) {
$name = ($result[0].Groups['measurement_name'].Value).replace(" ","_")
$value = ($result[0].Groups['measurement_value'].Value).replace(" ","_")
if (Is-Numeric $value) {
$value = [long]$value
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add($name,$value)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
}
}
}
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_netstat.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netstat command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "netstats"
$Cmd = "netstat"
$CmdParams = "-e" -split " "
$counter = 0
[array]$ExportCache = $null
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
#run the command with parameters and save the output.
$Output = & "$Cmd" $CmdParams
$p1 = "(?<measurement_name>.*)\s+(?<measurement_value_recv>\d+)\s+(?<measurement_value_sent>\d+)"
Foreach ($item in $Output) {
$result = [regex]::Matches($item, $p1)
if ([bool]$result[0]) {
$name = ($result[0].Groups['measurement_name'].Value).Trim().replace(" ","_")
$value_recv = ($result[0].Groups['measurement_value_recv'].Value).Trim().replace(" ","_")
$value_sent = ($result[0].Groups['measurement_value_sent'].Value).Trim().replace(" ","_")
$name_recv = $name + "_recv"
$name_sent = $name + "_sent"
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add($name_recv,[long]$value_recv)
$jsonBase.Add($name_sent,[long]$value_sent)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
}
}
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_psping.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netstat command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
# define the host to ping with icmp or to tcp syn if port is set with colon after the IP.
[array]$PingTable = $null
# 1. icmp Ping test to GP Gateway (dynamic object or dummy object)
# This tests the connection out the Prisma Gateway Firewalls to the Internet to the VPN gateway. Dont change it!
$PingTable += [PSCustomObject]@{ Name = "gp_gateway"; PingTarget = "66.66.66.66" }
# 2. icmp Ping test to local Gateway (dynamic object or dummy object)
# This tests the connection to the local gateway. Dont change it!
$PingTable += [PSCustomObject]@{ Name = "df_gateway"; PingTarget = "66.66.66.66" }
# 3. icmp Ping test to Google root DNS
# This tests the connection out the Prisma Gateway Firewalls to the Internet
$PingTable += [PSCustomObject]@{ Name = "google_root_dns"; PingTarget = "8.8.8.8" }
# 4. tcp Ping test to cnn.com tcp 443
# This tests the connection out the Prisma Gateway Firewalls to the Internet
$PingTable += [PSCustomObject]@{ Name = "cnn"; PingTarget = "151.101.195.5:443" }
# 5. tcp Ping test to internal server
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection
$PingTable += [PSCustomObject]@{ Name = "jira_server"; PingTarget = "10.0.2.227:443" }
# 6. tcp Ping test to Internal server 2
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection
$PingTable += [PSCustomObject]@{ Name = "confluence_server"; PingTarget = "10.0.16.130:443" }
# 7. icmp Ping test to intranet
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection
$PingTable += [PSCustomObject]@{ Name = "intranet"; PingTarget = "34.98.108.69" }
Foreach($Ping in $PingTable){
$ScriptBlock_Ping = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp, $Ping)
$CmdName = "psping"
$Cmd = "$binpath\psping.exe"
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " "
$counter = 0
[array]$ExportCache = $null
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
# fillup the gp_gateway dummy object with real IP of the VPN gateway
if ($Ping.Name -eq "gp_gateway") {
$Ping.PingTarget = $GPGatewayAddress
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " "
}
# fillup the df_gateway dummy object with real IP of the default gateway
elseif ($Ping.Name -eq "df_gateway") {
$Ping.PingTarget = (Get-NetRoute "0.0.0.0/0").NextHop -ne "0.0.0.0"
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " "
}
#run the psping command with parameters and save the output.
$Output = & "$Cmd" $CmdParams
# check if PingTarget contains port number and use tcp ping instead of icmp.
if ($CmdParams[4].Contains(':')) {
#named capture group
# pattern with ms value for tcp
$p1 = "Connecting to (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<DestinationPort>\d+): from (?<SourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<SourcePort>\d+): (?<ReplyTime>\d+\.\d+)ms"
# pattern without ms value for tcp
$p2 = "Connecting to (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<DestinationPort>\d+): from (?<SourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<SourcePort>\d+):"
$result = [regex]::Matches($Output, $p1)
if ([bool]$result[0]) {
$rtt = $result[0].Groups['ReplyTime'].Value
}
else {
$result = [regex]::Matches($Output, $p2)
$rtt = $DefaultTimeout
}
$DstIP = $result[0].Groups['DestinationIP'].Value
$DstPort = $result[0].Groups['DestinationPort'].Value
$SrcIP = $result[0].Groups['SourceIP'].Value
}
# If PingTarget does not contain port number use icmp.
else {
if ($Output[4].Contains('100% loss')) {
# pattern without ms value for icmp if all packets lost
$p1 = "Ping statistics for (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):"
$result = [regex]::Matches($Output, $p1)
$DstIP = $result[0].Groups['DestinationIP'].Value
$rtt = $DefaultTimeout
}
else {
# pattern with ms value for icmp
$p1 = "Reply from (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): (?<ReplyTime>\d+\.\d+)ms"
$result = [regex]::Matches($Output, $p1)
$DstIP = $result[0].Groups['DestinationIP'].Value
$rtt = $result[0].Groups['ReplyTime'].Value
}
}
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add("dstip",$DstIP)
$jsonBase.Add("dstname",$Ping.Name)
$jsonBase.Add("rtt",[long]$rtt)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
$JobName = $CmdName + "_" + $Ping.Name
Start-Job -Name $JobName -scriptblock $ScriptBlock_Ping -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp, $Ping)
}
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_tcpstats.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netstat command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"Retransmitted_Segments","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1373", #
# "timestamp":"2023-06-09 02:19:46","subtype":"tcpstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "tcpstats"
$Cmd = "netsh interface ipv4 show tcpstats"
$counter = 0
[array]$ExportCache = $null
function Is-Numeric ($Value) {
return $Value -match "^(\d+|\.\d+|\d+\.\d+)$"
}
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
#run the command with parameters and save the output.
$Output = Invoke-Expression $Cmd
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$p1 = "(?<measurement_name>.*):\s+(?<measurement_value>.*)"
Foreach ($item in $Output) {
$result = [regex]::Matches($item, $p1)
if ([bool]$result[0]) {
$name = ($result[0].Groups['measurement_name'].Value).replace(" ","_")
$value = ($result[0].Groups['measurement_value'].Value).replace(" ","_")
if (Is-Numeric $value) {
$value = [long]$value
$jsonBase.Add($name,$value)
}
}
}
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Raw
netmon_wifi.ps1
##############################################################################################################################################################
# #
# This Script collects measurements from netsh command #
# Syntax for output lines is json that devided by newline #
# Example: #
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", #
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} #
# #
##############################################################################################################################################################
#
# set the timeperiod in seconds between 2 measurements
$timeperiod = 30
# set the timeout if no reply comes
[string]$DefaultTimeout = "5000"
# set log lines to cache before trying to upload
[long]$CacheExportSize = 5
# psping binary folder
$binpath = "$home\Downloads\PSTools"
#create log folder if not exists for the logs
$logpath = "$binpath\log"
if(!(Test-Path -Path $logpath )){
New-Item -ItemType directory -Path $logpath
}
#set the shared folder from where logstash reads the data
$SharedFolder = $logpath + "\serverside"
# Get the current username with domain to synch with globalprotect logs
$CurrentDomain = $env:userdomain
$CurrentUser = $env:username
#date with hours written in the filename
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss")
$ScriptBlock = {
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
# command to execute
$CmdName = "wifisig"
$counter = 0
[array]$ExportCache = $null
while($true){
# Get the GlobalProtect allocated IP with ServiceName PanGpd:
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6.
if ([bool]$gp_ipaddrs.IPAddress) {
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0]
}
else {
[string]$GPIPv4Address = "0.0.0.0"
}
# Get the processid for PanGPS
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id
# Get the GlobalProtect Gateway IP from netstat with the processid:
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid)
Foreach ($item in $pangps_conns) {
$item = $item -replace '^\s+', ''
$item = $item -split '\s+'
$Proto = $item[0]
$LocalAddressPort = $item[1]
$ForeignAddressPort = $item[2]
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') {
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0]
}
}
if (![bool]$GPGatewayAddress) {
$GPGatewayAddress = "0.0.0.0"
}
#get date for timestamp
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss")
$value = (netsh wlan show interfaces) -Match '^\s+Signal' -Replace '^\s+Signal\s+:\s+','' -Replace '%','' | Out-String
$value = $value.Trim()
$jsonBase = @{}
$jsonBase.Add("timestamp",$TimeStamp)
$jsonBase.Add("currentdomain",$CurrentDomain)
$jsonBase.Add("currentuser",$CurrentUser)
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress)
$jsonBase.Add("gpipv4address",$GPIPv4Address)
$jsonBase.Add("subtype",$CmdName)
$jsonBase.Add("sig_level",[long]$value)
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8
$ExportCache += $jsonBase | ConvertTo-Json -Compress
$counter++
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8
if ($?){ [array]$ExportCache = $null }
}
sleep $timeperiod
}
}
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp)
while ((Get-Job).State -contains 'Running') {
Start-Sleep 60
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment