Get-Packet Cmdlet

Parameters   Output Objects   Config Settings  

The Get-Packet component is used to listen to network traffic.

Syntax

Get-Packet [parameters]

Remarks

The get-packet cmdlet will bind to a specific local host address and listen for network traffic received by the interface. The interface must support promiscuous mode (this may not work in many wireless cards because of security considerations). This is not supported on operating systems released prior to Windows 2000.

NOTE: If your computer connects to a switch, the switch will only forward packets addressed to your computer. If your computer is on a hub, then you will receive everything.

The use of this cmdlet requires administrative permissions.

The cmdlet can be used without additional parameters, or you can set LocalIP to the IP address whose traffic you wish to monitor (if it is not the default), and set Time to the number of seconds you wish to monitor traffic. For each packet that crosses the interface, the cmdlet will return a Packet object.

The cmdlets support pipeline input for some of their parameters. Prebuilding an object and piping it to the cmdlet is very useful, but should be used with caution to prevent security conflicts. Steps have been taken to decrease the risk of a possibly accidental pipe to the cmdlet, for instance, the Credential parameter cannot be piped to the cmdlet and must be specified manually.

# listen for one hour get-packet -time 3600 # listen on a specific interface get-packet -localip $ipaddr

Parameter List


The following is the full list of the parameters of the cmdlet with short descriptions. Click on the links for further details.

LogFileThe location of a file to which debug information is written.
ConfigSpecifies one or more configuration settings.
LocalIPThe local interface specified by its IP address.
LogFileThe location of a file to which debug information is written.
ProtocolThe protocol name to use as a filter.
TimeThe duration of the bind.

Output Objects


The following is the full list of the output objects returned by the cmdlet with short descriptions. Click on the links for further details.

PacketThis object contains details about a packet received while the component was sniffing.

Config Settings


The following is a list of config settings for the cmdlet with short descriptions. Click on the links for further details.

ListInterfaceLists the interfaces visible to the WinPCap or NPCap driver.
ReceiveAllModeEnables a socket to receive all IPv4 or IPv6 packets on the network.
SelectedInterfaceUsed to select the interface the WinPCap or NPCap driver will listen on.
UseWinPCapWhether to use the WinPCap or NPCap driver.
AbsoluteTimeoutDetermines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallDataUsed to send extra data to the firewall.
InBufferSizeThe size in bytes of the incoming queue of the socket.
OutBufferSizeThe size in bytes of the outgoing queue of the socket.
BuildInfoInformation about the product's build.
CodePageThe system code page used for Unicode to Multibyte translations.
LicenseInfoInformation about the current license.
MaskSensitiveWhether sensitive data is masked in log messages.
UseInternalSecurityAPITells the component whether or not to use the system security libraries or an internal implementation.

LogFile Parameter (Get-Packet Cmdlet)

The location of a file to which debug information is written.

Syntax

Get-Packet -LogFile string

Remarks

When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.

Default Value

null

Config Property (Get-Packet Cmdlet)

Specifies one or more configuration settings.

Syntax

Get-Packet -Config string[]

Remarks

The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"

Default Value

null

LocalIP Property (Get-Packet Cmdlet)

The local interface specified by its IP address.

Syntax

Get-Packet -LocalIP string

Remarks

The local IP address for the cmdlet to which to bind and begin sniffing packets. Packets will be sniffed for the duration specified in Time.

Default Value

""

LogFile Property (Get-Packet Cmdlet)

The location of a file to which debug information is written.

Syntax

Get-Packet -LogFile string

Remarks

When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.

Default Value

""

Protocol Property (Get-Packet Cmdlet)

The protocol name to use as a filter.

Syntax

Get-Packet -Protocol string

Remarks

Protocol may be used to filter the sniffed packets for a specific IP protocol. A partial list of protocols is included in the table below. If Protocol is not specified, all network traffic will be monitored.

  • ICMP
  • IGMP
  • IP
  • TCP
  • UDP

Default Value

""

Time Property (Get-Packet Cmdlet)

The duration of the bind.

Syntax

Get-Packet -Time int

Remarks

The duration (in seconds) for which you wish the cmdlet to sniff packets. If set to 0 (default), the cmdlet will sniff packets indefinitely.

Default Value

0

Parameter Position

0

Packet Output Object (Get-Packet Cmdlet)

This object contains details about a packet received while the component was sniffing.

Syntax

Object Packet {
   string Destination;
   string Source;
   string Protocol;
   int DestinationPort;
   int SourcePort;
   string Payload;
}

Remarks

When the cmdlet is active and listening for network traffic, each packet received and sent across the interface in LocalIP will be stored in a Packet object. This object contains information about the packet sniffed.

Config Settings (Get-Packet Cmdlet)

The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.

IPMonitor Config Settings

ListInterface:   Lists the interfaces visible to the WinPCap or NPCap driver.

This configuration setting returns a numbered list of interfaces visible to the WinPCap or NPCap driver on the system.

ReceiveAllMode:   Enables a socket to receive all IPv4 or IPv6 packets on the network.

The following modes are available:

ValueDescription
0Do not receive all network traffic.
1 (default)Receive all network traffic. This enables the promiscuous mode on the network interface card (NIC). On a LAN segment with a network hub, the NIC that supports promiscuous mode will capture all IPv4 or IPv6 traffic on the LAN, including traffic between other computers on the same LAN segment.
2Receive only socket-level network traffic (this feature may not be implemented by your Windows installation).
3Receive only IP-level network traffic. This option does not enable promiscuous mode on the NIC. This option affects only packet processing at the IP level. The NIC still receives only packets directed to its configured unicast and multicast addresses. A socket with this option enabled, however, will receive not only packets directed to specific IP addresses, but also all of the IPv4 or IPv6 packets that the NIC receives.
ReceiveAllMode captures only IPv4 and IPv6 packets. It will not capture other packets (e.g., ARP, IPX, NetBEUI packets) on the interface.
SelectedInterface:   Used to select the interface the WinPCap or NPCap driver will listen on.

Set this configuration setting to the index of the interface the WinPCap or NPCap driver will listen on. Indices can be returned by querying ListInterface.

UseWinPCap:   Whether to use the WinPCap or NPCap driver.

When set to True, the cmdlet will use the WinPCap or NPCap driver available on the system. The default is False.

Socket Config Settings

AbsoluteTimeout:   Determines whether timeouts are inactivity timeouts or absolute timeouts.

If AbsoluteTimeout is set to True, any method which does not complete within Timeout seconds will be aborted. By default, AbsoluteTimeout is False, and the timeout is an inactivity timeout.

Note: This option is not valid for UDP ports.

FirewallData:   Used to send extra data to the firewall.

When the firewall is a tunneling proxy, use this property to send custom (additional) headers to the firewall (e.g. headers for custom authentication schemes).

InBufferSize:   The size in bytes of the incoming queue of the socket.

This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be receiving. Increasing the value of the InBufferSize setting can provide significant improvements in performance in some cases.

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the cmdlet is activated the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

OutBufferSize:   The size in bytes of the outgoing queue of the socket.

This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be sending. Increasing the value of the OutBufferSize setting can provide significant improvements in performance in some cases.

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the cmdlet is activated the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

Base Config Settings

BuildInfo:   Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

CodePage:   The system code page used for Unicode to Multibyte translations.

The default code page is Unicode UTF-8 (65001).

The following is a list of valid code page identifiers:

IdentifierName
037IBM EBCDIC - U.S./Canada
437OEM - United States
500IBM EBCDIC - International
708Arabic - ASMO 708
709Arabic - ASMO 449+, BCON V4
710Arabic - Transparent Arabic
720Arabic - Transparent ASMO
737OEM - Greek (formerly 437G)
775OEM - Baltic
850OEM - Multilingual Latin I
852OEM - Latin II
855OEM - Cyrillic (primarily Russian)
857OEM - Turkish
858OEM - Multilingual Latin I + Euro symbol
860OEM - Portuguese
861OEM - Icelandic
862OEM - Hebrew
863OEM - Canadian-French
864OEM - Arabic
865OEM - Nordic
866OEM - Russian
869OEM - Modern Greek
870IBM EBCDIC - Multilingual/ROECE (Latin-2)
874ANSI/OEM - Thai (same as 28605, ISO 8859-15)
875IBM EBCDIC - Modern Greek
932ANSI/OEM - Japanese, Shift-JIS
936ANSI/OEM - Simplified Chinese (PRC, Singapore)
949ANSI/OEM - Korean (Unified Hangul Code)
950ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC)
1026IBM EBCDIC - Turkish (Latin-5)
1047IBM EBCDIC - Latin 1/Open System
1140IBM EBCDIC - U.S./Canada (037 + Euro symbol)
1141IBM EBCDIC - Germany (20273 + Euro symbol)
1142IBM EBCDIC - Denmark/Norway (20277 + Euro symbol)
1143IBM EBCDIC - Finland/Sweden (20278 + Euro symbol)
1144IBM EBCDIC - Italy (20280 + Euro symbol)
1145IBM EBCDIC - Latin America/Spain (20284 + Euro symbol)
1146IBM EBCDIC - United Kingdom (20285 + Euro symbol)
1147IBM EBCDIC - France (20297 + Euro symbol)
1148IBM EBCDIC - International (500 + Euro symbol)
1149IBM EBCDIC - Icelandic (20871 + Euro symbol)
1200Unicode UCS-2 Little-Endian (BMP of ISO 10646)
1201Unicode UCS-2 Big-Endian
1250ANSI - Central European
1251ANSI - Cyrillic
1252ANSI - Latin I
1253ANSI - Greek
1254ANSI - Turkish
1255ANSI - Hebrew
1256ANSI - Arabic
1257ANSI - Baltic
1258ANSI/OEM - Vietnamese
1361Korean (Johab)
10000MAC - Roman
10001MAC - Japanese
10002MAC - Traditional Chinese (Big5)
10003MAC - Korean
10004MAC - Arabic
10005MAC - Hebrew
10006MAC - Greek I
10007MAC - Cyrillic
10008MAC - Simplified Chinese (GB 2312)
10010MAC - Romania
10017MAC - Ukraine
10021MAC - Thai
10029MAC - Latin II
10079MAC - Icelandic
10081MAC - Turkish
10082MAC - Croatia
12000Unicode UCS-4 Little-Endian
12001Unicode UCS-4 Big-Endian
20000CNS - Taiwan
20001TCA - Taiwan
20002Eten - Taiwan
20003IBM5550 - Taiwan
20004TeleText - Taiwan
20005Wang - Taiwan
20105IA5 IRV International Alphabet No. 5 (7-bit)
20106IA5 German (7-bit)
20107IA5 Swedish (7-bit)
20108IA5 Norwegian (7-bit)
20127US-ASCII (7-bit)
20261T.61
20269ISO 6937 Non-Spacing Accent
20273IBM EBCDIC - Germany
20277IBM EBCDIC - Denmark/Norway
20278IBM EBCDIC - Finland/Sweden
20280IBM EBCDIC - Italy
20284IBM EBCDIC - Latin America/Spain
20285IBM EBCDIC - United Kingdom
20290IBM EBCDIC - Japanese Katakana Extended
20297IBM EBCDIC - France
20420IBM EBCDIC - Arabic
20423IBM EBCDIC - Greek
20424IBM EBCDIC - Hebrew
20833IBM EBCDIC - Korean Extended
20838IBM EBCDIC - Thai
20866Russian - KOI8-R
20871IBM EBCDIC - Icelandic
20880IBM EBCDIC - Cyrillic (Russian)
20905IBM EBCDIC - Turkish
20924IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol)
20932JIS X 0208-1990 & 0121-1990
20936Simplified Chinese (GB2312)
21025IBM EBCDIC - Cyrillic (Serbian, Bulgarian)
21027Extended Alpha Lowercase
21866Ukrainian (KOI8-U)
28591ISO 8859-1 Latin I
28592ISO 8859-2 Central Europe
28593ISO 8859-3 Latin 3
28594ISO 8859-4 Baltic
28595ISO 8859-5 Cyrillic
28596ISO 8859-6 Arabic
28597ISO 8859-7 Greek
28598ISO 8859-8 Hebrew
28599ISO 8859-9 Latin 5
28605ISO 8859-15 Latin 9
29001Europa 3
38598ISO 8859-8 Hebrew
50220ISO 2022 Japanese with no halfwidth Katakana
50221ISO 2022 Japanese with halfwidth Katakana
50222ISO 2022 Japanese JIS X 0201-1989
50225ISO 2022 Korean
50227ISO 2022 Simplified Chinese
50229ISO 2022 Traditional Chinese
50930Japanese (Katakana) Extended
50931US/Canada and Japanese
50933Korean Extended and Korean
50935Simplified Chinese Extended and Simplified Chinese
50936Simplified Chinese
50937US/Canada and Traditional Chinese
50939Japanese (Latin) Extended and Japanese
51932EUC - Japanese
51936EUC - Simplified Chinese
51949EUC - Korean
51950EUC - Traditional Chinese
52936HZ-GB2312 Simplified Chinese
54936Windows XP: GB18030 Simplified Chinese (4 Byte)
57002ISCII Devanagari
57003ISCII Bengali
57004ISCII Tamil
57005ISCII Telugu
57006ISCII Assamese
57007ISCII Oriya
57008ISCII Kannada
57009ISCII Malayalam
57010ISCII Gujarati
57011ISCII Punjabi
65000Unicode UTF-7
65001Unicode UTF-8
The following is a list of valid code page identifiers for Mac OS only:
IdentifierName
1ASCII
2NEXTSTEP
3JapaneseEUC
4UTF8
5ISOLatin1
6Symbol
7NonLossyASCII
8ShiftJIS
9ISOLatin2
10Unicode
11WindowsCP1251
12WindowsCP1252
13WindowsCP1253
14WindowsCP1254
15WindowsCP1250
21ISO2022JP
30MacOSRoman
10UTF16String
0x90000100UTF16BigEndian
0x94000100UTF16LittleEndian
0x8c000100UTF32String
0x98000100UTF32BigEndian
0x9c000100UTF32LittleEndian
65536Proprietary

LicenseInfo:   Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a cmdlet is using. It will return the following information:

  • Product: The product the license is for.
  • Product Key: The key the license was generated from.
  • License Source: Where the license was found (e.g., RuntimeLicense, License File).
  • License Type: The type of license installed (e.g., Royalty Free, Single Server).
  • Last Valid Build: The last valid build number for which the license will work.
MaskSensitive:   Whether sensitive data is masked in log messages.

In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to true to mask sensitive data. The default is true.

This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.

UseInternalSecurityAPI:   Tells the cmdlet whether or not to use the system security libraries or an internal implementation.

When set to false, the cmdlet will use the system security libraries by default to perform cryptographic functions where applicable. In this case, calls to unmanaged code will be made. In certain environments this is not desirable. To use a completely managed security implementation set this setting to true.

Setting this setting to true tells the cmdlet to use the internal implementation instead of using the system security libraries.

On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.

If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.

Note: This setting is static. The value set is applicable to all cmdlets used in the application.

When this value is set the product's system DLL is no longer required as a reference, as all unmanaged code is stored in that file.