ExternalIpAnalyzer.ps1 is a PowerShell script that processes the ETL (Event Trace Log) files written by Windows Delivery Optimization, extracts the external IP addresses recorded in them and writes the results to a CSV file. It is intended for network administrators and security analysts who need to review which external hosts a Windows system has exchanged Delivery Optimization traffic with.
- Automated ETL Processing: converts the ETL files to XML without any manual steps.
- Efficient Data Extraction: pulls external IP addresses out of the converted XML so the output is consistent across runs.
- Comprehensive Reporting: produces a summary of every extracted IP address with the number of times it occurs.
- Customizable Output Options: the XML output directory and the CSV file name are script parameters, so the script fits different environments without editing.
- ETL to XML Conversion: converts the ETL log files to XML with the tracerpt.exe utility, which makes the event data straightforward to parse.
- IP Address Extraction: extracts external IP addresses from the converted XML files, looking only at the relevant event data.
- CSV Export: writes the extracted IP addresses together with their timestamps to a CSV file for further analysis.
- Summary Reporting: reports each IP address found and how many times it appears in the logs.
To use ExternalIpAnalyzer.ps1 you need a Windows system with PowerShell and an elevated (administrator) session, because the Delivery Optimization log directory lives under the NetworkService profile and is not readable by a standard user.
- Download the script ExternalIpAnalyzer.ps1.
- Open PowerShell as an administrator.
- Change to the directory that contains the script.
- Run the script, optionally overriding the output locations:
.\ExternalIpAnalyzer.ps1 -xmlOutputDir "LogsXML" -csvPath "IP_Addresses.csv"
- Windows operating system with PowerShell.
- Read access to the Delivery Optimization ETL log directory: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs
- tracerpt.exe, which ships with Windows at %SystemRoot%\System32\tracerpt.exe.
Note that the ETL file the Delivery Optimization service is currently writing to may be locked; if tracerpt.exe reports an error on it, copy the file elsewhere first or retry after the service rolls over to a new log. On Windows 10 version 1803 and later the built-in Get-DeliveryOptimizationLog cmdlet reads the same ETL files and can be used to cross-check the script's output.
Upon execution, the script performs the following actions:
- Creates the XML output directory if it does not exist.
- Converts every relevant ETL file to XML and stores the result in that directory.
- Extracts external IP addresses from the XML files together with the timestamp of the event they appear in.
- Exports the collected data to IP_Addresses.csv (or the path given with -csvPath).
- Displays a summary of the IP addresses found and their occurrence counts in the console.
- Cleans up by removing the temporary XML files after processing.
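The steps above, as an added worked example written for this page rather than the project's own script. It assumes the Delivery Optimization log directory named in the requirements, that tracerpt.exe emits its XML in the Windows Event schema (an Event element with System/TimeCreated whose SystemTime attribute holds the timestamp; the XPath below is namespace-agnostic so it still works if the xmlns differs), and that "external" means an IPv4 address outside the RFC 1918, loopback, link-local, multicast and unspecified ranges. IPv6 peers are not handled. The parameter names $LogDir, $XmlOutputDir and $CsvPath and the helper Test-ExternalIPv4 are this example's own.

```powershell
# Added example (not ExternalIpAnalyzer.ps1 itself): convert Delivery Optimization ETL
# logs to XML with tracerpt.exe, extract external IPv4 addresses, export a CSV and
# print an occurrence summary. Run from an elevated PowerShell session.
param(
    # Assumed default: the Delivery Optimization log directory from the README.
    [string]$LogDir = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs',
    [string]$XmlOutputDir = 'LogsXML',
    [string]$CsvPath = 'IP_Addresses.csv'
)

$ErrorActionPreference = 'Stop'

# Assumed definition of "external": not RFC 1918, loopback, link-local,
# multicast/reserved (224.0.0.0 and above) or the unspecified address.
function Test-ExternalIPv4 {
    param([string]$Ip)
    $o = @($Ip.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4 -or ($o | Where-Object { $_ -gt 255 })) { return $false }
    if ($o[0] -eq 10) { return $false }                                     # 10.0.0.0/8
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false } # 172.16.0.0/12
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }                 # 192.168.0.0/16
    if ($o[0] -eq 127 -or $o[0] -eq 0) { return $false }                    # loopback / 0.0.0.0
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }                 # link-local
    if ($o[0] -ge 224) { return $false }                                    # multicast / reserved
    return $true
}

# 1. Make sure the XML output directory exists.
New-Item -ItemType Directory -Path $XmlOutputDir -Force | Out-Null

$tracerpt = Join-Path $env:SystemRoot 'System32\tracerpt.exe'
if (-not (Test-Path $tracerpt)) { throw "tracerpt.exe not found at $tracerpt" }

# 2. Convert each ETL file to XML and 3. extract addresses with their timestamps.
$etlFiles = Get-ChildItem -Path $LogDir -Filter '*.etl' -File
$rows = foreach ($etl in $etlFiles) {
    $xmlPath = Join-Path $XmlOutputDir ($etl.BaseName + '.xml')
    # -of XML selects the XML output format, -y suppresses the overwrite prompt.
    & $tracerpt $etl.FullName -o $xmlPath -of XML -y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # The log the service is currently writing to is often locked; skip it rather than abort.
        Write-Warning "tracerpt.exe failed on $($etl.Name) (exit code $LASTEXITCODE), skipping"
        continue
    }

    [xml]$doc = Get-Content -Path $xmlPath -Raw
    # local-name() keeps the query independent of the xmlns tracerpt writes.
    foreach ($ev in $doc.SelectNodes("//*[local-name()='Event']")) {
        $tc = $ev.SelectSingleNode("*[local-name()='System']/*[local-name()='TimeCreated']")
        $ts = if ($tc -and $tc.Attributes['SystemTime']) { $tc.Attributes['SystemTime'].Value } else { '' }
        # Scan the event's text for dotted-quad candidates and keep the external ones.
        $found = [regex]::Matches($ev.InnerText, '\b(?:\d{1,3}\.){3}\d{1,3}\b')
        foreach ($m in $found) {
            if (Test-ExternalIPv4 $m.Value) {
                [pscustomobject]@{ Timestamp = $ts; IPAddress = $m.Value; SourceEtl = $etl.Name }
            }
        }
    }
}

# 4. Export the rows to CSV.
$rows | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

# 5. Console summary: occurrences per address, most frequent first.
$rows | Group-Object -Property IPAddress | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'IPAddress'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 6. Remove the intermediate XML files.
Remove-Item -Path (Join-Path $XmlOutputDir '*.xml') -Force
```

The regex-over-InnerText approach deliberately avoids depending on the exact Data element names Delivery Optimization uses for peer endpoints, at the cost of also matching any other dotted-quad strings in an event; if the CSV needs to be restricted to a particular field, narrow the XPath to that EventData/Data element once you have inspected one converted XML file.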
Users can customize the output directory for XML files and the name of the resulting CSV file through the script parameters:
- -xmlOutputDir: the directory in which the intermediate XML files are written.
- -csvPath: the path and file name of the resulting CSV file.
The script works in three stages:
- ETL File Handling: reads the ETL files from the log directory and converts them in turn.
- XML Data Processing: parses the converted XML and extracts the IP address information from the event data.
- Summary Calculation: groups the extracted addresses and counts the occurrences of each one.
This script is provided under the GNU Affero General Public License v3.0. You can find the full license text in the LICENSE file.