Doing a packet capture without installing anything on a windows server

Hey guys !!

I hope you are doing great. Down here, things are going well. It's been warm and beautiful and everyone seems to be happy.

Today we are going to talk about how to do a packet capture on a windows server without installing anything.
Have you ever wanted to do a capture to see what's going on into the wire ? This has helped me countless times. I can't tell how important these captures are to help us solving issues.

Not all times, you can install wireshark or any other tool that can do this on the server you want to collect the data from but, did you know windows (2008 R2 and newer) has a builtin command that can do this for us ?
Yeah ! This command is "netsh".

So, let's get started and I will show you how to do this.

Tooling
Although you can capture without installing anything, in order to actually see the data, a tool is required. You can either use Wireshark or Microsoft Message Analyzer. Those are free and you can just google and download them.I feel more comfortable with wireshark. Because of that, there is one more step that is added to the process because "netsh" can only generate an .etl file. Wireshark does not understand this extension and I need to open the .etl file using microsoft message analyzer and export to a .cap file so wireshark can read. I haven't found a way of shorten this path but maybe there is one. If you know one, please let us know on the comments session.

So, what you need is :

1) Be logged on as local administrator on the machine you want to collect the data. Machine must be 2008R2/Win7 or newer;
2) Have microsoft message analyzer installed on another machine somewhere;
3) If you want to use wireshark, you need wireshark installed on a machine somewhere as well.


  1. Log on to the machine you want to collect the data;
  2. Execute a cmd prompt as administrator;
  3. Type this : netsh trace start persistent=yes capture=yes tracefile="C:\temp\myfilenamehere.etl"
  1. This is the simplest syntax and it should fit most of the cases but depending on your specific case, you may need to add additional parameters. In order to view the whole set of parameters , just type netsh trace start /? 

  1. Reproduce the issue so the capture can grab the data and once you are done, go back to the command prompt and type: netsh trace stop
Once you do that, wait until correlation and merge occurs (just keep an eye on the command prompt) and you will end up with a *.etl and a *.cab file.



Next step now is to open the .etl file using microsoft message analyzer. If you want to use wireshark to analyze the data, just export it and it will be exported as a .cap file.







Then you have it folks !!

I hope you have enjoyed this content and thanks for stopping by.


=====================================================

Portugues

E ai pessoal !!

Eu espero que esteja tudo bem com vocês. Aqui, as coisas estão indo bem. Tem feito calor e dias lindos e todo mundo parece feliz.

Hoje vamos falar sobre como fazer uma captura de pacotes em windows sem instalar nada.

Você já quis fazer uma captura para ver o que se passa dentro dos cabos? Isso me ajudou inúmeras vezes. Eu não posso dizer o quão importante essas capturas são para nos ajudar a resolver problemas.

Nem sempre, você pode instalar o wireshark ou qualquer outra ferramenta que possa fazer isso na máquina que você deseja coletar os dados, mas você sabia que o windows (2008 R2/Win 7 e mais recentes) tem um comando interno que pode fazer isso por nós?

Sim ! Este comando é "netsh".

Então, vamos começar e eu vou te mostrar como fazer isso.

Ferramentas

Embora você possa capturar sem instalar nada, para realmente ver os dados, é necessário uma ferramenta. Você pode usar o Wireshark ou o Microsoft Message Analyzer. São gratuitos e você pode apenas achar no google e baixá-los. Eu me sinto mais confortável com wireshark. Por causa disso, há mais uma etapa que é adicionada ao processo porque "netsh" pode gerar apenas um arquivo .etl. O Wireshark não entende essa extensão e eu preciso abrir o arquivo .etl usando o microsoft message analyzer e exportar para um arquivo .cap para que o wireshark possa ler. Eu não encontrei uma maneira de encurtar este caminho, mas talvez haja uma. Se você conhece uma, por favor nos avise na sessão de comentários.

Então, o que você precisa é:

1) Faça o login como administrador local na máquina que você deseja coletar os dados. A máquina deve ser 2008R2 / Win7 ou mais recente;

2) Ter o analisador de mensagens microsoft instalado em outra máquina em algum lugar;

3) Se você quiser usar wireshark, você precisa de wireshark instalado em uma máquina em algum lugar também.

  1. Faça logon na máquina que você deseja coletar os dados;
  2. Execute um prompt de cmd como administrador;
  3. Digite isto: netsh trace start persistente = sim capture = yes tracefile = "C: \ temp \ myfilenamehere.etl"


Esta é a sintaxe mais simples e deve servir para a maioria dos casos, mas dependendo do seu caso específico, você pode precisar adicionar parâmetros adicionais. Para visualizar todo o conjunto de parâmetros, basta digitar netsh trace start /?

Reproduza o problema para que a captura possa pegar os dados e, quando terminar, volte ao prompt de comando e digite: netsh trace stop
Depois de fazer isso, espere até que a correlação e a conversão ocorram (apenas fique de olho no prompt de comando) e você terá um arquivo * .etl e * .cab.

O próximo passo agora é abrir o arquivo .etl usando o Microsoft Message Analyzer. Se você quiser usar o wireshark para analisar os dados, basta exportá-lo e ele será exportado como um arquivo .cap.

Então é isso pessoal !!

Espero que você tenha gostado deste conteúdo e obrigado pela visita.


Comments

Post a Comment

Popular posts from this blog

Certification or Degree ??

Image
Hi guys !! I hope you are doing great and enjoying summer (at least for Northern Hemisphere folks). I know my friends in Brazil are struggling with a super cold winter (10 C/50 F ??). Oh !!! I'd love having a winter "that" cold here in Montreal but, anyways. So, today I'd like to talk about certification or degree. In IT, which one is more important ? People have different thoughts about this topic and I think there is no wrong or right. It depends on your situation. I personally tend to agree that , perhaps, having both is the best as you could benefit from the great things both of them can give to you but, if you can't afford having both, I'd tend to agree that keeping your certifications up to date is probably better than having only a degree. Let me tell you why I believe in this. I have an associate's degree in computer networking that was achieved in 2009. My first certification, I got in 2009. I got started in the certification world wi...
Read more

AWS Systems Manager. No more bastion hosts, nor credentials to run scripts or commands against multiple servers at once ?

Image
Hey guys !!! Hope you are doing pretty good? Today's post is supposed to be a quick one. I am going to start with a real case scenario. I was working for an Enterprise Managed Services provider and because EMS supports multiple customers, you end up with a bunch of environments, credentials, diagrams that make your life a lot harder whenever you need to jump on a server to troubleshoot something. This tough task though, can be easier if you have the ability to leverage AWS Systems Manager in your environment. What systems manager allows you to do is , basically, access a shell of a machine without having to rdp or ssh to it, have an inventory of your fleet, and , one of the coolest features, running commands/scripts against multiple servers at once, again, without even knowing an username or password. My assignment was to identify which servers were still configured to use a DNS server that we were going to decommission. The challenge was, not all servers were part of a...
Read more

Understanding Azure AD Device Management

Image
Hi folks !!! How are you all doing ? It's been a looooonnnggg time since my last post. Yeah !! I know !! A lot going on. But I am back. This time, I would like to talk about a very cool feature in Azure that is called Azure AD Device Management. In today's world, technology has drastically changed the way we work and we need to keep up with the changes. Today, you can easily be working while you are commuting to the office, while you are at home or traveling. All that you need is to have a device, internet connection and , voila, you are connected to your company. Because of this, Microsoft came up with this pretty cool feature. So , basically , in order for you to access your company resources you can use a device that is company issued but, maybe you want to use your own device, I mean, it could be a tablet or a macbook and you can access company resources. No matter which device you use to connect, this brings some concerns because somehow, the device has a certain level of ...
Read more