

Packet capturing on Windows with netsh - omnibrain
https://isc.sans.edu/diary/No+Wireshark%3F+No+TCPDump%3F+No+Problem%21/19409

======
c0nsumer
This is missing one of the most useful features of using netsh for this: boot
time captures.

By using the "persistent=yes" argument one can cause the capture to keep
running through a reboot. This is incredibly useful when trying to
troubleshoot something that happens before login. This was very, very
difficult before without a tap, span port, etc.

I wrote a small article about doing this a few years back, for anyone who is
interested: [https://nuxx.net/blog/2010/08/17/network-capture-during-boot...](https://nuxx.net/blog/2010/08/17/network-capture-during-boot-on-windows-7-and-server-2008-r/)

Also, if you'd like to get these in a format that can be read using Wireshark,
Microsoft Message Analyzer (mentioned in the original article) can export in
.cap format. Or if you want to stick with Microsoft tools just open the ETL in
Network Monitor and use it for more traditional frame-oriented capture
analysis.

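The boot-time capture workflow c0nsumer describes, written up as an added example (not code from the comment or the linked article); the trace path `C:\Temp\bootcap.etl`, the 256 MB size cap and the function names are assumptions:

```powershell
# Added example: persistent (boot-time) netsh packet capture on Windows.
# Assumed values: trace file C:\Temp\bootcap.etl and a 256 MB size cap.
# Run from an elevated prompt. persistent=yes keeps the capture running
# across a reboot, so traffic generated before logon is recorded.

$TraceFile = 'C:\Temp\bootcap.etl'

function Start-BootCapture {
    New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null
    # capture=yes      : capture packets, not only ETW events
    # persistent=yes   : survive the reboot; runs until 'netsh trace stop'
    # maxSize=256      : cap the ETL at 256 MB
    # fileMode=circular: once the cap is hit, the oldest data is overwritten
    # overwrite=yes    : replace a leftover file from an earlier run
    # report=no        : skip the slow diagnostic report when the trace stops
    netsh trace start capture=yes persistent=yes tracefile=$TraceFile maxSize=256 fileMode=circular overwrite=yes report=no
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
    Write-Host "Capture is running and persistent. Reboot now; run Stop-BootCapture after logon."
}

function Stop-BootCapture {
    # Confirm the session survived the reboot before ending it
    netsh trace show status
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
    # The ETL can now be opened in Network Monitor, or exported to .cap with
    # Message Analyzer for Wireshark, as the comment above describes.
    Get-Item $TraceFile | Select-Object FullName, Length, LastWriteTime
}
```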
------
spydum
Very interesting, had no idea the capability was there. Tried it on my own; I see
SSID beacons from my wifi card, wifi channel signal levels, then you can go up
several layers and see request URIs on HTTP requests. Very nice. More
detail, in a parsed, filterable format, than I would have expected.

_edit_: indeed, it even handles parsing SSH key exchanges. Very impressive:
[http://imgur.com/ijQX3Zq](http://imgur.com/ijQX3Zq)

~~~
lucb1e
So basically they rebuilt Wireshark? I don't understand why they didn't make
it write pcaps and use existing software to analyze them. Perhaps they could
even have contributed to Wireshark's ability to analyze Microsoft protocols.

------
auganov
Where can you hang out to find out about all the cool Windows stuff? I've been
using Windows forever. Oftentimes you feel like certain things are so so much
harder than on a UNIXy system and then BAM it's actually simple but nobody
seems to talk about it. Seems like Windows has a big discoverability problem
with dev/admin tools.

~~~
mixmastamyk
There are many Windows tip-centric websites. Otherwise, just start digging
through \windows and \windows\system32 and check out the Sysinternals and
resource kits etc.

------
pvsnp
I think the key insight here is the availability of the Message Analyzer app. I
haven't used it, but that's a good, supported alternative to the hoops you
sometimes have to jump through to run Wireshark.

~~~
c0nsumer
Look at it closely. It's neat, but it is different from the frame-oriented
approach of Wireshark / Network Monitor. It's great, but... different.

~~~
pvsnp
Yeah, I'd still prefer Wireshark, but this is useful to know about for a
variety of situations where it'd perhaps be worthwhile to see something. If
only Microsoft just exported to pcap :P

~~~
c0nsumer
Microsoft Message Analyzer can do the translation for you.

------
lucb1e
I wonder why they chose to write their own packet analyzer while so much work
has been put into Wireshark's one. Why not use existing software?

~~~
mobiplayer
Wireshark is brilliant and my favourite tool for my day to day work
(Networking Support), but both Network Monitor and Message Analyzer are
different takes on the same problem.

Both Microsoft offerings can read not just cap/pcap files but also ETL files that
can include stack tracing, so you might be able to follow a packet through the
computer's networking stack.

Also Message Analyzer has more advanced parsers and shows the information in a
different way than Wireshark. I guess that's one of the reasons why I can
happily load a 3GB cap file in Wireshark, but I would avoid doing that in
Message Analyzer :)

------
ohm
Tried running a capture while downloading a large file in Firefox and the
download failed when I started the capture.

Wouldn't recommend running this on a server.

~~~
mobiplayer
Hey, not sure what happened there but I've used this for years on hundreds of
different systems and never had that issue. Not even once as far as I can
remember.

I thoroughly recommend it, but if you don't like it and can install Network
Monitor, you can use NMCap which is also a command line tool.

------
kitd
Does anyone know if this captures loopback traffic? Wireshark won't do that out
of the box; you need a separate utility.

------
bgvopg
Hey, it works! Great, now I have an alternative to Wireshark.

------
ape4
But if you install Wireshark, does it capture traffic on the LAN (i.e. traffic that
doesn't begin or end at the current PC)? I never had any luck with that on
Windows.

~~~
jmsguy
Not unless (a) your PC is routing traffic or (b) your PC is connected to a hub
vs. a switch [1].

Unless one of these things is happening (even if your card is in promiscuous
mode), those packets won't make it into your machine.

[1] [http://www.webopedia.com/DidYouKnow/Hardware_Software/router...](http://www.webopedia.com/DidYouKnow/Hardware_Software/router_switch_hub.asp)

~~~
whoopdedo
What about wireless traffic?

~~~
dr_zoidberg
Wireless cards can be put in promiscuous mode, and you'll see the packets that
reach your computer, but maybe not all the traffic of the wireless network -
this is known as the hidden node problem[1].

[1] [http://en.wikipedia.org/wiki/Hidden_node_problem](http://en.wikipedia.org/wiki/Hidden_node_problem)

------
stephengillie
An even cheaper and simpler option is to run `netstat -a >> c:\netstat.txt` and
analyze the text file.

~~~
mobiplayer
Comparing a packet capture with the output of netstat is like comparing an
x-ray image of your brain with your latest selfie.

