Closed kgibm closed 2 years ago
@kgibm, you can run it on a different box.
I think the "TCP.AnyPort" stuff you found is related to filtering for the TCPIP ETW provider rather than packet capture (run "netsh trace show providerfilterhelp Microsoft-Windows-TCPIP" to see some documentation). I don't know a way off the top of my head to filter the ndiscap packet capture at collection time. However, new systems have pktmon, which can do filtering:
pktmon filter add -t tcp -i 192.168.1.1 -p 6100
pktmon filter add -t udp
pktmon start -c
pktmon stop

[captures all UDP traffic AND all TCP traffic to/from 192.168.1.1 to/from port 6100 - see "pktmon filter add /?" for all parameters]
Note that etl2pcapng only works on ndiscap packet captures (i.e. the ones you collect with netsh.exe). For pktmon captures, you instead use pktmon to convert to pcapng. In an ideal world where everyone upgrades to new versions of Windows with pktmon available, etl2pcapng becomes an obsolete tool!
BTW, if you find any functionality gaps in the pktmon pcapng converter, please let me know and perhaps it can be addressed. Thanks!
> you can run it on a different box.

Thanks.

> new systems have pktmon, which can do filtering

Thanks, I'll check it out! It seems like we need to change our instructions from netsh to pktmon primarily, and leave the netsh instructions for older Windows builds.

> BTW, if you find any functionality gaps in the pktmon pcapng converter, please let me know and perhaps it can be addressed

Will do.
@kgibm FYI I found the ndiscap packet capture filtering documentation: run "netsh trace show CaptureFilterHelp". It does look very similar to the TCPIP ETW filtering I mentioned, but I don't see "TCP.AnyPort" in the documented filter types. In fact I only see L2 and L3 filters. Hopefully you can use pktmon to moot this shortcoming.
For reference, I've ended up with the following instructions:

Without a port filter:
1. pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular
   a. This command captures up to 2GB of total data. Change file-size in MB as needed.
   b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower, but it's sometimes useful to have at least some of the TCP packet.
   c. If you receive the error "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
2. pktmon stop
3. pktmon etl2pcap PktMon.etl
4. PktMon.etl and PktMon.pcapng

With a port filter:
1. pktmon filter add -t tcp -p %PORT%
2. pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular
   a. This command captures up to 2GB of total data. Change file-size in MB as needed.
   b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower, but it's sometimes useful to have at least some of the TCP packet.
   c. If you receive the error "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
3. pktmon stop
4. pktmon etl2pcap PktMon.etl
5. PktMon.etl and PktMon.pcapng

Older Windows builds without pktmon (netsh):
1. netsh trace start provider=Microsoft-Windows-TCPIP persistent=yes capture=yes packettruncatebytes=1500 tracefile=C:\diag_networktrace.etl maxSize=2048 perf=no
   a. This command captures up to 2GB of total data. Change maxSize in MB as needed.
   b. This command captures up to 1500 bytes per packet (essentially unlimited). To minimize bytes per packet, set packettruncatebytes to 96 for IPv4 and 128 for IPv6 traffic. You can go lower, but it's sometimes useful to have at least some of the TCP packet.
2. netsh trace stop
3. diag_networktrace.etl
4. diag_networktrace.etl and diag_networktrace.pcapng
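The pktmon filtering shown in the maintainer's reply above and the capture-then-convert procedure in the instructions above, combined into one script. This is an added example for this page, not code from the etl2pcapng project or from either participant in the thread. It assumes an elevated PowerShell on a build that ships pktmon.exe (Windows 10 2004 / Server 2019 or later); the parameter names ($Port, $Address, $FileSizeMB, $PktSize, $Seconds, $EtlPath) are this example's own, and the pktmon subcommands used are only those that appear in the thread plus "pktmon filter list", "pktmon filter remove" and the "--file-name" option of "pktmon start".

```powershell
# Added example (not from the thread or the etl2pcapng project): drive the pktmon
# capture procedure end to end, with the checks the thread's caveats call for.
param(
    [int]$Port,                         # optional: only TCP traffic to/from this port, e.g. 6100
    [string]$Address,                   # optional: only traffic to/from this IP address
    [int]$FileSizeMB = 2048,            # circular log size in MB (the thread's --file-size 2048)
    [int]$PktSize = 0,                  # 0 = whole packet; 96 (IPv4) / 128 (IPv6) keeps headers only
    [int]$Seconds = 60,                 # how long to capture before stopping
    [string]$EtlPath = (Join-Path (Get-Location).Path 'PktMon.etl')   # assumed output location
)

# pktmon refuses to run unelevated, so fail here rather than halfway through the filter setup.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

# Older builds have no pktmon: that is the case for the netsh trace instructions plus etl2pcapng.
if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
    throw 'pktmon.exe not found on this build; use "netsh trace start ..." and convert the .etl with etl2pcapng.'
}

# Step 0: the "Packet monitor is already started" caveat. Stop any leftover session and drop
# stale filters; otherwise a previous run's filter set would silently apply to this capture.
pktmon stop | Out-Null
pktmon filter remove | Out-Null

# Step 1: filters as in the thread (-t tcp -p <port>, -i <address>). With none set, everything is captured.
if ($Port)    { pktmon filter add -t tcp -p $Port | Out-Null }
if ($Address) { pktmon filter add -i $Address | Out-Null }
pktmon filter list

try {
    # Step 2: capture into a circular ETL of at most $FileSizeMB MB at the requested packet size.
    pktmon start --capture --pkt-size $PktSize --file-size $FileSizeMB --log-mode circular --file-name $EtlPath
    if ($LASTEXITCODE -ne 0) { throw "pktmon start failed with exit code $LASTEXITCODE" }
    Write-Host "Capturing to $EtlPath for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Step 3: always stop, so an interrupted script does not leave the driver capturing,
    # and clear the filters so they do not leak into the next session.
    pktmon stop
    pktmon filter remove | Out-Null
}

# Step 4: convert with pktmon itself. etl2pcapng only understands ndiscap (netsh) captures,
# so it is not used for pktmon output; the .pcapng is written next to the .etl.
pktmon etl2pcap $EtlPath
$pcapPath = [IO.Path]::ChangeExtension($EtlPath, '.pcapng')
Get-Item $EtlPath, $pcapPath | Select-Object FullName, Length
```

Run it as ".\Capture-Pktmon.ps1 -Port 6100 -Seconds 120" to reproduce the "with a port filter" instructions, or with no parameters for the unfiltered variant. The explicit "pktmon filter remove" before and after the capture is the part a written procedure tends to omit: pktmon filters persist across sessions, so a filter left over from an earlier troubleshooting run is the usual reason a later "capture everything" produces an almost empty trace.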
We're creating a document outlining network packet capture steps, and we'd like to know if etl2pcapng should be run on the same box where "netsh trace start" was run, or whether it's okay for us to run it on a different diagnostic box after the fact? (Totally unrelated, but do you happen to know how to filter "netsh trace" to some port? Some internet posts suggest a "TCP.AnyPort=X" filter, but that doesn't seem to work.) Thanks