search

microsoft / etl2pcapng

Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
MIT License
607 stars 114 forks source link

Is it importnat that etl2pcapng is run on the same machine where the etl was captured? #42

Closed kgibm closed 2 years ago

kgibm commented 2 years ago

We're creating a document outlining network packet capture steps, and we'd like to know if etl2pcapng should be run on the same box where netsh trace start was run or whether it's okay for us to run it on a different diagnostic box after the fact? (Totally unrelated, but do you happen to know how to filter netsh trace to some port? Some internet posts suggest a TCP.AnyPort=X filter but that doesn't seem to work.) Thanks

maolson-msft commented 2 years ago

@kgibm, you can run it on a different box.

I think the "TCP.AnyPort" stuff you found is related to filtering for the TCPIP ETW provider rather than packet capture (run "netsh trace show providerfilterhelp Microsoft-Windows-TCPIP" to see some documentation). I don't know a way off the top of my head to filter the ndiscap packet capture at collection time. However, new systems have pktmon, which can do filtering:

pktmon filter add -t tcp -i 192.168.1.1 -p 6100 pktmon filter add -t udp pktmon start -c pktmon stop [captures all UDP traffic AND all TCP traffic to/from 192.168.1.1 to/from port 6100 - see pktmon filter add /? for all parameters]

Note that etl2pcapng only works on ndiscap packet captures (i.e. the ones you collect with netsh.exe). For pktmon captures, you instead use pktmon to convert to pcapng. In an ideal world where everyone upgrades to new versions of Windows with pktmon available, etl2pcapng becomes an obsolete tool!

BTW if you find any functionality gaps in the pktmon pcapng convertor please let me know and perhaps it can be addressed. Thanks!

kgibm commented 2 years ago

you can run it on a different box.

Thanks.

new systems have pktmon, which can do filtering

Thanks, I'll check it out! It seems like we need to change our instructions from netsh to pktmon primarily, and leave the netsh instructions for older Windows builds.

BTW if you find any functionality gaps in the pktmon pcapng convertor please let me know and perhaps it can be addressed

Will do.

maolson-msft commented 2 years ago

@kgibm FYI I found the ndiscap packet capture filtering documentation: run "netsh trace show CaptureFilterHelp". It does look very similar to the TCPIP ETW filtering I mentioned, but I don't see "TCP.AnyPort" in the documented filter types. In fact I only see L2 and L3 filters. Hopefully you can use pktmon to moot this shortcoming.

kgibm commented 2 years ago

For reference, I've ended up with the following instructions:

Windows (newer versions)

Capture without port filtering

  1. Right-click Command Prompt } Run as Administrator
  2. Start the capture: 
    pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular

    a. This command captures up to 2GB of total data. Change file-size in MB as needed. b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet. c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.

  3. Check for any errors running the previous commands in your terminal.
  4. Reproduce the problem.
  5. Stop the capture: 
    pktmon stop
  6. Convert the capture to pcapng format: 
    pktmon etl2pcap PktMon.etl
  7. Upload PktMon.etl and PktMon.pcapng

Capture with port filtering

  1. Right-click Command Prompt } Run as Administrator
  2. Configure the filtered port; replace %PORT% with the target port (for example, 80, 443, and so on): 
    pktmon filter add -t tcp -p %PORT%
  3. Start the capture: 
    pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular

    a. This command captures up to 2GB of total data. Change file-size in MB as needed. b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet. c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.

  4. Check for any errors running the previous commands in your terminal.
  5. Reproduce the problem.
  6. Stop the capture: 
    pktmon stop
  7. Convert the capture to pcapng format: 
    pktmon etl2pcap PktMon.etl
  8. Upload PktMon.etl and PktMon.pcapng

Windows (older versions)

Capture without port filtering

  1. Right-click Command Prompt } Run as Administrator
  2. Start the capture: 
    netsh trace start provider=Microsoft-Windows-TCPIP persistent=yes capture=yes packettruncatebytes=1500 tracefile=C:\diag_networktrace.etl maxSize=2048 perf=no

    a. This command captures up to 2GB each of total data. Change maxSize in MB as needed. b. This command capture up to 1500 bytes per packet (essentially unlimited). To minimize bytes per packet, set packettruncatebytes to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.

  3. Check for any errors running the previous commands in your terminal.
  4. Reproduce the problem.
  5. Stop the capture: 
    netsh trace stop
  6. Download etl2pcapng and run it on diag_networktrace.etl
  7. Upload diag_networktrace.etl and diag_networktrace.pcapng