Secure Bits
Capturing network traffic on Windows Server
There is an issue on a Windows Server, and I need to capture network traffic to understand what is happening. The first thought is usually:
Let's install Wireshark.
But that does not always work.
In many environments I work in, especially critical infrastructure or other highly secured environments, you cannot just install whatever tool you want on a server.
And sometimes the target is Windows Server Core.
Yes, there are command-line alternatives, but downloading tools and getting them into a restricted environment is often not simple at all.
So what I learned to use instead is the built-in netsh trace.
It is straightforward, available out of the box, and that matters a lot in secure environments.
When you are ready to start:
netsh trace start capture=yes report=disabled
When you are done:
netsh trace stop
This gives you an ETL file.
The goal is usually not to investigate that file directly on the server, but to move it to a place where you can work with it comfortably, of course according to the security rules of the environment, because you do not want to expose sensitive traffic.
Before opening it in Wireshark, there is one extra step. Convert it with Microsoft's etl2pcapng tool:
etl2pcapng nettrace.etl nettrace.pcapng
Then you can open the PCAPNG file in Wireshark.
For some people this may sound like unnecessary extra work.
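As an added example (not code from the original post or from Andreas Bellstedt), the steps above wrapped in a small PowerShell script that bounds the capture size, optionally narrows it to one host so less unrelated traffic is written to disk, converts the ETL with etl2pcapng, and records a SHA-256 so the file can be checked after it is copied off the server. It assumes an elevated PowerShell on the server and that etl2pcapng.exe is on PATH (or passed via -Etl2Pcapng); the output folder is an assumption too.

```powershell
# Added example, not the original post's code. Assumes an elevated PowerShell session
# and that etl2pcapng.exe is reachable via PATH or the -Etl2Pcapng parameter.
param(
    [string]$OutDir      = 'C:\Temp\NetTraces',  # assumed output folder, change as needed
    [int]$MaxSizeMB      = 250,                  # bound the capture; circular mode keeps the newest packets
    [string]$IPv4Address,                        # optional: only keep traffic to/from this host
    [string]$Etl2Pcapng  = 'etl2pcapng.exe'
)

function Start-BoundedTrace {
    param([string]$EtlPath, [int]$MaxSizeMB, [string]$IPv4Address)
    $netshArgs = @('trace', 'start', 'capture=yes', 'report=disabled',
                   "tracefile=$EtlPath", "maxsize=$MaxSizeMB", 'filemode=circular', 'overwrite=yes')
    # A netsh capture filter keeps unrelated (possibly sensitive) traffic out of the file altogether.
    if ($IPv4Address) { $netshArgs += "IPv4.Address=$IPv4Address" }
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
}

function Stop-TraceAndConvert {
    param([string]$EtlPath, [string]$PcapngPath, [string]$Etl2Pcapng)
    & netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
    & $Etl2Pcapng $EtlPath $PcapngPath
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PcapngPath)) { throw 'etl2pcapng conversion failed' }
    # Hash the file before it leaves the server so the analyst can confirm it arrived unmodified.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $PcapngPath).Hash
    "$hash  $(Split-Path -Leaf $PcapngPath)" | Set-Content -Path "$PcapngPath.sha256"
    return $hash
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl    = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.etl"
$pcapng = [System.IO.Path]::ChangeExtension($etl, '.pcapng')

Start-BoundedTrace -EtlPath $etl -MaxSizeMB $MaxSizeMB -IPv4Address $IPv4Address
Read-Host 'Capture running. Reproduce the issue, then press Enter to stop' | Out-Null
$sha = Stop-TraceAndConvert -EtlPath $etl -PcapngPath $pcapng -Etl2Pcapng $Etl2Pcapng
Write-Host "Capture written to $pcapng (SHA-256 $sha). Copy it off the server according to your data-handling rules."
```

The .sha256 file travels with the capture; recomputing Get-FileHash on the analysis machine and comparing it confirms the PCAPNG was not altered in transit.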
But once you deal with Server Core, production systems, and restricted environments, this is actually very handy.
This post was inspired by Andreas Bellstedt
Full article: https://www.andibellstedt.com/posts/002_capture-network.traffic/
