We're creating a document outlining network packet capture steps, and we'd like to kno

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Is it importnat that etl2pcapng is run on the same machine where the etl was captured? about etl2pcapng HOT 4 CLOSED

microsoft commented on May 23, 2024

Is it importnat that etl2pcapng is run on the same machine where the etl was captured?

from etl2pcapng.

Comments (4)

maolson-msft commented on May 23, 2024 1

@kgibm FYI I found the ndiscap packet capture filtering documentation: run "netsh trace show CaptureFilterHelp". It does look very similar to the TCPIP ETW filtering I mentioned, but I don't see "TCP.AnyPort" in the documented filter types. In fact I only see L2 and L3 filters. Hopefully you can use pktmon to moot this shortcoming.

from etl2pcapng.

maolson-msft commented on May 23, 2024

@kgibm, you can run it on a different box.

I think the "TCP.AnyPort" stuff you found is related to filtering for the TCPIP ETW provider rather than packet capture (run "netsh trace show providerfilterhelp Microsoft-Windows-TCPIP" to see some documentation). I don't know a way off the top of my head to filter the ndiscap packet capture at collection time. However, new systems have pktmon, which can do filtering:

pktmon filter add -t tcp -i 192.168.1.1 -p 6100
pktmon filter add -t udp
pktmon start -c
pktmon stop
[captures all UDP traffic AND all TCP traffic to/from 192.168.1.1 to/from port 6100 - see pktmon filter add /? for all parameters]

Note that etl2pcapng only works on ndiscap packet captures (i.e. the ones you collect with netsh.exe). For pktmon captures, you instead use pktmon to convert to pcapng. In an ideal world where everyone upgrades to new versions of Windows with pktmon available, etl2pcapng becomes an obsolete tool!

BTW if you find any functionality gaps in the pktmon pcapng convertor please let me know and perhaps it can be addressed. Thanks!

from etl2pcapng.

kgibm commented on May 23, 2024

you can run it on a different box.

Thanks.

new systems have pktmon, which can do filtering

Thanks, I'll check it out! It seems like we need to change our instructions from netsh to pktmon primarily, and leave the netsh instructions for older Windows builds.

BTW if you find any functionality gaps in the pktmon pcapng convertor please let me know and perhaps it can be addressed

Will do.

from etl2pcapng.

kgibm commented on May 23, 2024

For reference, I've ended up with the following instructions:

Windows (newer versions)

Capture without port filtering

Right-click Command Prompt } Run as Administrator
Start the capture:
```
pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular
```
a. This command captures up to 2GB of total data. Change file-size in MB as needed.
b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
Check for any errors running the previous commands in your terminal.
Reproduce the problem.
Stop the capture:
```
pktmon stop
```
Convert the capture to pcapng format:
```
pktmon etl2pcap PktMon.etl
```
Upload PktMon.etl and PktMon.pcapng

Capture with port filtering

Right-click Command Prompt } Run as Administrator
Configure the filtered port; replace %PORT% with the target port (for example, 80, 443, and so on):
```
pktmon filter add -t tcp -p %PORT%
```
Start the capture:
```
pktmon start --capture --pkt-size 0 --file-size 2048 --log-mode circular
```
a. This command captures up to 2GB of total data. Change file-size in MB as needed.
b. This command captures the entire packet. To minimize bytes per packet, set pkt-size to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
Check for any errors running the previous commands in your terminal.
Reproduce the problem.
Stop the capture:
```
pktmon stop
```
Convert the capture to pcapng format:
```
pktmon etl2pcap PktMon.etl
```
Upload PktMon.etl and PktMon.pcapng

Windows (older versions)

Capture without port filtering

Right-click Command Prompt } Run as Administrator
Start the capture:
```
netsh trace start provider=Microsoft-Windows-TCPIP persistent=yes capture=yes packettruncatebytes=1500 tracefile=C:\diag_networktrace.etl maxSize=2048 perf=no
```
a. This command captures up to 2GB each of total data. Change maxSize in MB as needed.
b. This command capture up to 1500 bytes per packet (essentially unlimited). To minimize bytes per packet, set packettruncatebytes to 96 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
Check for any errors running the previous commands in your terminal.
Reproduce the problem.
Stop the capture:
```
netsh trace stop
```
Download etl2pcapng and run it on diag_networktrace.etl
Upload diag_networktrace.etl and diag_networktrace.pcapng

from etl2pcapng.

Is it importnat that etl2pcapng is run on the same machine where the etl was captured? about etl2pcapng HOT 4 CLOSED

Comments (4)

Windows (newer versions)

Capture without port filtering

Capture with port filtering

Windows (older versions)

Capture without port filtering

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent