=====Linux:
Server to Server:
On server IP 172.20.202.2:
tcpdump –I eth0 host 172.20.204.138
On server IP 172.20.204.138:
tcpdump –I eth0 host 172.20.202.2
or
tcpdump -i eth0 src host 54.172.24.91 -w /tmp/[outputfile]
or
Set a size and rotate the log files:
tcpdump –nni [interface] -C [file-size-in-MB] -W [number-of-files-to-rotate] -v –w [formatted-output-file]
Example for us using 1G of space (you can adjust it) and timestamp the output cap file:
tcpdump -nni eth0 -v -C 1000 -W 10 -w ~/"oncore-prod_`date '+%Y-%m-%d_%H:%M:%S'`.pcap" :space after date
=====Windows:
If you ever need to do a packet capture on a Windows PC/Server and you don’t have or can’t install Wireshark, you can run this Windows command:
netsh trace start capture=yes overwrite=no maxSize=500 tracefile=c:\MYCAP1.etl netsh trace stop
Or you can add an IP Address you want to target:
netsh trace start capture=yes IPv4.Address=X.X.X.X overwrite=no maxSize=500 tracefile=c:\MYCAP1.etl
=====Converting the ETL File:
The ETL file can be sent to anyone to convert it to a PCAP file for Wireshark viewing. The default maxSize is 250MB but it can be changed. You can obviously change the capture name and location if you want.
1. Microsoft Message Analyzer
This ETL file is converted using Microsoft Message Analyzer:
1. First open the ETL in MMA
2. Go to File, Save As, All Messages, Export to export it as a CAP
2. Microsoft Github Script ETL2PCAPNG
There’s now a free tool that will convert these ETL files to PCAPNG files.
https://github.com/microsoft/etl2pcapng/releases
It works great:
etl2pcapng.exe c:\MYCAP1.etl c:\MCAPCONVERT.pcapng IF: medium=eth ID=0 IfIndex=15 Converted 6113 frames
This is a better solution than using MMA.