Packet Captures for Linux (tcpdump) and Windows (netsh trace)

Server to Server:
On server IP

tcpdump –I eth0 host

On server IP

tcpdump –I eth0 host


tcpdump -i eth0 src host -w /tmp/[outputfile]


Set a size and rotate the log files:

tcpdump –nni [interface] -C [file-size-in-MB] -W [number-of-files-to-rotate] -v –w [formatted-output-file]

Example for us using 1G of space (you can adjust it) and timestamp the output cap file:

tcpdump -nni eth0 -v -C 1000 -W 10 -w ~/"oncore-prod_`date '+%Y-%m-%d_%H:%M:%S'`.pcap"                    :space after date

If you ever need to do a packet capture on a Windows PC/Server and you don’t have or can’t install Wireshark, you can run this Windows command:

netsh trace start capture=yes overwrite=no maxSize=500 tracefile=c:\MYCAP1.etl
netsh trace stop

Or you can add an IP Address you want to target:
netsh trace start capture=yes IPv4.Address=X.X.X.X overwrite=no maxSize=500 tracefile=c:\MYCAP1.etl

=====Converting the ETL File:

The ETL file can be sent to anyone to convert it to a PCAP file for Wireshark viewing. The default maxSize is 250MB but it can be changed. You can obviously change the capture name and location if you want.

1. Microsoft Message Analyzer

This ETL file is converted using Microsoft Message Analyzer:

1. First open the ETL in MMA
2. Go to File, Save As, All Messages, Export to export it as a CAP

2. Microsoft Github Script ETL2PCAPNG

There’s now a free tool that will convert these ETL files to PCAPNG files.

It works great:

etl2pcapng.exe c:\MYCAP1.etl c:\MCAPCONVERT.pcapng
IF: medium=eth  ID=0    IfIndex=15
Converted 6113 frames

This is a better solution than using MMA.

More Stories
Microsoft IIS Security Best Practices (CIS)