I have an apparently simple issue which is proving very difficult to find an answer for.

The site has a highly-secured Windows Server 2019 installation and an appliance connected to it running on a certain TCP port.

I need a sample of the raw data coming out of that port, taken for a few minutes, dumped into a binary file. It needs to be as raw as possible (i.e. it needs to resemble what we would read from the TCP stream when we connect to that same port from a local .NET application).

It is highly preferable to use only built-in Windows tools for this (i.e. netsh), but worst-case windump or telnet are also fine.

Ruslan

1 Answer

Yes, you can do that with netsh:

Run this command as admin:

netsh trace start capture=yes tracefile=c:\temp\trace.etl

Then stop the capture with netsh trace stop and grab the .etl file.

Download etl2pcapng on your computer, and use it to convert the .etl file to the pcapng format: etl2pcapng.exe in.etl out.pcapng

Finally, open the pcapng file with Wireshark or similar.

Note that if the server runs at least Windows Server 2019 Update 2004, you can use pktmon too.

Swisstone
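Once the capture has been converted, the raw bytes the question asks for can be pulled out of the pcapng without opening Wireshark. The Python script below is an added example, not part of the answer or of etl2pcapng; it assumes the Ethernet link type etl2pcapng writes for a NIC capture and IPv4 frames without VLAN tags, and it embeds a small constructed capture (appliance on hypothetical TCP port 5000) so it runs offline. It goes a step beyond a plain dump by ordering segments by sequence number and keeping a retransmitted segment only once.

```python
"""Extract the raw TCP payload that left a given port from a pcapng file (what
etl2pcapng writes). Added example, not from the answer; Ethernet/IPv4, no VLAN."""
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types

def pcapng_frames(data: bytes):
    """Yield the captured bytes of every Enhanced Packet Block."""
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if btype == EPB:  # captured length at +20, packet data starts at +28
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            yield data[off + 28:off + 28 + caplen]
        off += max(blen, 12)  # a zero block length must not loop forever

def tcp_segment(frame: bytes):
    """Return (sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or IPv4 protocol field is not 6 (TCP)
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]  # skip TCP header + options

def raw_stream_from_port(pcapng: bytes, port: int) -> bytes:
    """Concatenate payload sent from `port`, ordered by TCP sequence number; a
    retransmitted segment (same seq) is kept once. Sequence wrap is not handled."""
    segs = {}
    for frame in pcapng_frames(pcapng):
        s = tcp_segment(frame)
        if s and s[0] == port and s[3]:
            segs.setdefault(s[2], s[3])
    return b"".join(segs[k] for k in sorted(segs))

# --- constructed sample capture: appliance on TCP port 5000, client on 40000 ---
def _frame(sport, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # Ethernet header, type IPv4
def _epb(frame):
    body = struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame + b"\0" * (-len(frame) % 4)
    return struct.pack("<II", EPB, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
SAMPLE_PCAPNG = (struct.pack("<IIIHHqI", SHB, 28, 0x1A2B3C4D, 1, 0, -1, 28)  # section header
                 + struct.pack("<IIHHII", IDB, 20, 1, 0, 65535, 20)            # interface, Ethernet
                 + _epb(_frame(5000, 40000, 1005, b"WORLD"))                    # captured out of order
                 + _epb(_frame(5000, 40000, 1000, b"HELLO"))
                 + _epb(_frame(5000, 40000, 1000, b"HELLO"))                    # retransmission
                 + _epb(_frame(40000, 5000, 7, b"from client, ignored")))
```

Writing `raw_stream_from_port(open("out.pcapng", "rb").read(), <port>)` to a file gives the binary dump; for the sample above the result is `b"HELLOWORLD"`.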