I'm looking to capture all IP traffic on a Windows machine to/from all interfaces.
- I must be able to capture the process ID which generated the outgoing traffic.
- I need to be able to trigger capture from the command line and automatically parse the capture file in an external tool.
I'm trying to use netsh, which appears to be able to do the job. However I'm having problems figuring out how to extract the information I need.
Running netsh trace start persistent=yes capture=yes tracefile=xxx then netsh trace stop seems to capture the information I need. If I load the generated .etl file into Windows Message Analyzer (WMA) then I can see IP traffic along with a lot of other event information.
My specific problems are:
- How do I restrict netsh to only capture IP traffic?
- How do I parse an etl file without a tool like WMA?
Regarding the second question: I've managed to convert the etl file to an xml file (using tracerpt or netsh trace convert). However, the data seems to be incomplete. I can't see, for example, an IP address which I know traffic was sent to (confirmed in WMA). Possibly it's all hidden in some binary blob.
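One command-line route to the second question is to read the .etl directly with PowerShell's Get-WinEvent and decode the captured frames yourself. The script below is an added example, not code from the question or any of the comments; it assumes the NDIS capture events come from the provider Microsoft-Windows-NDIS-PacketCapture with event ID 1001, that the raw frame is the fourth event property, and that C:\traces\capture.etl is a placeholder path.

```powershell
# Added example: pull IPv4 source/destination and TCP/UDP ports out of a
# netsh trace .etl without Message Analyzer.
# Assumptions (not confirmed by the question): provider name, event ID 1001
# for captured fragments, and Properties[3] holding the raw Ethernet frame.
param([string]$EtlPath = 'C:\traces\capture.etl')   # placeholder path

$packets = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' -and $_.Id -eq 1001 }

foreach ($ev in $packets) {
    $frame = [byte[]]$ev.Properties[3].Value        # assumption: 4th property is the fragment
    if ($frame.Length -lt 34) { continue }           # too short for Ethernet + IPv4 headers

    $etherType = ($frame[12] -shl 8) -bor $frame[13]
    if ($etherType -ne 0x0800) { continue }          # keep IPv4 frames only

    $ihl   = ($frame[14] -band 0x0F) * 4             # IPv4 header length in bytes
    $proto = $frame[23]                              # 6 = TCP, 17 = UDP
    $src   = [System.Net.IPAddress]::new([byte[]]$frame[26..29])
    $dst   = [System.Net.IPAddress]::new([byte[]]$frame[30..33])

    $sport = $null; $dport = $null
    $l4 = 14 + $ihl
    if (($proto -eq 6 -or $proto -eq 17) -and $frame.Length -ge $l4 + 4) {
        $sport = ($frame[$l4]     -shl 8) -bor $frame[$l4 + 1]
        $dport = ($frame[$l4 + 2] -shl 8) -bor $frame[$l4 + 3]
    }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        IfIndex = $ev.Properties[0].Value            # assumption: miniport interface index
        Proto   = $proto
        Src     = '{0}:{1}' -f $src, $sport
        Dst     = '{0}:{1}' -f $dst, $dport
    }
}
```

Pipe the output to Export-Csv to feed an external checker. These NDIS events carry the frame and an interface index but no process ID, so PID attribution has to come from a different event source.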
Why would you not use WMA for this? It's meant to be used for the. Other tools that you want to use will also have to know about the file format? I don't really get what your goal here would be. As for limiting what netsh captures: Using Netsh to Manage Traces and netsh trace show capturefilterHelp. – Seth – 2017-05-26T07:58:45.757
As mentioned, I need this to be triggered from the command line. The purpose is to build a tool which can run in the background and, amongst other things, gather traffic. Using the UI isn't workable. I'm certainly open to WMA if there's a way of driving it from the command line, but I'm unaware of one. – Andrew Parker – 2017-05-26T08:17:19.597
You said you need to trigger the capture, which is done by netsh, using the command line. As netsh is already a command line tool this is pretty easy. Your current approach is meant for debugging. If you try to monitor the server you'd usually go for a mirroring of traffic and send that traffic straight to the analyzer. – Seth – 2017-05-26T08:26:58.580
I already understand how to trigger netsh and capture, that much is easy. My problem (aside from reducing capture noise) is I need to also analyse the traffic automatically. Which means processing the file without a UI or human. If WMA supports this then I'm all ears. Imagine I have a test which I need to run regularly on different machines. I want to automate end-to-end the capture and analysis and ask specific questions from the capture about which process sent what traffic. – Andrew Parker – 2017-05-26T09:41:46.527
Assuming you're writing the software yourself, why not just include output for that kind of information within the application? The Message Analyzer directory actually does contain a parse.exe. It probably won't do what you need though. How do you expect to automate the analysis if you need to supply information for that analysis? My guess is still that you're looking at the wrong kind of tool. Maybe try to include an actual example of what you would like the workflow to be, what kind of actions you're actually trying to perform and what kind of data you're interested in. – Seth – 2017-05-26T10:10:03.100
Very happy to consider other options. Not tied to netsh at all. Workflow as follows. I run a tool on many users' machines in the background. Must be easy to execute (one command line command). Tool captures all IP traffic to/from machine. For each packet I need: src IP & port, dst IP & port, PID (outbound traffic) and interface. When the tool is stopped it produces an archive which is returned to us. We analyse the capture log automatically by imposing expectations on the traffic, e.g. expect process X not to have sent traffic over interface Y; expect process X not to have sent traffic to IP Y. – Andrew Parker – 2017-05-27T01:20:46.960
Note 1: On MacOS I can already do this very easily with tcpdump. Apple have modified the stock tcpdump to output PIDs. Sadly this is not available with windump. Note 2: I have considered a solution to my problem using firewall rules for testing. However this isn't a good solution as it's invasive and changes the state of the user's machine, and also turns the user into a test dummy rather than allowing them to use their machine as normal. – Andrew Parker – 2017-05-27T01:22:58.783