I cannot install Wireshark on my server. Is there any alternative method I can use?

I cannot install Wireshark on my server. Is there any alternative method I can use?
 
Please advise
1 Solution
I would think you would like to submit a packet capture; that's why you need to install Wireshark. You can use NETSH as an alternative.

 

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Used without parameters, netsh opens the Netsh.exe command prompt and is capable of obtaining the network trace using the trace command.

 

Netsh basically exists on Windows 7, Server 2008 and above machines.

 

You can read more about this here

In many scenarios we want to capture by IP address or by UDP port (2055, 514, 162, etc.); the filter help will help us in our daily task.

Multiple filters could be used:

    netsh trace show capturefilterhelp

Most commonly used filters:

    Protocol=<protocol>
        Matches the specified filter against the IP protocol.
        e.g. Protocol=6
        e.g. Protocol=!(TCP,UDP)
        e.g. Protocol=(4-10)

    IPv4.Address=<IPv4 address>
        Matches the specified filter against both source and destination
        IPv4 addresses.
        e.g. IPv4.Address=157.59.136.1
        e.g. IPv4.Address=!(157.59.136.1)
        e.g. IPv4.Address=(157.59.136.1,157.59.136.11)

    IPv4.SourceAddress=<IPv4 address>
        Matches the specified filter against source IPv4 addresses.
        e.g. IPv4.SourceAddress=157.59.136.1

    IPv4.DestinationAddress=<IPv4 address>
        Matches the specified filter against destination IPv4 addresses.
        e.g. IPv4.DestinationAddress=157.59.136.1

For example:

    netsh trace start capture=yes Ethernet.Type=IPv4 Protocol=UDP

This captures all IPv4 UDP traffic. To stop the trace, issue the command netsh trace stop


By default the ETL file is located at C:\Users\{USERaccount}\AppData\Local\Temp\NetTraces


Convert to PCAP using PowerShell and etl2pcapng

etl2pcapng is a converter utility from ETL to PCAP, available on GitHub.

The executable could be obtained here

After extracting the files, place the ETL file in the same folder as the etl2pcapng executable.

Command:  etl2pcapng.exe NetTrace.etl output.pcapng


End Result: 276 packets captured and displayed


Once you have the ETL file and converted it to pcap, send the result over to support or you can inspect it yourself.

https://www.youtube.com/watch?v=DPKQBsL7nYk
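As an added example (not the poster's own commands), this PowerShell script chains the steps above: start a filtered netsh trace, stop it, convert the ETL with etl2pcapng, and hash the result before it is sent to support. The peer address 192.0.2.10 and the etl2pcapng path C:\Tools\etl2pcapng\etl2pcapng.exe are placeholders, and the script assumes an elevated session.

```powershell
# Added example, not the poster's commands. Assumes an elevated PowerShell session
# (netsh trace needs administrator rights) and etl2pcapng.exe at $Etl2Pcapng.
param(
    [string]$PeerAddress = '192.0.2.10',   # constructed placeholder host (TEST-NET-1)
    [string]$TraceFile   = "$env:TEMP\NetTraces\NetTrace.etl",
    [string]$Etl2Pcapng  = 'C:\Tools\etl2pcapng\etl2pcapng.exe',   # assumed location
    [int]$Seconds        = 60,
    [int]$MaxSizeMB      = 250
)

# Fail early when not elevated; netsh trace start would otherwise error out.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# netsh does not create the target directory for an explicit tracefile path.
New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

# Start the capture. IPv4.Address matches either direction, so the file holds only
# IPv4 UDP traffic to or from the peer. maxSize caps the ETL so an unattended
# capture cannot fill the disk; report=no skips the slow diagnostic cab report.
netsh trace start capture=yes Ethernet.Type=IPv4 Protocol=UDP IPv4.Address=$PeerAddress `
    tracefile="$TraceFile" maxSize=$MaxSizeMB overwrite=yes report=no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

Write-Host "Capturing IPv4 UDP to/from $PeerAddress for $Seconds seconds ..."
Start-Sleep -Seconds $Seconds

# Stop flushes the ETL to disk; on a busy host this can take a while.
netsh trace stop | Out-Null
if (-not (Test-Path $TraceFile)) { throw "Trace file not found: $TraceFile" }

# Convert next to the ETL. Port filtering (514, 2055, 162 ...) is applied afterwards
# in Wireshark: the capture filters listed above match protocol and address, not port.
$Pcap = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
& $Etl2Pcapng $TraceFile $Pcap
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Pcap)) { throw 'etl2pcapng conversion failed' }

# Record a hash so the recipient can confirm the file arrived unchanged.
$hash = Get-FileHash -Algorithm SHA256 -Path $Pcap
Write-Host ("Wrote {0} ({1:N0} bytes), SHA256 {2}" -f $Pcap, (Get-Item $Pcap).Length, $hash.Hash)
```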

5 Replies

For those who may not be able to install ANY packet capture app on their server, there are alternative options, so don't give up hope.

  • Install a packet capture utility (e.g. Wireshark) on a laptop computer. Then set up a SPAN or mirror session on the switchport(s) the server connects to, and send copies of all the packets to the port that the laptop computer connects to. Your laptop will see everything the server sends and receives (assuming your server's NIC(s) aren't sending or receiving more data than your laptop's NIC can handle). And you get the benefit of Wireshark's powerful analysis and flow tracking features.
  • Use an alternate packet capture solution from any of the major manufacturers to accomplish the same thing. Your company may already have something in place that's operated by your I.T. Security team.
  • Search for alternate tools that will work in your environment. If you're running some flavor of Unix, tcpdump is your friend. Other options, depending on your server, include Kismet, Cain & Abel, and NetworkMiner.
I vote this Best Post Ever.


Great post! 

Perfect! This works! Thank you @donrobert5 
