
Set up Wireshark capturing for a remote Windows server


Many times, while working as a Systems Administrator supporting a Windows or Linux infrastructure, you run into issues on a server that you suspect are caused by the network. It might be DNS queries that intermittently fail to resolve for no obvious reason, or a remote user on a VPN connection whose domain password is about to expire and who cannot reset it over the VPN because TCP port 464 (Kerberos password change, kpasswd) is blocked. These are just a few examples of incidents where you would want to capture network traffic on a server to find the root cause.
Below you will find step-by-step instructions for using Wireshark to capture the network traffic of a remote server. You can also capture the traffic on the problem server itself, but sometimes that server is a critical production system and you want a capture that does not consume its resources. In that case you can capture its traffic remotely. Keep in mind that remote capture only moves the work of writing the trace files off the problem server: the capture driver and daemon still run on it, and every captured packet is also sent across the network to the capturing host, so use a capture filter if the server is busy.
The command line utility dumpcap.exe in the “C:\Program Files\Wireshark” folder can be used to set up network capturing for a remote computer.
Note: you need Wireshark installed on the computer from which you run dumpcap, and a Remote Packet Capture daemon (rpcapd) on the remote target computer whose traffic you are capturing. Installing WinPcap on the target is enough; it includes rpcapd.exe and registers it as a Windows service. Installing Wireshark on the target also works, because the installer brings WinPcap along. Newer Wireshark installers bundle Npcap instead of WinPcap, and Npcap ships its own rpcapd under a different path with different defaults, so check which one is installed before following the paths below, which are for WinPcap.

Steps:
  1. Assuming that WinPcap is already installed on the remote computer, log into the target remote computer and launch the Services console (services.msc). There is a service called “Remote Packet Capture Protocol v.0 (experimental)”. Double-click it and make sure that the “Path to executable” is set to “C:\Program Files\WinPcap\rpcapd.exe” -d -n as shown in the screenshot below. If it is not, open Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd and change the value of ImagePath to “%ProgramFiles%\WinPcap\rpcapd.exe” -d -n :


-d    Forces the daemon to run in the background (as a service).
-n    Permits NULL authentication. This means that any host that can open TCP port 2002 (the rpcap default) on the target can start a capture of the target's traffic, so only use it on a network you control and restrict the port with the Windows Firewall to the address of the capture host. Without -n, rpcapd requires the username and password of an account on the target, which you pass to dumpcap with -A user:password. Note that the rpcap protocol implemented by WinPcap is not encrypted: the credentials and the captured packets both travel in clear text between the two hosts.
  2. Start the above service on the remote system, leaving its startup type set to Manual. Then go back to the system from which you plan to capture traffic and execute a “dumpcap” command similar to the one below:

dumpcap -i "rpcap://testprod2-2012/\Device\NPF_{27CA4CA8-0C06-4447-8A60-9A01575ECEA1}" -B 1 -b filesize:500 -b files:2 -w C:\temp\test.pcapng
-i <capture interface>    Specifies the network interface to capture on. In the above command, “testprod2-2012” is the remote server and “\Device\NPF_{27CA4CA8-0C06-4447-8A60-9A01575ECEA1}” is the network interface on that server. The rpcap:// prefix tells dumpcap to connect to rpcapd on the remote host; it uses TCP port 2002 unless you write rpcap://host:port/ to pick another.
-B 1    Sets the kernel capture buffer to 1 MiB (the default is 2 MiB); raise it if dumpcap reports dropped packets.
-b filesize:500 and -b files:2    Ring buffer: switch to a new file every 500 kB and keep only the two newest files.
-w C:\temp\test.pcapng    Base name of the output files. With a ring buffer, dumpcap inserts a sequence number and a timestamp into each file name.
If you want to know the names of the network interfaces available on a remote server, log into that server and run this command to list them:
dumpcap -D
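The two steps above as a PowerShell script, with the checks you want before relying on rpcapd started with -n. This is an added example, not code from the original post. It assumes WinPcap under %ProgramFiles%\WinPcap and Wireshark under %ProgramFiles%\Wireshark, Windows Server 2012 / Windows 8 or newer for the Net* cmdlets, and placeholder values for the capture host address, target name and interface. The first function runs in an elevated PowerShell on the target server, the second on the capture host.

```powershell
# Added example (not from the original post). Assumes WinPcap under
# %ProgramFiles%\WinPcap, Wireshark under %ProgramFiles%\Wireshark, and
# Windows Server 2012 / Windows 8 or newer. Host names and addresses below
# are placeholders.

#Requires -RunAsAdministrator

# ---- Run on the TARGET server (e.g. testprod2-2012) ----
function Enable-Rpcapd {
    param(
        # The only address allowed to connect; with -n there is no other control.
        [Parameter(Mandatory)][string]$CaptureHost,
        [int]$Port = 2002   # rpcap default listening port
    )
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\rpcapd'
    $expected = '"%ProgramFiles%\WinPcap\rpcapd.exe" -d -n'

    # Step 1: the service must run with -d (background) and -n (null auth).
    # Read the unexpanded REG_EXPAND_SZ value so it compares to the literal above.
    $current = (Get-Item $svcKey).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($current -ne $expected) {
        Write-Host "Correcting ImagePath (was: $current)"
        Set-ItemProperty -Path $svcKey -Name ImagePath -Value $expected -Type ExpandString
    }

    # Because -n disables authentication, scope TCP/$Port to the capture host.
    $ruleName = 'rpcapd (WinPcap) from capture host only'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $CaptureHost -Action Allow | Out-Null
    }

    # Step 2: keep the startup type Manual and start the daemon for the capture window.
    Set-Service -Name rpcapd -StartupType Manual
    Start-Service -Name rpcapd
    Start-Sleep -Seconds 2
    if (-not (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)) {
        throw "rpcapd is not listening on TCP $Port"
    }

    # Interface names as the target reports them; paste one into the rpcap:// URL.
    & (Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe') -D
}

# ---- Run on the CAPTURE host ----
function Start-RemoteCapture {
    param(
        [Parameter(Mandatory)][string]$Target,      # e.g. testprod2-2012
        [Parameter(Mandatory)][string]$Interface,   # e.g. \Device\NPF_{...} from dumpcap -D
        [string]$OutFile = 'C:\temp\test.pcapng',
        [int]$Port = 2002
    )
    # Fail fast if the port is closed or firewalled instead of letting dumpcap hang.
    if (-not (Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet)) {
        throw "TCP $Port on $Target is not reachable from this host"
    }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

    # Same options as the command in the post: 1 MiB kernel buffer and a ring
    # buffer of two 500 kB files. Stop with Ctrl+C, then stop rpcapd on the target.
    & (Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe') `
        -i "rpcap://${Target}:${Port}/$Interface" `
        -B 1 -b filesize:500 -b files:2 -w $OutFile
    if ($LASTEXITCODE -ne 0) { throw "dumpcap exited with code $LASTEXITCODE" }
}

# Usage:
#   On the target:            Enable-Rpcapd -CaptureHost 10.0.0.25
#   On the capture host:      Start-RemoteCapture -Target testprod2-2012 -Interface '\Device\NPF_{27CA4CA8-0C06-4447-8A60-9A01575ECEA1}'
#   When done, on the target: Stop-Service rpcapd
```

The firewall rule is the only thing standing between an unauthenticated rpcapd and anyone on the network, so create it before starting the service, and stop the service again as soon as the capture is finished.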
The example below shows how to run dumpcap.exe to capture network traces on the local machine.

c:\Program Files\Wireshark>dumpcap.exe -i Ethernet -b filesize:500 -b files:2 -a duration:120 -w C:\Users\ns240822\Documents\test.pcapng


In the above command, the switch “-b filesize:500” limits each capture file to 500 kB, and the switch “-b files:2” retains only the last two capture files at any time. As the stop condition I used the switch “-a duration:120”, which stops capturing after 120 seconds; without a stop condition the ring buffer keeps rotating until you press Ctrl+C. The screenshot below shows the last two capture files retained after the execution of the above command:
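A bounded local capture for the DNS and password-change scenario from the introduction, followed by a check of what the ring buffer actually left behind. This is an added example, not code from the original post. It assumes Wireshark under %ProgramFiles%\Wireshark and an interface named “Ethernet” (confirm with dumpcap -D); the capture filter and the file-size slack are my choices, not dumpcap defaults.

```powershell
# Added example (not from the original post). Assumes Wireshark under
# %ProgramFiles%\Wireshark and an interface named "Ethernet".
function Start-RingCapture {
    param(
        [string]$Interface = 'Ethernet',
        [string]$OutFile   = "$env:USERPROFILE\Documents\test.pcapng",
        [int]$FileSizeKB   = 500,   # -b filesize: start a new file after this many kB
        [int]$Files        = 2,     # -b files:    keep only the newest N files
        [int]$Seconds      = 120,   # -a duration: stop after this many seconds
        # Capture filter in pcap syntax: keep only DNS and Kerberos kpasswd
        # traffic so the small ring buffer is not filled with unrelated packets.
        [string]$Filter    = 'port 53 or tcp port 464'
    )
    $dumpcap = Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

    & $dumpcap -i $Interface -f $Filter `
        -b "filesize:$FileSizeKB" -b "files:$Files" `
        -a "duration:$Seconds" -w $OutFile
    if ($LASTEXITCODE -ne 0) { throw "dumpcap failed with exit code $LASTEXITCODE" }

    # With -b, dumpcap names the files <base>_<seq>_<timestamp>.pcapng and deletes
    # the oldest once more than $Files exist; verify that is what happened.
    $dir  = Split-Path $OutFile
    $base = [IO.Path]::GetFileNameWithoutExtension($OutFile)
    $kept = Get-ChildItem -Path $dir -Filter "${base}_*.pcapng" | Sort-Object LastWriteTime
    if ($kept.Count -gt $Files) {
        Write-Warning "Expected at most $Files capture files, found $($kept.Count)"
    }
    # dumpcap rolls over after the packet that crosses the limit, so allow one
    # maximum-size packet of slack when checking the file size.
    $limit = $FileSizeKB * 1024 + 65535
    foreach ($f in $kept) {
        if ($f.Length -gt $limit) { Write-Warning "$($f.Name) is larger than the filesize limit" }
        '{0,-45} {1,10:N0} bytes' -f $f.Name, $f.Length
    }
}

# Usage (captures for two minutes, then lists the retained files):
#   Start-RingCapture -Interface Ethernet -OutFile C:\temp\test.pcapng
```

The capture filter is applied by the driver before packets reach dumpcap, which is what keeps a 500 kB ring buffer useful on a busy server: without it, two small files can roll over in seconds and the DNS or kpasswd packets you were waiting for are gone by the time you look.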

Help information on dumpcap:
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap's native capture file format is pcapng, which is also the format used by Wireshark.
Without any options set, it will use the pcap library to capture traffic from the first available network interface and write the received raw packet data, along with the packets' time stamps, into a pcapng file. The capture filter syntax (the -f switch) follows the rules of the pcap library.
For dumpcap usage information, type “dumpcap -h” in a command prompt window and press Enter.


Thank you,

Nirav Soni


