This process requires that the remote computer runs Windows 7 or later and that you can run PSEXEC.exe against it (available from Sysinternals). You could do the same with PowerShell remoting; anything that can launch a process on the remote computer will do.
First, we need to start the trace on the remote computer. We will do this with the following command:
PSEXEC -d \\DEMOCLIENT1 netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=(192.168.0.10,192.168.0.11) IPv4.DestinationAddress=(192.168.0.10,192.168.0.11) Ethernet.Type=IPv4
You can alter what gets captured and how much data can be captured. In this example, we trace between two IP addresses, only on IPv4 and using a circular log with a maximum size of 512 MB.
Next, we generate some traffic to fill the trace, for example with Ping.exe.
Then we stop the trace on the remote computer with:
PSEXEC -d \\DEMOCLIENT1 netsh trace stop
Now we copy the trace file to the local computer, for example with:
XCOPY \\DEMOCLIENT1\C$\Temp\capture.etl c:\temp
If you still have Message Analyzer (it has since been deprecated), you can open the trace file locally now. If you don't, or you simply prefer Wireshark, follow along.
If you have Message Analyzer but prefer to use Wireshark, you can export the file to another format.
And then you can open it in Wireshark.
If you don't have Message Analyzer, use the Etl2pcapng conversion tool from GitHub.
The syntax is simple:
Etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcapng
Now you can open it again in Wireshark.
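The whole procedure above (start the filtered circular trace, let traffic flow, stop, copy, convert) as one script, using the PowerShell remoting alternative the article mentions instead of PSEXEC. This is an added example, not the article's own script. It assumes WinRM is enabled on the target, that you run it from an elevated session as a local administrator of the target, and that etl2pcapng.exe is on the PATH or passed via the hypothetical `-Etl2PcapngPath` parameter. The netsh options are exactly those of the article's command; the SHA-256 step is an addition so the copied ETL can later be verified as unaltered.

```powershell
# Added example (not the article's own code). Assumes WinRM remoting to the target,
# local-admin rights there, and etl2pcapng.exe reachable via -Etl2PcapngPath (hypothetical parameter).
param(
    [Parameter(Mandatory)][string]$ComputerName,            # e.g. DEMOCLIENT1
    [Parameter(Mandatory)][string[]]$Hosts,                 # IPv4 addresses to capture between
    [string]$RemoteTrace     = 'C:\Temp\capture.etl',       # ETL path on the remote computer
    [string]$LocalDir        = 'C:\Temp',                   # where the ETL and pcapng land locally
    [int]   $MaxSizeMB       = 512,                         # circular buffer size, as in the article
    [int]   $CaptureSeconds  = 30,                          # how long to let traffic accumulate
    [string]$Etl2PcapngPath  = 'etl2pcapng.exe'
)

$ErrorActionPreference = 'Stop'
# netsh expects the address list in parentheses: (192.168.0.10,192.168.0.11)
$addrList = '(' + ($Hosts -join ',') + ')'

# 1. Start the trace remotely with the same options the article uses with PSEXEC.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($tracefile, $maxsize, $addrs)
    $dir = Split-Path -Path $tracefile -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Each argument containing parentheses is quoted so PowerShell passes it to netsh unchanged.
    & netsh trace start capture=yes "tracefile=$tracefile" "maxsize=$maxsize" filemode=circular `
        overwrite=yes report=no correlation=no `
        "IPv4.SourceAddress=$addrs" "IPv4.DestinationAddress=$addrs" Ethernet.Type=IPv4
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
} -ArgumentList $RemoteTrace, $MaxSizeMB, $addrList

# 2. Let traffic between the filtered hosts accumulate (the article fills the trace with Ping.exe).
Start-Sleep -Seconds $CaptureSeconds

# 3. Stop the trace. netsh can take a while here while it finalises the ETL file.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    & netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}

# 4. Copy the ETL over the administrative share (C:\Temp\capture.etl -> \\HOST\C$\Temp\capture.etl)
#    and record its SHA-256 so the evidence can be checked for integrity later.
$remotePath = "\\$ComputerName\" + ($RemoteTrace -replace '^([A-Za-z]):', '$1$$')
$localEtl   = Join-Path -Path $LocalDir -ChildPath (Split-Path -Path $RemoteTrace -Leaf)
if (-not (Test-Path -Path $LocalDir)) { New-Item -ItemType Directory -Path $LocalDir | Out-Null }
Copy-Item -Path $remotePath -Destination $localEtl -Force
$hash = Get-FileHash -Path $localEtl -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, $localEtl |
    Out-File -FilePath (Join-Path -Path $LocalDir -ChildPath 'capture.sha256') -Encoding ascii

# 5. Convert to pcapng for Wireshark, using the syntax from the article: etl2pcapng <in.etl> <out.pcapng>
$pcapng = [IO.Path]::ChangeExtension($localEtl, '.pcapng')
& $Etl2PcapngPath $localEtl $pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

Write-Host "Trace ready for Wireshark: $pcapng"
Write-Host "SHA-256 of ETL:            $($hash.Hash)"
```

Run it as, for example, `.\Get-RemoteTrace.ps1 -ComputerName DEMOCLIENT1 -Hosts 192.168.0.10,192.168.0.11`. The trace is stopped inside its own Invoke-Command call rather than the first one because netsh trace sessions persist on the target after the remote session ends, which is exactly what lets the capture keep running between the start and stop steps; if the script is interrupted after step 1, run `netsh trace stop` on the target yourself so the circular buffer does not keep capturing.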