How to capture network traffic during logon

After looking at yet another entry on Mark Russinovich's blog, I figured I'd share this info with everyone.

We had a computer that would log on really, really slowly. It didn't seem to be the user profile, it wasn't some bad process, the event log didn't really have anything useful, nor did any log files (including userenv.log).

So I decided to capture the network traffic, using Wireshark. The problem is, how are you supposed to keep Wireshark running (dumping packets) when you log off and log in again? Here's how:

First, Wireshark must be installed (duh...) and you have to have PsExec handy, either on the local machine or on another one, depending on where you want to start the capture from.

Next, you're going to need to know the index of the network interface it should capture from. Open a cmd prompt, go to your Wireshark install folder and type:

dumpcap -D

Yes, that is case sensitive. You should see a list of interfaces; the physical adapter should stand out. On this box, it shows up as:

2. \Device\NPF_{7CBB213B-F378-4C1C-9AA8-D9406AEAF85E} (Realtek RTL8168B/8111B PCI-E Gigabit Ethernet NIC)

That would mean I have to use index 2.

If you start it locally, you'll be logging the logoff traffic first. So you can log off from the machine you want to capture traffic on, and run the command from a remote computer instead. Here's the important part, to do it locally:

psexec -d -s "c:\program files\wireshark\dumpcap.exe" -i 2

Assuming it's installed in "c:\program files\wireshark\". Feel free to use environment variables like %ProgramFiles% or %ProgramFiles(x86)%, or "Program Files (x86)", or whatever it's named on your system. I'm sure you can figure that part out. Notice the 2 at the end of the command line. Replace this with the index of *your* network interface (it was 2 in my case). If you pick the wrong index, it won't capture anything. Now log off and log on again; it'll capture both. You can wait a few seconds before logging in, and use that gap to filter the capture later (e.g. using frame.time_relative >= 123, where 123 is the time where you want it to start).

If you want to run it remotely, you may have to use PsExec's -u and -p switches so you're allowed to spawn the remote process on the other box, e.g. if you're not in a domain (you can try remotely spawning calc.exe or something like that first, to see if that works). This works fine:

psexec \\remote_computer_name -d -s -u your_username -p your_pwd "c:\program files\wireshark\dumpcap.exe" -i 2

Then just log in (you'll have just the login captured, unlike when you run it locally).

Once the login process is complete, start Task Manager (Ctrl-Shift-Esc) and end task on dumpcap.exe so it stops capturing.

You now have a capture file inside c:\windows\temp named something like wiresharkXXXX?????? or similar (the last characters change). Just open it in Wireshark and have at it!

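The procedure in the post above, wrapped in a PowerShell script as an added example. This is not the poster's code; it automates the same steps (read the interface index from dumpcap -D, start dumpcap detached as SYSTEM through PsExec, stop it after logon, then look at the capture past the logoff gap). Everything in it that the post does not state is an assumption of mine: the Wireshark path under $env:ProgramFiles, PsExec.exe being on PATH, the output path C:\Windows\Temp\logon-capture.pcapng, the adapter name regex, and the tshark filters used for analysis.

```powershell
# Added example (not from the original post): scripted version of the PsExec + dumpcap
# logon capture described above. Assumptions, all mine and not stated in the post:
# Wireshark is under $env:ProgramFiles\Wireshark, PsExec.exe is on PATH, and SYSTEM can
# write to C:\Windows\Temp on the target (it can by default).
param(
    [ValidateSet('Start', 'Stop', 'Analyze')]
    [string]$Action = 'Start',
    [string]$Target = '',                        # '' = this machine; otherwise a remote hostname
    [string]$User = '',                          # optional -u for PsExec; no -p, so PsExec prompts
    [string]$AdapterPattern = 'Ethernet|Realtek|Intel',   # regex matched against dumpcap -D lines
    [string]$OutFile = 'C:\Windows\Temp\logon-capture.pcapng',
    [int]$GapSeconds = 30                        # how long you wait before logging on; used by Analyze
)

$dumpcap = Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'
$tshark  = Join-Path $env:ProgramFiles 'Wireshark\tshark.exe'

# Common PsExec prefix: target (if any), EULA acceptance, and an explicit user.
# The password is deliberately not on the command line; PsExec prompts for it.
$prefix = @('-accepteula')
if ($Target) { $prefix = @("\\$Target") + $prefix }
if ($User)   { $prefix += '-u', $User }

function Get-CaptureIndex {
    # dumpcap -D prints one line per interface, e.g.
    #   2. \Device\NPF_{...} (Realtek RTL8168B/8111B PCI-E Gigabit Ethernet NIC)
    # Indices are per machine, so enumerate on the target, not on the box you type from.
    if ($Target) {
        $lines = & psexec @prefix $dumpcap -D 2>&1 | ForEach-Object { "$_" }
    } else {
        $lines = & $dumpcap -D 2>&1 | ForEach-Object { "$_" }
    }
    $hit = $lines | Where-Object { $_ -match $AdapterPattern } | Select-Object -First 1
    if (-not $hit -or $hit -notmatch '^\s*(\d+)\.') {
        throw "No interface matched '$AdapterPattern'. dumpcap -D said:`n$($lines -join "`n")"
    }
    return [int]$Matches[1]
}

switch ($Action) {
    'Start' {
        $index = Get-CaptureIndex
        Write-Host "Capturing on interface $index -> $OutFile"
        # -d detaches so the capture survives your logoff; -s runs it as SYSTEM so it is not
        # tied to the interactive session; -w names the file instead of relying on %TEMP%.
        & psexec @prefix -d -s $dumpcap -i $index -w $OutFile
        Write-Host "Now log off, wait about $GapSeconds s, then log on again."
    }
    'Stop' {
        # Same effect as ending dumpcap.exe in Task Manager. dumpcap writes packets as they
        # arrive, so a capture that is killed rather than stopped cleanly is still readable.
        if ($Target) { & psexec @prefix -s taskkill /IM dumpcap.exe /F }
        else         { Stop-Process -Name dumpcap -Force -ErrorAction Stop }
    }
    'Analyze' {
        # Skip the logoff phase using the deliberate gap, then summarise who the box talked to.
        & $tshark -r $OutFile -Y "frame.time_relative >= $GapSeconds" -q -z conv,ip
        # Logon-related protocols with delta timestamps (-t d): a slow logon often shows up as
        # one large delta before a reply from a DC, DNS or file server.
        & $tshark -r $OutFile -t d -Y "frame.time_relative >= $GapSeconds && (dns || kerberos || ldap || smb2)"
    }
}
```

Run it as `.\Capture-Logon.ps1 -Action Start` before logging off, `-Action Stop` once the desktop is back, and `-Action Analyze` to read the result; add `-Target hostname -User DOMAIN\admin` for the remote variant. Leaving `-p` off the PsExec line matters: a password passed as in the post's remote command sits in the shell history and is visible to anyone who can list the process command lines on that box, whereas PsExec prompts for it when only `-u` is given.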


Yup, that should work well.

Another way, if you have Windows 7, is to run from an elevated command prompt: "netsh trace start capture=yes persistent=yes" then "netsh trace stop".

This will create a file NetTrace.etl which can be opened with Network Monitor.

Install the latest parsers and use the following display filter "NDISPacCap_MicrosoftWindowsNDISPacketCapture".

