Things I'd do if I ever have time

Wish list

Please help a man further his career by donating expensive hardware. Cash works too.

Sniffing Traffic at the Windows Command Line

Published: 06/16/2010

So here's a common scenario: a user opens a Sev 1 ticket (due to something mission-critical being interrupted ... like checking an eBay auction) and states that he "can't connect to server ABC." Details in the ticket say something about "the browser window is blank" or "I get a connection error." Ambiguous clues, as usual.

Sometimes the problem is easy and common sense resolves it within a few questions, but sometimes it's more complex and requires digging deeper into the network traffic. But what happens if you don't have the luxury of setting up a SPAN port that can listen in on the user's machine or can't walk over to the user's location and perform a trace right then and there? You certainly can't expect the user to perform packet analysis. It's not in their job description.

That's where you as "the computer guy" come into the picture with our friend tshark.exe, located under %ProgramFiles%\Wireshark by default. This is a command-line utility that comes with a Wireshark installation. If the client machine doesn't have Wireshark installed, you can point the user to and have them quickly download and install it blindly. It's only thirteen presses of the Enter key and voilà, you now have a capture driver and sniffer application installed. The rest is up to you now, assuming, of course, that the user is able to send / receive files with you.

It kinda looks like tcpdump, but it isn't...

Most laptops these days have at least two interfaces (Ethernet and Wi-Fi). How do we determine which one to listen on? Let's list the existing interfaces with this simple parameter (run this under %ProgramFiles%\Wireshark):

tshark -D

1. \Device\NPF_{A277B78C-C644-45B6-A568-E2AC1139C0F0} (Realtek RTL8139/810x)
2. \Device\NPF_{BBCD384E-AC1F-467C-B9A8-9BF3173D1C20} (Intel(R) PRO/1000 PL)
3. \Device\NPF_{0635A275-99B8-438D-B3C3-7D22767C8047} (Microsoft)

As you can see, on my test system there are a total of three interfaces to capture from. For this article, interface 2 is the winner. We'll use the "n" parameter in the sample commands below to ensure that we don't incur the overhead and additional traffic which gets generated for name resolution lookups.

Basic capture on interface 2 to get started:

tshark.exe -ni 2

Capture on interface 2, write to a file, and show capture output (if you don't use the -S option, then all that will be displayed is an incrementing captured packet count):

tshark.exe -ni 2 -w c:\trace.cap -S

Capture on interface 2, write to a file, but only capture for 30 seconds:

tshark.exe -ni 2 -w c:\trace.cap -a duration:30

Use a ringbuffer, perform 3 captures of 15 seconds each, and write to individual files for each:

tshark.exe -ni 2 -w c:\trace.cap -b duration:15 -a files:3

Use the -R parameter to specify a filter (in this case removing all traffic occurring over TCP 3389, typically used by Remote Desktop):

tshark.exe -ni 2 -R !tcp.port==3389

Another example of this with the filter just to look for ICMP and DNS traffic:

tshark.exe -ni 2 -R "icmp or dns"

There are plenty more command parameter options, but this will get you started.

Help the user help you

So once tshark.exe is available on the user's machine, just e-mail a batch file to the user with the tshark.exe CLI options you need:

   Show example script

... ask the user save it to the desktop, and then right before the user is about to reproduce the problem, have him run the batch file to start the capture. The great thing is that the user doesn't need administrator privileges to run this, although he won't be able to install WinPcap without it to begin with. You may need to provide him some clues when presented which interface to capture on. When finished, he can Cntl+C in the CLI window when problem is reproduced (this extra step can be avoided if the batch script is only set to capture for a short time duration).

Now the user just has to send this new file (located on the desktop) to you, the IT guy who has to figure it out. Have fun. Just be sure to have the user uninstall WinPcap and Wireshark afterwards.

Too old school for tshark?

Some of you have ingrained habits which you can't (or don't want to) shake. You're used to tcpdump. Except, of course, this is Windows, so you have to use the equivalent tool windump. However, it doesn't come with WinPcap so the user would have to separately install this anyway. For this reason alone, I would opt for a Wireshark install since it rolls everything you need into one package.

Go back to the main articles list.