Tuesday, August 11, 2020

Beginning packet capturing with the Windows built-in Packet Monitor (pktmon) tool

Recently, while doing some unrelated research, I came across this link from www.bleepingcomputer.com about Windows having a built-in sniffer. I am aware of being able to use "netsh trace" to perform packet capturing, but this seems like a better option. I may be wrong. Windows having a built-in sniffer is a good thing, as most of us who work with Linux are accustomed to having "tcpdump" there by default in most cases. What I like about "pktmon.exe" on my Windows 10 (2004) is that it supports the pcapng format.

Here is Microsoft's note on pktmon.exe.

"Packet Monitor (PacketMon) is an in-box cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking, SDN, etc. It is available in-box via pktmon.exe command, and via Windows Admin Center extensions."

In this post, I will be walking through "pktmon" with as much detail as possible. Most of the resources I found online basically gave a somewhat superficial view of this tool. My intention is to make this your one-stop shop for how to use Packet Monitor.

First up, we need to ensure our terminal is running with elevated privileges. pktmon works through a kernel driver (note the "unload" command in the help below), so an ordinary prompt will not do.

Once in the elevated terminal, let's look at the help

C:\Users\SecurityNik>pktmon help
pktmon { filter | comp | reset | start | stop } [OPTIONS | help]
    Monitor internal packet propagation and packet drop reports.

Commands
    filter     Manage packet filters.
    comp       Manage registered components.

    reset      Reset counters to zero.
    start      Start packet monitoring.
    stop       Stop monitoring.
    format     Convert log file to text.
    pcapng     Convert log file to pcapng format.
    unload     Unload PktMon driver.

help
    Show help text for a command.

If you need help for a particular command, you can use, for example, "pktmon filter help".

C:\Users\SecurityNik>pktmon filter help
pktmon filter { list | add | remove } [OPTIONS | help]

Commands
    list      Display active packet filters.
    add       Add a filter to control which packets are reported.
    remove    Removes all filters.

help
    Show help text for a command.

Before we begin, let's look at the help for managing registered components via "pktmon comp help".

C:\Users\SecurityNik>pktmon comp help
pktmon comp { list | counters } [OPTIONS | help]

Commands
    list        List all active components.
    counters    Display current per-component counters.

help
    Show help text for a command.

If we look further at the help via "pktmon comp list help", we see we can show components that are hidden by default as well as specify the output to be json.

C:\Users\SecurityNik>pktmon comp list help
pktmon [comp] list
    List all active components.

-i, --show-hidden
    Show components that are hidden by default.

--json
    Output the list in JSON format.

At this point, we can list all active components via "pktmon comp list". We will use the default output rather than JSON, and add "--show-hidden" so that the components pktmon hides by default are included.

C:\Users\SecurityNik>pktmon comp list --show-hidden | more
VirtualBox Host-Only Ethernet Adapter
    Id: 13
    Driver: VBoxNetAdp6.sys
    MAC Address: 0A-00-27-00-00-05
    ifIndex: 5

    Filter Drivers:
        Id Driver      Name
        -- ------      ----
        38 wfplwfs.sys WFP Native Filter
        36 pacer.sys   QoS Packet Scheduler
        35 wfplwfs.sys WFP 802.3 Filter

    Protocols:
        Id Driver          Name        EtherType
        -- ------          ----        ---------
        96 tcpip.sys       TCPIP6      IPv6
        91 tcpip.sys       TCPIP       ARP, IPv4
        84 mslldp.sys      MSLLDP      LLDP
        83 rspndr.sys      RSPNDR      VLAN, LLTD
        82 vmnetbridge.sys VMNETBRIDGE * (All)
        81 ndisuio.sys     NDISUIO     88c7, VLAN, 802.1X
        80 lltdio.sys      LLTDIO      * (All)

    Application Protocols:
         Id Driver   Name IP Address
         -- ------   ---- ----------
        107 http.sys HTTP fe80::910f:2448:7235:77be
        101 http.sys HTTP 10.0.0.1

    ... <TRUNCATED FOR BREVITY> ...

From the output returned above, we see, for each adapter, its component Id and driver, the filter drivers and protocol bindings layered on it, and the IPv4 and IPv6 addresses bound to application protocols such as HTTP. Keep the Ids in mind: they are what the capture output reports in its "Component" column, and they can be passed to "pktmon start --components" and "pktmon pcapng --component-id" to restrict a capture or a conversion to particular components.

Let's now look at the help for the counters via "pktmon comp counters help"

C:\Users\SecurityNik>pktmon comp counters help
pktmon [comp] counters [-t { all | drop | flow }] [-z] [--json]
    Display current per-component counters.

-t, --counter-type
    Select which types of counters to show.
    Supported values are all counters (default), drops only, or flows only.

-z, --show-zeros
    Show counters that are zero in both directions.

-i, --show-hidden
    Show components that are hidden by default.

--json
    Output the counters in JSON format.

Let's now look at the counters via "pktmon comp counters --counter-type all --show-hidden"

C:\Users\SecurityNik>pktmon comp counters --counter-type all --show-hidden
All counters are zero.

Now that we have a better understanding of the registered components, let's move on to setting up our first filter, to capture traffic for a specific MAC address.

Let's verify if any filters exist via "pktmon filter list"

C:\Users\SecurityNik>pktmon filter list
There are no packet filters.

Time for our first filter. First, let's look at the help for adding a filter via "pktmon filter add help"

C:\Users\SecurityNik>pktmon filter add help
pktmon filter add <name> [-m mac [mac2]] [-v vlan] [-d { IPv4 | IPv6 | number }]
                         [-t { TCP [flags...] | UDP | ICMP | ICMPv6 | number }]
                         [-i ip [ip2]] [-p port [port2]] [-e [port]]
    Add a filter to control which packets are reported. For a packet to be
    reported, it must match all conditions specified in at least one filter.
    Up to 8 filters can be active at once.

    NOTE1: When two MACs (-m), IPs (-i), or ports (-p) are specified, the filter
           matches packets that contain both. It will not distinguish between source
           or destination for this purpose.

name
    Optional name or description of the filter.

Ethernet frame
    -m, --mac[-address]
        Match source or destination MAC address. See NOTE1 above.

    -v, --vlan
        Match by VLAN Id (VID) in the 802.1Q header.

    -d, --data-link[-protocol], --ethertype
        Match by data link (layer 2) protocol. Can be IPv4, IPv6, ARP, or
        a protocol number.

IP header
    -t, --transport[-protocol], --ip-protocol
        Match by transport (layer 4) protocol. Can be TCP, UDP, ICMP, ICMPv6, or
        a protocol number.
        To further filter TCP packets, an optional list of TCP flags to match can
        be provided. Supported flags are FIN, SYN, RST, PSH, ACK, URG, ECE, and CWR.

    -i, --ip[-address]
        Match source or destination IP address. See NOTE1 above.
        To match by subnet, use CIDR notation with the prefix length.

TCP/UDP header
    -p, --port
        Match source or destination port number. See NOTE1 above.

Encapsulation
    -e, --encap
        This filter also applies to encapsulated inner packets, in addition to the outer
        packet. Supported encapsulation methods are VXLAN, GRE, NVGRE, and IP-in-IP.
        Custom VXLAN port is optional, and defaults to 4789.

Example 1: Ping filter
        pktmon filter add MyPing -i 10.10.10.10 -t ICMP

Example 2: TCP SYN filter for SMB traffic
    pktmon filter add MySmbSyn -i 10.10.10.10 -t TCP SYN -p 445

Example 3: Subnet filter
    pktmon filter add MySubnet -i 10.10.10.0/24

Next, we add a filter for the MAC address "0A-00-27-00-00-05", which we saw above in the registered components list: it belongs to the "VirtualBox Host-Only Ethernet Adapter" (component Id 13) and carries the IP address "10.0.0.1".

C:\Users\SecurityNik>pktmon filter add VBox-Mac --mac  0A-00-27-00-00-05
Filter added.

Verify the filter exists by listing the filters again.

C:\Users\SecurityNik>pktmon filter list
 # Name     MAC Address
 - ----     -----------
 1 VBox-Mac 0A-00-27-00-00-05

Let's now look at the help for starting a capture

C:\Users\SecurityNik>pktmon start help
pktmon start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]]
             [-f] [-s] [--log-mode {circular | multi-file | real-time | memory}]
    Start packet monitoring.

-c, --components
    Select components to monitor. Can be all components, NICs only, or a
    list of component ids. Defaults to all.

-d, --drop-only
    Only report dropped packets. By default, successful packet propagation
    is reported as well.

ETW Logging
    --etw
        Start a logging session for packet capture.

    -p, --packet-size
        Number of bytes to log from each packet. To always log the entire
        packet, set this to 0. Default is 128 bytes.

    -k, --keywords
        Hexadecimal bitmask (i.e. sum of the below flags) that controls
        which events are logged. Default is 0x012.

        Flags:
        0x001 - Internal Packet Monitor errors.
        0x002 - Information about components, counters and filters.
                This information is added to the end of the log file.
        0x004 - Source and destination information for the first
                packet in NET_BUFFER_LIST group.
        0x008 - Select packet metadata from NDIS_NET_BUFFER_LIST_INFO
                enumeration.
        0x010 - Raw packet, truncated to the size specified in
                [--packet-size] parameter.

    -f, --file-name
        .etl log file. Default is PktMon.etl.

    -s, --file-size
        Maximum log file size in megabytes. Default is 512 MB.

    -l, --log-mode
        Select logging mode. Default is circular.

        circular
            New events overwrite the oldest ones when
            when the maximum file size is reached.

        multi-file
            A new log file is created when the maximum file size is reached.
            Log files are sequentially numbered. PktMon1.etl, PktMon2.etl, etc.

        real-time
            Display events and packets on screen at real time. No log file is created.
            Press Ctrl+C to stop monitoring.

        memory
            Events are written to a circular memory buffer.
            Buffer size is specified in [--file-size] parameter.
            Buffer contents is written to a log file during stop operation.

Picking "--log-mode real-time" to start things off. Once the capture is running, we do a "ping 10.0.0.104" from a second terminal. Remember, to cancel the monitor session, hit "CTRL+C", after which you should see "Flushing logs...".

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

21:31:10.816725700 PktGroupId 1, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 85, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816732400 PktGroupId 1, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 36, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816734200 PktGroupId 1, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 36, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816735900 PktGroupId 1, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 38, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816742000 PktGroupId 1, PktNumber 1, Appearance 5, Direction Tx , Type Ethernet , Component 38, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816743500 PktGroupId 1, PktNumber 1, Appearance 6, Direction Tx , Type Ethernet , Component 13, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
Flushing logs...

.... <TRUNCATED FOR BREVITY> ....

Notice that the single ARP request shows up six times. pktmon reports a packet at every component it passes through, incrementing "Appearance" each time; here component 36 is the QoS Packet Scheduler, 38 the WFP Native Filter and 13 the VirtualBox adapter itself, matching the Ids from "pktmon comp list" above. Here is what my ping looked like.

C:\Users\SecurityNik>ping 10.0.0.104 -n 1

Pinging 10.0.0.104 with 32 bytes of data:
Request timed out.

Ping statistics for 10.0.0.104:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

If we revisit the help above about "real-time" logging, it states "Display events and packets on screen at real time. No log file is created." However, when I look on my file system, a file with the default filename was created as seen below. Maybe I am missing something.

C:\Users\SecurityNik>dir PktMon.etl
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-08-07  09:42 PM        50,331,648 PktMon.etl
               1 File(s)     50,331,648 bytes
               0 Dir(s)  34,686,263,296 bytes free

If you are reading this blog and know why a file was created even though I told it to do "real-time" logging, please let me know what I might have missed.

C:\Users\SecurityNik>pktmon filter remove 
Removed all filters.

Above we removed the previously configured filters. It does not look like there is an option at present to remove a specific filter.

Let's now add a filter that focuses on ARP packets, and verify it.

C:\Users\SecurityNik>pktmon filter add ARP-Capture --ethertype arp
Filter added.

C:\Users\SecurityNik>pktmon filter list
 # Name        EtherType
 - ----        ---------
 1 ARP-Capture ARP

Starting the capture in "real-time" mode.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

21:54:33.326462700 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.......
21:54:36.322822700 PktGroupId 8, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
21:54:36.322828200 PktGroupId 8, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 11, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
Flushing logs...

Now that we know how to capture ARP packets, let's move up the stack. Once again, delete all defined filters.

C:\Users\SecurityNik>pktmon filters remove
Removed all filters.

Let's continue at the IP layer. Time to add a filter for ICMP (IP protocol 1) packets to or from 9.9.9.9. As NOTE1 in the help says, "--ip-address" matches either the source or the destination, which is why the echo replies below are captured as well. After setting the filter, we verify its creation.

C:\Users\SecurityNik>pktmon filter add IP-TCP --data-link IPv4 --ip-protocol 1 --ip-address "9.9.9.9"
Filter added.

C:\Users\SecurityNik>pktmon filter list
 # Name   EtherType Protocol IP Address
 - ----   --------- -------- ----------
 1 IP-TCP IPv4      ICMP     9.9.9.9

Once again capturing to the screen, this time setting "--packet-size" to 1500 bytes. The default is 128 bytes, which is enough for headers but truncates payloads; a value of 0 logs the entire packet.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

22:12:01.498988200 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40
... <TRUNCATED FOR BREVITY> ...
22:12:01.600308300 PktGroupId 281474976710661, PktNumber 1, Appearance 5, Direction Rx , Type Ethernet , Component 76, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
22:12:01.600310300 PktGroupId 281474976710661, PktNumber 1, Appearance 6, Direction Rx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
Flushing logs...

Looks good so far. Here is what my ping looked like. Remember, this needs to be executed after starting the capture.

C:\Users\SecurityNik>ping -n 1 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=753ms TTL=54

Ping statistics for 9.9.9.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 753ms, Maximum = 753ms, Average = 753ms


C:\Users\SecurityNik>pktmon filter remove
Removed all filters.

Modifying and extending the previous filter, we now look for TCP traffic on port 443 where the SYN flag is set. Note below that this also matches the server's SYN/ACK: as the output shows, the flag list requires the listed flags to be set but does not exclude others. I am not aware of a way of isolating the filter to only one specific flag at this time.

C:\Users\SecurityNik>pktmon filter add IP-TCP-SYN-443 --data-link IPv4 --ip-address 172.217.2.115 --transport-protocol tcp SYN --port 443
Filter added.

C:\Users\SecurityNik>pktmon filters list
 # Name           EtherType Protocol  IP Address    Port
 - ----           --------- --------  ----------    ----
 1 IP-TCP-SYN-443 IPv4      TCP (SYN) 172.217.2.115  443

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539712200 PktGroupId 562949953421500, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539714000 PktGroupId 562949953421500, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
23:02:26.599510100 PktGroupId 1688849860264106, PktNumber 1, Appearance 2, Direction Rx , Type Ethernet , Component 32, 
... <TRUNCATED FOR BREVITY>....

Here is what my PSPing looked like.

C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:65066: 63.67ms

  Sent = 0, Received = 0, Lost = 0 (0% loss),
  Minimum = 0.00ms, Maximum = 0.00ms, Average = 0.00ms
Control-C
^C

Maybe you have learned about a specific session, on a particular pair of IP addresses and ports, that you should be monitoring. Specifically, let's say there is an SSH session between "192.168.0.62:53726" and "192.168.0.4:22", as shown by the "netstat" output below.

C:\Users\SecurityNik>netstat -anop tcp | findstr /i "est" | findstr ":22"
  TCP    192.168.0.62:53726     192.168.0.4:22         ESTABLISHED     23548

Because "--ip-address" and "--port" each accept two values and then match only packets containing both (NOTE1 in the help), a single filter can pin down that one session:

C:\Users\SecurityNik>pktmon filter add --ip-address 192.168.0.4 192.168.0.62 --transport-protocol tcp --port 53726 22
Filter added.

Starting the capture and looking at the results, we see.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

10:25:13.196576300 PktGroupId 1688849860264110, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196581200 PktGroupId 1688849860264110, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196584200 PktGroupId 1688849860264110, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196585800 PktGroupId 1688849860264110, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
...<TRUNCATED FOR BREVITY>...

At this point, we should have a good idea of how to capture packets at each layer of the TCP/IP model. We first captured at the network access layer (MAC address and ARP), then at the internet layer (ICMP to and from 9.9.9.9), then at the transport layer (TCP SYN to port 443), and finally isolated a single application session (SSH on port 22) by its IP address and port pair.

Let's now write the capture out to a log file rather than the screen, using the default file name. The active filter is the TCP SYN to port 443 filter from earlier.

C:\Users\SecurityNik>pktmon filter list
 # Name           EtherType Protocol  IP Address    Port
 - ----           --------- --------  ----------    ----
 1 IP-TCP-SYN-443 IPv4      TCP (SYN) 172.217.2.115  443

Starting the capture in "multi-file" mode with a maximum file size of 1000 MB per file.

C:\Users\SecurityNik>pktmon start  --etw --log-mode multi-file --file-size 1000

Log file name:     C:\Users\SecurityNik\PktMon%d.etl
Logging mode:      Multifile
Maximum file size: 1000 MB

Active measurement started.

Now that the capture has started, let's look at the counters after generating some traffic to "www.securitynik.com" via "psping".

C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:49688: 38.02ms
Connecting to 172.217.2.115:443: from 192.168.0.62:49689: 39.07ms

Looking at the counters. Note that "comp" can be omitted, as the "pktmon [comp] counters" help showed. The Ids in this table are the same component Ids the real-time output reports in its "Component" column; 31, 32 and 33 appeared in the TCP SYN capture earlier.

C:\Users\SecurityNik>pktmon counters --show-hidden

Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
 Id Name                       Counter  Direction     Packets          Bytes | Direction     Packets          Bytes
 -- ----                       -------  ---------     -------          ----- | ---------     -------          -----
 33 Native WiFi Filter Driver  Upper    Rx                  6            396 | Tx                  6            396
 32 VirtualBox NDIS Light-W... Upper    Rx                  6            396 | Tx                  6            396
 31 QoS Packet Scheduler       Upper    Rx                  0              0 | Tx                  6            396
                                                                             |
 90 TCPIP (NDIS)               Lower    Rx                  6            396 | Tx                  6            396
 76 VMNETBRIDGE                Lower    Rx                  6            396 | Tx                  0              0
 75 NDISUIO                    Lower    Rx                  6            396 | Tx                  0              0
 74 LLTDIO                     Lower    Rx                  6            396 | Tx                  0              0

Let's now stop the capture.

C:\Users\SecurityNik>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\SecurityNik\PktMon1.etl (No events lost)

Now that we have the file, let's convert it to two different outputs. First, text.

Looking at the help for "format" via "pktmon.exe format help"

C:\Users\SecurityNik>pktmon.exe format help
pktmon format log.etl [-o log.txt] [-b] [-v [level]] [-x] [-e] [-l [port]
    Convert log file to text format.

-o, --out
    Name of the formatted text file.

-s, --stats-only
    Display log file statistical information.

Network packet formatting options

    -b, --brief
        Abbreviated packet format.

    -v, --verbose
        Verbosity level [1..3].

    -x, --hex
        Hexadecimal format.

    -e, --no-ethernet
        Don't print ethernet header.

    -l, --vxlan
        Custom VXLAN port.

Looking first at the statistics of the previously captured data in the "PktMon1.etl" file.

C:\Users\SecurityNik>pktmon format PktMon1.etl  --stats-only --verbose
Processing...

Start time              2020-08-07 23:17:46.996574700
Stop time               2020-08-07 23:22:43.422846700
Events total            788
Manifest-based events   788
WPP events              0

Provider                Microsoft-Windows-PktMon
Keywords                0000000000000012
Manifest-based events   788

Sending the output to a text file name "securitynik-pktmon.txt"

C:\Users\SecurityNik>pktmon format PktMon1.etl --out securitynik-pktmon.txt --verbose
Processing...

Events formatted:  788
Formatted file:    securitynik-pktmon.txt

Peeking into the "securitynik-pktmon.txt" file, we see:

C:\Users\SecurityNik>type securitynik-pktmon.txt | more
23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    ... <TRUNCATED FOR BREVITY> ...
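The per-component duplication seen above (the same SYN logged at component 78, then 31, and so on) makes raw line counts misleading. The following Python is an added example, not code from the post or from Microsoft: it parses this text format (both the brief real-time form and the "--verbose" form written by "pktmon format"), merges all appearances of a packet by its PktGroupId/PktNumber pair, and reports each packet's component path together with unique-packet flow counts. The sample text embedded in it is constructed to mirror the post's output.

```python
"""Parse pktmon real-time / `pktmon format` text and collapse the
per-component copies of each packet (added example, not pktmon code).
pktmon logs a packet once at every component it traverses, bumping
"Appearance"; all copies share one PktGroupId/PktNumber pair."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) PktGroupId (?P<group>\d+), PktNumber (?P<num>\d+), "
    r"Appearance (?P<app>\d+), Direction (?P<dir>Tx|Rx) ?, Type (?P<type>\w+) ?, "
    r"Component (?P<comp>\d+), Edge (?P<edge>\d+), Filter (?P<filt>\d+), "
    r"OriginalSize (?P<orig>\d+), LoggedSize (?P<logged>\d+)")
ETHERTYPE_RE = re.compile(r"ethertype (?P<et>\w+)")
PROTO_RE = re.compile(r"proto (?P<proto>\w+)")      # only present in --verbose output
_EP = r"(?P<{n}ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}})(?:\.(?P<{n}port>\d+))?"
FLOW_RE = re.compile(_EP.format(n="s") + r" > " + _EP.format(n="d") + r": (?P<rest>.*)")
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class Packet:
    group_id: int
    number: int
    timestamp: str
    direction: str
    size: int
    ethertype: str = ""
    proto: str = ""
    src: str = ""
    sport: Optional[int] = None
    dst: str = ""
    dport: Optional[int] = None
    flags: str = ""                 # tcpdump style: "S" = SYN, "S." = SYN/ACK, "P." = PSH/ACK
    path: List[Tuple[int, int, int]] = field(default_factory=list)  # (appearance, component, edge)

    def flow_key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def _decode(pkt: Packet, body: str) -> None:
    """Fill the L2-L4 fields from the joined continuation lines of one record."""
    if m := ETHERTYPE_RE.search(body):
        pkt.ethertype = m.group("et")
    if m := PROTO_RE.search(body):
        pkt.proto = m.group("proto")
    if m := FLOW_RE.search(body):               # "ip[.port] > ip[.port]: ..." (IPv4 only)
        pkt.src, pkt.dst = m.group("sip"), m.group("dip")
        pkt.sport = int(m.group("sport")) if m.group("sport") else None
        pkt.dport = int(m.group("dport")) if m.group("dport") else None
        rest = m.group("rest")
        if f := FLAGS_RE.search(rest):
            pkt.flags, pkt.proto = f.group("flags"), pkt.proto or "TCP"
        elif rest.startswith("ICMP"):
            pkt.proto = pkt.proto or "ICMP"
        elif rest.startswith("UDP"):
            pkt.proto = pkt.proto or "UDP"
    elif pkt.ethertype == "ARP":
        pkt.proto = "ARP"


def parse_pktmon_text(text: str) -> List[Packet]:
    """One Packet per (PktGroupId, PktNumber); extra appearances only extend .path."""
    packets, order, key, body = {}, [], None, []
    for line in text.splitlines() + [""]:        # sentinel flushes the last record
        m = HEADER_RE.match(line)
        if key is not None and body and (m or not line[:1].isspace()):
            if not packets[key].ethertype:        # decode each packet once
                _decode(packets[key], " ".join(body))
            body = []
        if m:
            key = (int(m.group("group")), int(m.group("num")))
            if key not in packets:
                packets[key] = Packet(key[0], key[1], m.group("ts"), m.group("dir"), int(m.group("orig")))
                order.append(key)
            packets[key].path.append((int(m.group("app")), int(m.group("comp")), int(m.group("edge"))))
        elif line[:1].isspace() and key is not None:
            body.append(line.strip())             # indented packet detail line
        else:
            key = None                            # "Processing...", "Flushing logs...", blanks
    return [packets[k] for k in order]


def flows(packets: List[Packet]) -> Counter:
    """Unique packets per (proto, src, sport, dst, dport), ignoring component copies."""
    return Counter(p.flow_key() for p in packets)


def component_path(pkt: Packet) -> List[int]:
    """Component Ids in the order pktmon saw the packet (Appearance order)."""
    return [comp for _, comp, _ in sorted(pkt.path)]


# Constructed sample in the post's format: one SYN seen at two components, its
# SYN/ACK in --verbose form, one ICMP echo request and one ARP request.
SAMPLE = """\
Processing...

23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, length 0
23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, length 0
23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, length 0
23:02:27.100000000 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40
23:02:27.200000000 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
Flushing logs...
"""

if __name__ == "__main__":
    pkts = parse_pktmon_text(SAMPLE)
    for p in pkts:
        print(p.direction, p.proto, p.src, p.sport, "->", p.dst, p.dport, p.flags or "-", "path", component_path(p))
    print(flows(pkts))
```

Run it against a file produced by "pktmon format ... --out" by replacing SAMPLE with the file contents; the flow counter then gives packet counts a firewall or IDS analyst can actually compare, instead of counts inflated by the number of filter drivers on the path.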

Let's now convert the "PktMon1.etl" file to pcapng so it can be taken to our analysis machine, where TShark/Wireshark is installed. The conversion is done with pktmon itself, so it happens on the capturing host before the file is moved.

As always, looking at the help.

C:\Users\SecurityNik>pktmon pcapng help
pktmon pcapng log.etl [-o log.pcapng]
    Convert log file to pcapng format.
    Dropped packets are not included by default.

-o, --out
    Name of the formatted pcapng file.

-d, --drop-only
    Convert dropped packets only.

-c, --component-id
    Filter packets by a specific component ID.

Let's now convert the file.

C:\Users\SecurityNik>pktmon pcapng PktMon1.etl --out securitynik-pktmon.pcapng
Processing...

Packets total:     60
Packet drop count: 0
Packets formatted: 60
Formatted file:    securitynik-pktmon.pcapng
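Pulling the steps of this post together, here is an added Python driver (not code from the post or from pktmon) that builds the filter, start, stop and pcapng commands shown above, enforces the limits the help states (two values per "--mac"/"--ip"/"--port", eight filters, TCP flags only with TCP), and can run them in order. It assumes pktmon.exe is on PATH in an elevated prompt on Windows 10 2004 or later; the component Id 78 in the usage block is an assumed adapter Id to be taken from "pktmon comp list". With the default dry run nothing is executed, so the plan can be inspected on any platform.

```python
"""Drive a pktmon capture end to end: clear filters, add new ones, start an
ETW log, wait, stop, and convert the log to pcapng (added example, not
pktmon's or the post's code). Assumes pktmon.exe on PATH in an elevated
prompt on Windows 10 2004+; dry_run=True only returns the argv plan."""
import subprocess
import time
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FILTERS = 8     # "Up to 8 filters can be active at once" (pktmon filter add help)
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}


@dataclass
class Filter:
    """One `pktmon filter add` rule. Two MACs/IPs/ports mean "both present in the
    packet", with no source/destination distinction (NOTE1 in the help)."""
    name: str
    mac: List[str] = field(default_factory=list)
    ethertype: Optional[str] = None                  # IPv4, IPv6, ARP or a number
    ip: List[str] = field(default_factory=list)      # addresses or CIDR prefixes
    transport: Optional[str] = None                  # TCP, UDP, ICMP, ICMPv6 or a number
    tcp_flags: List[str] = field(default_factory=list)
    port: List[int] = field(default_factory=list)

    def argv(self) -> List[str]:
        for what, vals in (("MAC", self.mac), ("IP", self.ip), ("port", self.port)):
            if len(vals) > 2:
                raise ValueError(f"{self.name}: at most two {what} values per filter")
        flags = [f.upper() for f in self.tcp_flags]
        if flags and (self.transport or "").upper() != "TCP":
            raise ValueError(f"{self.name}: TCP flags need --transport-protocol TCP")
        if set(flags) - TCP_FLAGS:
            raise ValueError(f"{self.name}: unsupported TCP flag(s) {sorted(set(flags) - TCP_FLAGS)}")
        args = ["pktmon", "filter", "add", self.name]
        if self.mac:
            args += ["--mac", *self.mac]
        if self.ethertype:
            args += ["--ethertype", self.ethertype]
        if self.ip:
            args += ["--ip-address", *self.ip]
        if self.transport:
            args += ["--transport-protocol", self.transport, *flags]
        if self.port:
            args += ["--port", *map(str, self.port)]
        return args


def capture_plan(filters: List[Filter], seconds: float, log_file: str = "PktMon.etl",
                 file_size_mb: int = 512, packet_size: int = 0,
                 component_id: Optional[int] = None, out: str = "capture.pcapng") -> List[List[str]]:
    """Ordered argv list for the whole workflow. packet_size=0 logs whole packets
    (the default 128 bytes truncates payloads); component_id limits the pcapng to
    one component so each packet appears once instead of once per component."""
    if len(filters) > MAX_FILTERS:
        raise ValueError(f"pktmon allows at most {MAX_FILTERS} active filters")
    plan = [["pktmon", "filter", "remove"]]            # there is no per-filter remove
    plan += [f.argv() for f in filters]
    plan.append(["pktmon", "start", "--etw", "--packet-size", str(packet_size),
                 "--log-mode", "circular", "--file-name", log_file, "--file-size", str(file_size_mb)])
    plan.append(["sleep", str(seconds)])               # pseudo-step, handled by run()
    plan.append(["pktmon", "stop"])
    convert = ["pktmon", "pcapng", log_file, "--out", out]
    if component_id is not None:
        convert += ["--component-id", str(component_id)]
    plan.append(convert)
    return plan


def run(plan: List[List[str]], dry_run: bool = True) -> List[List[str]]:
    """Execute the plan in order. If a step fails after `pktmon start`, the
    capture is stopped so the driver is not left logging to disk."""
    if dry_run:
        return plan
    started = False
    try:
        for step in plan:
            if step[0] == "sleep":
                time.sleep(float(step[1]))
                continue
            subprocess.run(step, check=True)
            started = step[:2] == ["pktmon", "start"] or (started and step[1] != "stop")
    finally:
        if started:
            subprocess.run(["pktmon", "stop"], check=False)
    return plan


if __name__ == "__main__":
    # The post's SSH-session filter: both IPs and both ports of the one connection.
    ssh = Filter("SSH-Session", ip=["192.168.0.4", "192.168.0.62"], transport="TCP", port=[53726, 22])
    for step in run(capture_plan([ssh], seconds=30, component_id=78)):   # 78: assumed adapter Id
        print(" ".join(step))
```

Circular mode is used rather than the post's multi-file mode so that the log file name is known up front for the conversion step; pass dry_run=False to actually run it.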

Reading the packets with TShark. Each packet appears once per component it traversed, so the same SYN shows up repeatedly and TShark flags the copies as "[TCP Out-Of-Order]". Converting with "--component-id" set to a single component (for example the adapter itself) yields one copy per packet, which is what you want before feeding the file to an IDS or a flow tool.

C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n | more
    1   0.000000 192.168.0.62 → 172.217.2.115 TCP 66 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000005 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    3   0.000006 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    4   0.000008 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    ... <TRUNCATED FOR BREVITY> ...

Looking at the protocol hierarchy in TShark

C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:60 bytes:3960
  ip                                     frames:60 bytes:3960
    tcp                                  frames:60 bytes:3960
===================================================================

