問題描述
如何在Windows環境中,不安裝第三方軟件的情況下(使用Windows內置指令),如何抓取網絡包呢?並且如何轉換為Wireshark 格式呢?
操作步驟
1) 以管理員模式打開CMD,使用 netsh trace start capture=yes 命令開始抓取網絡包,當需要停止時候,使用 netsh trace stop 指令。
## 開始抓取
netsh trace start capture=yes ## 停止抓取 netsh trace stop ####執行結果 C:\LBWorkSpace\tool\nettrace1\newworktrace>netsh trace start capture=yes Trace configuration: ------------------------------------------------------------------- Status: Running Trace File: C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.etl Append: Off Circular: On Max Size: 512 MB Report: Off C:\LBWorkSpace\tool\nettrace1\newworktrace>netsh trace stop Merging traces ... done Generating data collection ... done The trace file and additional troubleshooting information have been compiled as "C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.cab". File location = C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.etl Tracing session was successfully stopped.
如果之抓取指定IP地址的網絡包,可以使用如下命令:
netsh trace start capture=yes IPv4.Address=X.X.X.X
抓取動畫效果為:
2) 使用 etl2pcapng.exe 工具進行格式轉換,使用命令:
etl2pcapng.exe nettrace.etl nettrace.cap
3) 雙擊 nettrace.cap 打開 WireShark查看網絡包,使用 ip.addr == xxx.xxx.xxx.xxx 多包中的內容進行過濾
ip.addr == xxx.xxx.xxx.xxx or ip.addr == xxx.xxx.xxx.xxx
附錄一:根據IP地址過濾Wireshark文件包,只導出特定的IP網絡包
1)在Filter 輸入框中輸入過濾的IP地址: 如 ip.addr == 27.xxx.xxx.xxx
2)選擇 File --> Export Specified Packets --> Save
參考資料
etl2pcapng.exe 工具下載地址:https://files.cnblogs.com/files/lulight/etl2pcapng.zip
Wireshark 下載地址:https://www.wireshark.org/#download
How can I perform a packet capture in Windows with built-in utility? https://www.sonicwall.com/support/knowledge-base/how-can-i-perform-a-packet-capture-in-windows-with-built-in-utility/170905204545360/