Capturing a network trace in Windows

Do you need to capture some network traffic on a Windows box for further analysis, but don’t want to install additional software just… everywhere?

I usually do.

If you didn’t know, Windows has a built-in tool with which you can do just that: (among other things) capture a network trace to a file for further analysis. The tool is called netsh.

So, how do you capture traffic with netsh?

It’s fairly easy; for more options, filters and such, you can always check the accompanying help content with netsh trace start ?.

If you look at the location where you’ve saved your trace, you’ll see two files; of those two, MyTrace.etl is the one you want.

OK, but what do you do with it?

If you try to open it with, for example, Wireshark, you’ll see that it doesn’t work.

So… we have a trace file with which we can’t really do anything?!?

Not exactly!

If you have Microsoft Network Monitor (now archived, but it can be found… on the Internet) or Microsoft Message Analyzer (now retired), you can open and analyze your trace as you normally would.

If you already have Wireshark on, let’s say, your workstation, and want to keep using it for the analysis, the trace needs to be converted to a format Wireshark understands (hopefully one day Wireshark will open such .etl files natively).

You can convert it by using the free tool called etl2pcapng.

It doesn’t require installation, and if you want to use the pre-compiled binaries, they are available under etl2pcapng releases.

So, convert your (netsh) MyTrace.etl to (Wireshark’s) MyTrace.pcapng with the etl2pcapng command.

Once converted, you can open the new file (MyTrace.pcapng) in Wireshark and analyze it as you usually would.
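As an added example (not from the original post), here is a Python script that runs the whole procedure end to end: a timed netsh trace start / netsh trace stop session, a check that the .etl was written, and the etl2pcapng conversion. The trace path, capture duration and the location of etl2pcapng.exe are command-line arguments and are assumptions; the script must run from an elevated prompt on Windows.

```python
import os
import subprocess
import sys
import time

def netsh_commands(tracefile: str, max_mb: int = 250) -> dict:
    """Argument lists for a netsh packet-capture session written to `tracefile` (.etl)."""
    start = ["netsh", "trace", "start", "capture=yes", "tracefile=" + tracefile,
             "maxsize=%d" % max_mb, "overwrite=yes"]
    return {"start": start, "stop": ["netsh", "trace", "stop"]}

def trace_outputs(tracefile: str) -> dict:
    """The two files netsh leaves behind (.etl is the one you want, .cab is its report)
    plus the .pcapng that the conversion will produce."""
    base = os.path.splitext(tracefile)[0]
    return {"etl": base + ".etl", "cab": base + ".cab", "pcapng": base + ".pcapng"}

def convert_command(etl2pcapng_exe: str, etl: str, pcapng: str) -> list:
    """etl2pcapng takes the input .etl and the output .pcapng as positional arguments."""
    return [etl2pcapng_exe, etl, pcapng]

def capture_and_convert(tracefile: str, seconds: int, etl2pcapng_exe: str) -> str:
    """Run the whole procedure; needs an elevated prompt on Windows. Returns the .pcapng path."""
    cmds, outs = netsh_commands(tracefile), trace_outputs(tracefile)
    subprocess.run(cmds["start"], check=True)
    try:
        time.sleep(seconds)                          # capture window
    finally:
        subprocess.run(cmds["stop"], check=True)     # always close the session, even on Ctrl+C
    if not os.path.exists(outs["etl"]):
        raise FileNotFoundError("netsh did not produce " + outs["etl"])
    subprocess.run(convert_command(etl2pcapng_exe, outs["etl"], outs["pcapng"]), check=True)
    return outs["pcapng"]

if __name__ == "__main__":
    # usage (paths are placeholders): python capture.py C:\Traces\MyTrace.etl 30 C:\Tools\etl2pcapng.exe
    print(capture_and_convert(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```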

Hope this helps!

Cheers!

Resetting the switch – the harder way

Do you remember the (good) old Catalyst 500 series switches from Cisco?
I don’t think they are anything special nowadays (being end-of-sale and end-of-life products), but if they are in working condition, fine, I can use them.

(if you are wondering what I’m talking about, here’s the picture)

[image: WSCE500G12TCb]

Anyhow, I found one the other day (in near mint condition) and wanted to make use of it in my lab. The only problem was that its password, IP and everything else had been changed from the factory defaults, without any note or document saying to what.

So, the adventure begins…

Well, yes, you could say “But the switch works (at least the switching works). Why would any of this be a problem?” The truth: I had some spare time, and not having complete access to my newfound piece of hardware was bugging me…

The first thing I tried was browsing the Cisco website for instructions on how to reset this type of switch. Note that this switch doesn’t have a ‘console’ interface, only web management. Soon I found this article, explaining the whole process in great detail. Following the official instructions, I came to the part where my PC had to get a dynamic IP from the switch, but it was unable to get one (my PC actually got an APIPA address, but the other side wasn’t responding to queries on 169.254.0.1).

According to the instructions, my switch could have either the 169.254.0.1 or the 10.0.0.1 IP address, so I could easily set a fixed IP on my PC and the problem would be solved. What bothered me was that I hadn’t received an IP address from the switch, as I should have, and the question was why. I discovered that I’m not the only one facing this issue; there’s even an article about it on Microsoft Answers. So, the problem seems to be the DHCP BROADCAST flag on my PC (which is running Windows 10 Technical Preview, by the way). Long story short, the workaround provided didn’t help in my case.

And then I’ve taken another approach:

  • find out which address my switch has at “setup time” (the switch should be “talking” during setup, and a tool like Wireshark or Microsoft Message Analyzer (a great free tool, by the way) can probably catch this “talk”)
  • set up my PC to the corresponding IP
  • try to access the configuration page
  • set up the router as I want to

So I set up Wireshark on my PC and started capturing the traffic… a lot of traffic… traffic that needed to be filtered by something. But what should the filter be?

Not so long ago, when my girlfriend was studying for her CCNA exam, she mentioned something called Cisco Discovery Protocol (CDP), and I remembered that maybe this could help me now… so, I entered ‘cdp’ as a display filter in Wireshark and voilà: now I had something that actually seemed useful!

From there, I explored the CDP information in these filtered packets. There is a field called ‘Management Addresses’, which should be just the thing I was looking for. And it is! I saw that my switch actually has the IP 169.254.180.146! It’s also safe to say that I never would have guessed it… would you?
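To show what the ‘cdp’ filter surfaces, here is an added Python example (not part of the original post) that parses a raw CDP frame and pulls out the Device ID and Management Addresses TLVs; it also decodes the plain Addresses TLV (0x0002), which uses the same list format. The sample frame is constructed, with a made-up source MAC and device name, and carries the 169.254.180.146 address from the post.

```python
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")          # destination MAC of every CDP frame
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")      # LLC + SNAP header that carries CDP
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_MGMT_ADDRESSES = 0x0001, 0x0002, 0x0016
NLPID_IP = 0xCC                                         # protocol value meaning IPv4

def parse_address_list(value: bytes) -> list:         # list format shared by TLV 0x0002 and 0x0016
    (count,) = struct.unpack_from(">I", value, 0)
    off, addrs = 4, []
    for _ in range(count):
        proto_type, proto_len = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + proto_len]
        (addr_len,) = struct.unpack_from(">H", value, off + 2 + proto_len)
        addr = value[off + 4 + proto_len:off + 4 + proto_len + addr_len]
        off += 4 + proto_len + addr_len
        if proto_type == 1 and proto == bytes([NLPID_IP]) and addr_len == 4:
            addrs.append(".".join(str(b) for b in addr))   # dotted IPv4
        else:
            addrs.append("0x" + addr.hex())                 # anything else: raw bytes
    return addrs

def parse_cdp(frame: bytes) -> dict:
    """Walk the TLVs of an 802.3/LLC/SNAP CDP frame (the checksum is not verified)."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        raise ValueError("not a CDP frame")
    info = {"version": frame[22], "ttl": frame[23], "device_id": None, "addresses": [], "mgmt_addresses": []}
    off = 26                                     # past version, TTL and checksum
    while off + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from(">HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            raise ValueError("malformed TLV at offset %d" % off)
        value = frame[off + 4:off + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type in (TLV_ADDRESSES, TLV_MGMT_ADDRESSES):
            key = "addresses" if tlv_type == TLV_ADDRESSES else "mgmt_addresses"
            info[key] = parse_address_list(value)
        off += tlv_len
    return info

def build_tlv(tlv_type: int, value: bytes) -> bytes:  # builders for the constructed sample frame below
    return struct.pack(">HH", tlv_type, 4 + len(value)) + value
def build_ipv4_list(*ips: str) -> bytes:             # per address: proto_type=1, proto_len=1, 0xCC, addr_len=4
    return struct.pack(">I", len(ips)) + b"".join(
        bytes([1, 1, NLPID_IP, 0, 4]) + bytes(int(o) for o in ip.split(".")) for ip in ips)
# Constructed sample (not a real capture): version 2, TTL 180, checksum 0, device "lab-switch"
_body = bytes([2, 180, 0, 0]) + build_tlv(TLV_DEVICE_ID, b"lab-switch") + build_tlv(TLV_MGMT_ADDRESSES, build_ipv4_list("169.254.180.146"))
SAMPLE_FRAME = (CDP_MULTICAST + bytes.fromhex("001122334455")            # made-up source MAC
                + struct.pack(">H", len(SNAP_CDP) + len(_body)) + SNAP_CDP + _body)

if __name__ == "__main__":
    print(parse_cdp(SAMPLE_FRAME))
```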

So, now I had the IP address of the management interface on my switch, and when I opened it in my browser, this is what I got:

Now comes the easy part: I erased the system configuration, set up the new one, and the switch was finally ready to be used for whatever necessary.

And this is the end of this adventure. The switch is set to factory defaults (and then configured as needed); I used CDP and Wireshark to accomplish the task, and it was such fun! Can’t wait for the next adventure!

Happy reading!