问题描述
如何在Windows环境中,不安装第三方软件的情况下(使用Windows内置指令),如何抓取网络包呢?并且如何转换为Wireshark 格式呢?
操作步骤
1) 以管理员模式打开CMD,使用 netsh trace start capture=yes 命令开始抓取网络包,当需要停止时候,使用 netsh trace stop 指令。
## 开始抓取
netsh trace start capture=yes ## 停止抓取 netsh trace stop ####执行结果 C:\LBWorkSpace\tool\nettrace1\newworktrace>netsh trace start capture=yes Trace configuration: ------------------------------------------------------------------- Status: Running Trace File: C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.etl Append: Off Circular: On Max Size: 512 MB Report: Off C:\LBWorkSpace\tool\nettrace1\newworktrace>netsh trace stop Merging traces ... done Generating data collection ... done The trace file and additional troubleshooting information have been compiled as "C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.cab". File location = C:\Users\xxxx\AppData\Local\Temp\NetTraces\NetTrace.etl Tracing session was successfully stopped.
如果之抓取指定IP地址的网络包,可以使用如下命令:
netsh trace start capture=yes IPv4.Address=X.X.X.X
抓取动画效果为:
2) 使用 etl2pcapng.exe 工具进行格式转换,使用命令:
etl2pcapng.exe nettrace.etl nettrace.cap
3) 双击 nettrace.cap 打开 WireShark查看网络包,使用 ip.addr == xxx.xxx.xxx.xxx 多包中的内容进行过滤
ip.addr == xxx.xxx.xxx.xxx or ip.addr == xxx.xxx.xxx.xxx
附录一:根据IP地址过滤Wireshark文件包,只导出特定的IP网络包
1)在Filter 输入框中输入过滤的IP地址: 如 ip.addr == 27.xxx.xxx.xxx
2)选择 File --> Export Specified Packets --> Save
参考资料
etl2pcapng.exe 工具下载地址:https://files.cnblogs.com/files/lulight/etl2pcapng.zip
Wireshark 下载地址:https://www.wireshark.org/#download
How can I perform a packet capture in Windows with built-in utility? https://www.sonicwall.com/support/knowledge-base/how-can-i-perform-a-packet-capture-in-windows-with-built-in-utility/170905204545360/