23 August 2013

Using WireShark on Windows Server Core or Hyper-V Server - Step-by-Step

Packet capture and analysis in real-time can be invaluable for troubleshooting certain issues.  If however you

are using an operating system flavor without a GUI you might find yourself a little stuck.  The steps below will assist you in setting up your core machine and another with a GUI to enable yo to remotely capture an analyse the data.

Stuff you will need

  • WireShark
  • Nmap
  • 7zip

On your GUI (management) computer you will need to install WireShark.  This can be downloaded and installed form http://www.wireshark.org/download.html

On the source machine you will need to install the WinPcap to allow you to capture the actual traffic.  There is just one small catch.  The version of WinPcap that is included with WireShark cannot be installed silently and a such on a core machine you are stuck.  Because of this I suggest you grab the WinPcap installer from Nmap which can be installed silently.  Download the full package from http://nmap.org/download.html

Use 7zip http://www.7-zip.org/download.html  to open the nmap-x.xx-setup.exe archive and simply copy the WinPacp executable winpcap-nmap-x.xx.exe



Installation steps
I will refer to the Windows core machine as core and the full GUI machine as the Management machine
All of these steps will be performed from the management machine.  All actions that happen on the core machine can be done through a remote PowerShell session.

Steps to be done on the core machine

  • Copy the WinPcap-Nmap.exe to the core machines's c:\install
  • Open PowerShell remote session to Source machine Enter-pssession Coremachine
  • Silently install with winpcap-nmap-4.02.exe /S


Next up you will have to create a firewall exception for this to be reachable from the management machine.
Since the initial connection is made over a named port but the actual capture data is sent using the dynamic range you have to add an all port rule.


  • netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=10.10.10.10  <--- IP of you management machine


To turn this rule on or off use these two commands


  • netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
  • netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no

Next up you need ot start the WinPcap process so that we can connect to it and receiver packet data


  • Navigate to C:\Program Files\WinPcap
  • To start to packet capture service use .\rpcapd.exe -p 2002 -n

Steps to be done on the management machine
Install WireShark as per normal and launch the application


  • Select Capture Options
  • Click Manage Interfaces
  • Select Local Interfaces tab and check the Hide box next to all of them
  • Select remote Interfaces tab
  • Click add button
  • For the host specify the hostname or IP Address
  • The port default is 2002 (set with the -p switch earlier)
  • Null authentication as set with the -n switch earlier
  • OK
  • You should now see a number of interfaces added
  • Click Close



On the capture option main window you will see the remote interfaces listed now they are the once showing up as rpcap://hostname:2002/

  • Capture only the interface tied to the IP you want to trace
  • Uncheck Promiscuous mode (help to clean things up)


There will be a buffer size warning but it can be ignored, and hey presto, you are capturing packets from a remote  non GUI machine.  The process from here on in is the same as you would use WireShark with local traffic capture.



Close the door and turn off the lights
Once you have completed all of your packet capture stuff you need to close things up properly again.  This is especially important in this case considering what we have just enabled.

To stop the rpcapd.exe from running you ca use:


  • get-process rpcapd | Stop-Process


To uninstall WinPcap you can use


  • C:\Program Files\WinPcap>uninstall.exe /S


Close of the firewall by turning off the rule


  • netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no

Conclusion
With just a little bit of effort you can remotely capture network packet data.  If done correctly this is a great tool to use for troubleshooting.  I have used this not only on Windows Server Core but also on Hyper-V Server, where you don't even ever have the option of adding a GUI.  As long as you clean up when you are done it does not pose any significant security risks.



If you like this article you may also like this one.
http://blog.ittoby.com/2013/08/hyper-v-port-mirroring-and-network.html

1 comment:

Jeff Carrell said...

You can get winpcap from http://www.winpcap.org/

Cheers...Jeff

Post a Comment