Capture traffic wireshark
Stuck on robocopy with errors like
System error 64 has occurred or 53?
What protocol is your system really running robocopy in?
Smb, smb1, smb2/3
Even if Test-NetConnection (pshell) returns true does not mean that everything is ok, especially if you specified paloalto application like xxx-smbv3 when it is actually something else… smb1 or 2…..
Test-NetConnection -Computer ip -Port
Download
Do the following to capture the traffic:
Step1 with pshell (on the vm that runs the robocopy script):
netsh trace start persistent=yes capture=yes tracefile=C:\temp\nettrace_capture1.etlStep2 (on the vm that runs the robocopy script):
run robocopy file or cmd or what ever
Step3 with pshell (on the vm that runs the robocopy script):
Netsh trace stopStep4:
View the logs file for information about protocol that robocopy is trying to use, 2 or 3 or?
Make correct format for the files
tool to make output file
Etl2pcapng.exe file.etl newfile.pcapng https://github.com/microsoft/etl2pcapng/releases
Open log with wireshark, filter on ip.addr == 8.8.8.8 (remote ip where to files is stored and to be copied from)
https://en.wikiversity.org/wiki/Wireshark/Display_filter
Filter, the first is no filter, the second is only for tcp,third udp, fourth tls, fifth ip.addr and the last is showing all filters that starts with sm, hence smb, sm2 and so on. There is a suggestion if you start to type inside there, great or what…
Scenario;
on-prem win server 2016 robocopy from local to remote az win server 2019 was ok
from az win server 2019 robocopy and fetch data from on-prem winserver 2016 was not ok due to smb3 was defined in paloalto, but wireshark detected smb2 (had a running system with application protocol any and tcp 445 used for trace) and not smb3.