Networking and Security

Capture traffic wireshark

Stuck on robocopy with errors like "System error 64 has occurred" (the specified network name is no longer available) or "System error 53 has occurred" (the network path was not found)?

Which SMB version is your system really running robocopy over: SMB1, SMB2 or SMB3? How to detect, enable and disable each of them on Windows (SMB1 should stay disabled; it is the dialect without any of the later protections such as signing improvements and encryption):

https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

Even if Test-NetConnection (PowerShell) reports TcpTestSucceeded = True, that does not mean everything is fine. It only proves that TCP 445 is open. If the Palo Alto rule was written for a specific application such as xxx-smbv3 while the hosts actually negotiate something else (SMB1 or SMB2), the firewall classifies the session as a different App-ID and blocks it after the handshake.

Test-NetConnection -ComputerName <ip> -Port 445

Download Wireshark (tshark, the command-line version, ships with it):

https://www.wireshark.org/

Do the following to capture the traffic (from an elevated PowerShell prompt, on the VM that runs the robocopy script):

Step 1, start the trace:

netsh trace start persistent=yes capture=yes tracefile=C:\temp\nettrace_capture1.etl

Step 2, reproduce the problem: run the robocopy script, the single robocopy command, or whatever fails.

Step 3, stop the trace (netsh needs a moment to flush the .etl file):

netsh trace stop

Step 4, read the capture: convert the .etl as described below and look at the SMB Negotiate Protocol exchange with the remote host to see which version robocopy is really using, 2 or 3 or even 1. Note that Wireshark labels SMB 3.x as "SMB2" in the Protocol column as well; the negotiated version is the Dialect field of the Negotiate Protocol Response (display filter smb2.dialect: 0x0202 and 0x0210 are SMB 2.x, 0x0300, 0x0302 and 0x0311 are SMB 3.x).

Convert the .etl into a format Wireshark can open:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/converting-etl-files-to-pcap-files/ba-p/1133297

The tool is etl2pcapng; it reads the .etl and writes a .pcapng:

etl2pcapng.exe file.etl newfile.pcapng

https://github.com/microsoft/etl2pcapng/releases
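The four capture steps and the conversion as one script, added here as an example and not taken from the original post. It assumes an elevated PowerShell on the VM that runs robocopy, C:\temp for the trace, etl2pcapng.exe unpacked to C:\tools, and made-up share and destination paths; 8.8.8.8 is the placeholder remote IP the post uses. Get-SmbConnection is the extra check a practitioner wants: while the copy is running, the client itself reports the dialect it negotiated, before you even open Wireshark.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): capture robocopy traffic with netsh and convert it.
$ErrorActionPreference = 'Stop'

$RemoteIp = '8.8.8.8'                         # placeholder from the post: server you copy from
$Source   = "\\$RemoteIp\share\data"          # assumption: UNC path of the source share
$Dest     = 'D:\data'                         # assumption: local destination folder
$Etl      = 'C:\temp\nettrace_capture1.etl'
$Pcap     = [IO.Path]::ChangeExtension($Etl, '.pcapng')
$Etl2Pcap = 'C:\tools\etl2pcapng.exe'         # assumption: where the release was unpacked

New-Item -ItemType Directory -Path (Split-Path $Etl) -Force | Out-Null

# Reachability on TCP 445 only proves the port is open through the firewall,
# not that the SMB dialect the firewall policy expects is the one the hosts negotiate.
$tnc = Test-NetConnection -ComputerName $RemoteIp -Port 445
if (-not $tnc.TcpTestSucceeded) { throw "TCP 445 to $RemoteIp is not reachable" }

# Step 1: start the packet capture (persistent=yes keeps tracing across a reboot of this host)
netsh trace start persistent=yes capture=yes "tracefile=$Etl"
try {
    # Step 2: reproduce the problem while the trace is running
    robocopy $Source $Dest /E /R:1 /W:1 /LOG+:C:\temp\robocopy.log | Out-Null
    $rc = $LASTEXITCODE   # robocopy exit codes 0-7 are success variants, 8 and above mean failures

    # While the SMB session is still up, the client reports the dialect it actually negotiated
    Get-SmbConnection | Where-Object ServerName -eq $RemoteIp |
        Select-Object ServerName, ShareName, Dialect, Encrypted | Format-Table -AutoSize
}
finally {
    # Step 3: stop the trace; netsh flushes the .etl, which can take a while
    netsh trace stop
}

# Convert the .etl into something Wireshark opens
& $Etl2Pcap $Etl $Pcap

"robocopy exit code: $rc"
"open $Pcap in Wireshark and filter on ip.addr == $RemoteIp"
```

If the Dialect column already reads 2.1 (or 2.0.2) where the firewall rule expects SMB3, you have your answer without the capture; the .pcapng is still worth keeping because it shows whether the session was reset by the firewall or simply never got an SMB2 Negotiate response.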

Open the .pcapng with Wireshark and filter on ip.addr == 8.8.8.8 (replace 8.8.8.8 with the remote IP of the server where the files are stored and copied from).

https://en.wikiversity.org/wiki/Wireshark/Display_filter

Display filters shown in the screenshot: no filter, then tcp (TCP only), udp, tls, ip.addr == x.x.x.x, and finally the autocompletion list Wireshark offers when you type "sm" into the filter bar, which lists every field prefix starting with sm, hence smb, smb2 and so on. The suggestions appear as soon as you start typing, which is great.
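Rather than scrolling through the capture, the negotiated dialect can be pulled out with tshark, which installs with Wireshark. This is an added example and not the post's own code; it assumes tshark.exe is on PATH and that the converted capture is C:\temp\nettrace_capture1.pcapng, with 8.8.8.8 again the placeholder remote IP from the post. It also counts SMB1 Negotiate frames, because any of those means SMB1 is still enabled on the client.

```powershell
# Added example (not the post's own code): which SMB dialect did the remote host really negotiate?
$Pcap     = 'C:\temp\nettrace_capture1.pcapng'
$RemoteIp = '8.8.8.8'   # placeholder from the post: the server the files are copied from

# Dialect values carried in the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4).
# Wireshark shows all of them as "SMB2" in the Protocol column; only this field tells 2.x from 3.x.
$DialectNames = @{
    0x0202 = 'SMB 2.0.2'
    0x0210 = 'SMB 2.1'
    0x0300 = 'SMB 3.0'
    0x0302 = 'SMB 3.0.2'
    0x0311 = 'SMB 3.1.1'
    0x02FF = 'SMB 2.??? (wildcard answer to an SMB1-style negotiate)'
}

function ConvertFrom-TsharkNumber ([string]$Value) {
    # -T fields prints smb2.dialect the way Wireshark displays it (0x0311); accept plain decimal too
    if ($Value -match '^0x') { [Convert]::ToInt32($Value, 16) } else { [int]$Value }
}

# Negotiate responses (smb2.cmd 0 = NEGOTIATE, flags.response = server to client) with the remote host
$filter = "ip.addr == $RemoteIp && smb2.cmd == 0 && smb2.flags.response == 1"
$rows = tshark -r $Pcap -Y $filter -T fields -E separator=, `
    -e frame.number -e ip.src -e ip.dst -e smb2.dialect

$negotiated = foreach ($row in $rows) {
    $frame, $src, $dst, $dialect = $row -split ','
    $code = ConvertFrom-TsharkNumber $dialect
    $name = if ($DialectNames.ContainsKey($code)) { $DialectNames[$code] } else { 'unknown 0x{0:X4}' -f $code }
    [pscustomobject]@{ Frame = [int]$frame; Server = $src; Client = $dst; Dialect = $name }
}

# An SMB1 NEGOTIATE (smb.cmd 0x72) on the wire means the client still has SMB1 enabled
$smb1Frames = @(tshark -r $Pcap -Y "ip.addr == $RemoteIp && smb.cmd == 0x72" -T fields -e frame.number)

$negotiated | Format-Table -AutoSize
"SMB1 negotiate frames seen: $($smb1Frames.Count)"
if (-not $negotiated) { "no SMB2/3 negotiate response from $RemoteIp in the capture: the session never got past TCP" }
```

The Dialect column is what the firewall's App-ID is classifying: a 2.x dialect here with a rule written for SMB3 explains the block, and a capture with TCP handshake but no Negotiate response at all points at the firewall cutting the session before SMB even started.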

Scenario:

Robocopy from an on-prem Windows Server 2016 to a remote Azure Windows Server 2019 (push) was OK.

Robocopy run on the Azure Windows Server 2019 fetching data from the on-prem Windows Server 2016 (pull) was not OK: the Palo Alto rule was defined for SMB3, but Wireshark showed the hosts negotiating SMB2, not SMB3. (The trace was taken through a working rule with application any on TCP 445; with the SMB3-only rule the session would not have got far enough to capture anything useful.)

Wireshark User’s Guide
