Showing results for 
Show  only  | Search instead for 
Did you mean: 
Engaged Sweeper III
Ok guys. I have to say im quite happy about this one... Im in an environment were I have to troubleshoot clients and servers and go hunting for viruses and spam bots from time to time. so this is a must in my environment. I figure I'm not the only one. This remote packet capture is processes is crude and definitely can use some tweaking if anyone is up for it...

Files that will need to be placed in your actionpath

1. psexec (this will be used to run remote commands on the desired computer)
2. pskill (this will be used to kill a process on a remote computer.)
3. tcpdump.exe (this is the same windows tcpdump version that I used for my port mapping CA)
4. wireshark (this will need to be the portable version get it HERE

like i stated you will need two custom actions to make this work for now.

Part 1
here is the first custom action i called it packetsniff step 1

cmd.exe /K "{actionpath}psexec.exe \\{ipaddress} -c -f {actionpath}tcpdump.exe -i 3 -w \\server\c$\packetsniff_{ipaddress}.pcap

(NOTE: Here is what is happening we are accessing the desired computer with psexec then we are coping and running tcpdump on the remote computer. note -i 3 is stating that we are capturing on interface (-i) number 3 which in my environment is there Ethernet port. This might differ in your environment. run tcpdump -D to list interfaces if my above command doesnt work. the -w (Write)trigger writes the tcpdump to a file this can be to any server or computer that you as an administrator have accesses to.. Note: psexec doesnt allow you to exit this processes. IF anyone knows how to get the tcpdump to exit let me know... and we can then make this a single custom action.

Part 2
here is the first custom action i called it packetsniff step 2

cmd.exe /K "{actionpath}psexec.exe \\{ipaddress} {actionpath}\SysinternalsSuite\pskill.exe -t tcpdump.exe & {actionpath}\WiresharkPortable\WiresharkPortable.exe -r \\server\c$\packetsniff_{ipaddress}.pcap

(NOTE: You will only want to run step 2 if you are done capturing packets for that computer as running step 2 will kill the tcpdump process on the remote computer. the first part runs pskill. this is to kill the tcpdump process you can take the pskill part out of this CA if you want to have continues packet capture within wireshark. You will need to kill this processes after you are done as it will continue to write to the log file. the last part will run wireshark from the actionpath as seen above. note you might receive a few errors during this start up. it might ask you to install winpcap you can just cancel that. it might also say cant read some packets because we killed the tcpdump processes but all in all it will work like a charm.

I hope you all like this one i know i do. feel free to like a comment on how we might be able to streamline this a little better or just leave some thanks.

Engaged Sweeper III
here is a modified version this will capture 500 packets and then open wireshar. also you can keep the two actions one to run tcpdump for like 10000 packets and then run second action to start wireshark. will will allow you to monitor in semi real-time press ctl+r to refresh wireshark...

cmd.exe /K "{actionpath}psexec.exe \\{ipaddress} -c -f {actionpath}tcpdump.exe -i 3 -c 500 -w \\server\c$\packetsniff_{ipaddress}.pcap & {actionpath}\WiresharkPortable\WiresharkPortable.exe -r \\server\c$\packetsniff_{ipaddress}.pcap & exit