Command-line tcpdump on Windows
Most of the machines I work on are Linux, but sometimes I run into Windows boxes. On a desktop Wireshark is very convenient, but on many prod machines Wireshark is hard to install because of network restrictions. A tcpdump-style capture is still possible with command-line tools. This post shows how to do it with WinPcap & WinDump, and how to copy the binaries from a local machine to the production box using nothing but the Windows clipboard.
- Download and verify
  Download WinPcap and WinDump from the official site and verify the checksums:
  WinPcap → https://www.winpcap.org/install/default.htm (the driver/library WinDump needs)
  WinDump → https://www.winpcap.org/windump/install/default.htm
  Verify the checksum against the value published on the links above:
  command: certutil -hashfile xxx.exe MD5 (or SHA1)
- Convert the binary to printable text
  This command converts the binary into base64 text (certutil wraps it in BEGIN/END CERTIFICATE lines, which the decode step understands):
  certutil -encode xxx.exe xxx.txt
- Copy to the remote machine with the OS copy/paste clipboard
  Open the text file locally and copy its contents; on the remote prod box create a new text file, paste the contents into it, and save it.
- Convert the printable text back to a binary
  This command converts the text back into the executable:
  certutil -decode xxx.txt xxx.exe
  Run certutil -hashfile on the decoded file and compare it with the checksum from step one; a mismatch means the clipboard transfer was truncated or altered and the file should not be run.
- Install WinPcap step by step; WinDump.exe needs no installation
  Run WinPcap.exe and follow the installer's instructions. WinDump.exe does not need to be installed, just run it.
- Capture like tcpdump
  In my case dmp.exe is WinDump.exe; I just renamed it to dmp.exe.
  The command looks like:
  WinDump.exe -w dump.cap -s 1600 ip host 10.10.10.10
  -w: the file to write the captured packets to. -s: how many bytes of each packet to save (the snapshot length); the default is only 64, which keeps just the header part.
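As an added example (my own PowerShell, not from the original post or from the WinPcap project), the same certutil encode/decode transfer wrapped so that the hash taken locally travels with the encoded text and the decoded file on the prod box is checked before anyone runs it. The function names and the xxx.exe path are assumptions.

```powershell
# Assumed function names; BinaryPath is a placeholder such as C:\tools\xxx.exe.
# Local side: hash the binary, certutil-encode it, put "hash line + base64" on the clipboard.
function Export-ClipboardText {
    param([Parameter(Mandatory)][string]$BinaryPath, [string]$Algorithm = 'SHA256')
    $hash = (Get-FileHash -Path $BinaryPath -Algorithm $Algorithm).Hash
    $textPath = [System.IO.Path]::ChangeExtension($BinaryPath, '.txt')
    # certutil refuses to overwrite an existing output file, so clear it first.
    Remove-Item -Path $textPath -ErrorAction SilentlyContinue
    certutil -encode $BinaryPath $textPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed for $BinaryPath" }
    # First line carries the algorithm and hash; the rest is certutil's BEGIN/END CERTIFICATE block.
    $payload = "# $Algorithm $hash`r`n" + (Get-Content -Path $textPath -Raw)
    Set-Clipboard -Value $payload
    return $hash
}

# Remote side: take the pasted text from the clipboard, decode it, verify the hash.
function Import-ClipboardText {
    param([Parameter(Mandatory)][string]$BinaryPath)
    $lines = (Get-Clipboard -Raw) -split "`r?`n"
    if (-not ($lines[0] -match '^# (\w+) ([0-9A-Fa-f]+)$')) {
        throw 'Clipboard text does not start with the "# ALGORITHM HASH" line'
    }
    $algorithm, $expected = $Matches[1], $Matches[2]
    $textPath = [System.IO.Path]::ChangeExtension($BinaryPath, '.txt')
    # Strip the hash line so certutil only sees the base64 block it produced.
    Set-Content -Path $textPath -Value (($lines | Select-Object -Skip 1) -join "`r`n")
    Remove-Item -Path $BinaryPath -ErrorAction SilentlyContinue
    certutil -decode $textPath $BinaryPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed for $textPath" }
    $actual = (Get-FileHash -Path $BinaryPath -Algorithm $algorithm).Hash
    if ($actual -ne $expected) {
        # A truncated or altered paste yields a different hash; do not leave the file behind.
        Remove-Item -Path $BinaryPath
        throw "Hash mismatch after decode: expected $expected, got $actual"
    }
    return $actual
}

# Usage: Export-ClipboardText -BinaryPath 'C:\tools\xxx.exe' on the local box,
# then paste into a clipboard-aware session on the prod box and run
# Import-ClipboardText -BinaryPath 'C:\tools\xxx.exe'.
```

Both functions return the hex hash, so the value printed locally can be compared by eye with the one printed on the prod box as a second check.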