Dns Capture

Sometimes you need to do a packet capture on a Windows machine without installing anything. This is a guide on how to use the inbuilt Windows utility – netsh trace – to capture IPv4 packets. For just capturing DNS packets, capturing only UDP packets should cover most DNS traffic.

#Run this command in an elevated command prompt
netsh trace start maxSize=500 capture=yes Ethernet.Type=IPv4 Protocol=UDP report=disabled

#When you want to stop the packet capture run
netsh trace stop

For capturing all types of packets, leave out the Protocol Type:

netsh trace start maxSize=500 capture=yes Ethernet.Type=IPv4 report=disabled

Next, download etl2pcapng from Github then run the following commands to convert the .etl file to a PCAPNG.

#https://github.com/microsoft/etl2pcapng
#Convert ETL file to pcapng
.etl2pcapng.exe .NetTrace.etl nettrace.pcapng

Open the .PCAPNG file just created in Wireshark and go to File > Save As > PCAP

You now have a PCAP file that can be imported into Zeek for analysis in RITA