Neither capture method is working properly #6

Open
mythofechelon opened this issue Oct 1, 2022 · 1 comment

My environment:

  • OS: Windows 10 21H2
  • Wireshark: v3.6.8 (latest as of writing) 64-bit
  • Npcap: v1.60 (latest as of writing)
  • USBPcap: Not installed
  • Winshark: v1.1.0 (latest as of writing)

My install process:

  1. Install Wireshark.
  2. Install Winshark.
  3. Open Wireshark (as administrator) and select Edit > Preferences... > Protocols > DLT_USER > Edit... > + and, for User 0 (DLT=147), set the payload protocol to winshark (other instructions say to use etw, but Wireshark says dissector not found).

Following the instructions, what I do and see for capture method 1:

  1. Open PowerShell as administrator and run the command pktmon start -c -m real-time (real-mode is stated in the Winshark documentation, but this is not a valid argument).
  2. Open Wireshark as administrator and start a capture on the interface Pktmon. No network-level data is displayed, only Microsoft-Windows-PktMon.
  3. Switch to the PowerShell window and, to stop the capture, press CTRL + C.

Following the instructions, what I do and see for capture method 2:

  1. Open PowerShell as administrator and run the commands netsh.exe trace start capture=yes report=no correlation=no and then logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets.
  2. Open Wireshark as administrator and start a capture on the interface Winshark-PacketCapture. Only layer 2 network-level data is displayed.
  3. Switch to the PowerShell window and, to stop the captures, run the commands netsh.exe trace stop (this one can take a little while and a lot of CPU for the data collection to complete) and then logman stop Winshark-PacketCapture -ets. (I'd like to see this included in the documentation for others.)
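
The start and stop sequence for capture method 2 above, wrapped as an added PowerShell example (not code from the Winshark project or from the reporter). It checks for elevation and for an already-running session before starting, and stops netsh before logman in the order the report gives; the function names and the Test-EtwSessionRunning helper are this example's own.

```powershell
# Session and provider names are taken from the capture method 2 steps above.
$SessionName = 'Winshark-PacketCapture'
$Provider    = 'Microsoft-Windows-NDIS-PacketCapture'

function Test-IsAdministrator {
    # Both netsh trace and logman -ets need an elevated console.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-EtwSessionRunning {
    param([string]$Name)
    # 'logman query -ets' lists the ETW trace sessions that are currently running.
    $running = & logman.exe query -ets 2>$null
    return [bool]($running | Select-String -SimpleMatch $Name)
}

function Start-WinsharkCapture {
    if (-not (Test-IsAdministrator)) {
        throw 'Run this from a PowerShell window opened as administrator.'
    }
    if (Test-EtwSessionRunning $SessionName) {
        throw "ETW session '$SessionName' is already running; stop it first."
    }
    # Step 1 of capture method 2: start the NDIS trace, then the real-time ETW session.
    & netsh.exe trace start capture=yes report=no correlation=no
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
    & logman.exe start $SessionName -p $Provider -rt -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }
    Write-Host "Capture running. In Wireshark (as administrator) select the '$SessionName' interface."
}

function Stop-WinsharkCapture {
    # Step 3 of capture method 2: netsh first (this can take a while and
    # uses a lot of CPU while it finishes collecting), then the logman session.
    & netsh.exe trace stop
    if (Test-EtwSessionRunning $SessionName) {
        & logman.exe stop $SessionName -ets
    }
}
```

Dot-source the script in an elevated PowerShell window, call Start-WinsharkCapture, capture in Wireshark, then call Stop-WinsharkCapture.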
mgp25 commented Nov 25, 2022

Facing exactly the same as @mythofechelon
