Capturing a tcpdump from the command line on Windows

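Our production machines are usually Linux, but occasionally we run into Windows. In a desktop environment Wireshark is very convenient, but on some prod machines it is hard to install Wireshark because of various network restrictions. A tcpdump can still be produced with a few command-line tools. This post shows how to capture one with WinPcap & WinDump, and how to copy the tools from the local machine to the production environment through the Windows clipboard.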

  1. Download and verify
    Download WinPcap and WinDump from the official site and verify the checksums:
    WinPcap → https://www.winpcap.org/install/default.htm (required by WinDump)
    WinDump → https://www.winpcap.org/windump/install/default.htm
    Verify the checksum (see the links above for the latest checksum) with:
    certUtil -hashfile xxx.exe md5|sha1

  2. Convert the binary to printable text
    This command converts a binary file to printable text:
    certutil -encode xxx.exe xxx.txt

  3. Copy to the remote machine through the clipboard
    Use the OS copy/paste clipboard to move the text to the remote Windows machine:
    open the text file and copy its content, create a new text file on the remote prod box, paste the content into it, then save it.

  4. Convert the printable text back to a binary
    This command converts the text back to the exe:
    certutil -decode xxx.txt xxx.exe

  5. Install WinPcap step by step; WinDump.exe runs directly without installation
    Launch the WinPcap installer and follow its instructions. WinDump.exe does not need to be installed, just run it.

  6. Capture the tcpdump
    dmp.exe here is WinDump.exe; I just renamed it to dmp.exe.
    The command looks like:
    WinDump.exe -w dump.cap -s 1600 ip host 10.10.10.10
    -w: the file to store the captured data in
    -s: how many bytes to save per packet; the default is only 64, which covers just the header part
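
Steps 1 to 4 can be closed with a check on the remote machine that the pasted text decodes back to exactly the binary that was verified locally. The PowerShell function below is an added example, not part of the original post; the name `Restore-PastedBinary` and its parameters are hypothetical, and the file names and digest in the usage line are placeholders.

```powershell
# Added example: decode a pasted "certutil -encode" file and verify its hash.
function Restore-PastedBinary {
    param(
        [Parameter(Mandatory=$true)][string]$TextFile,      # pasted output of "certutil -encode"
        [Parameter(Mandatory=$true)][string]$OutFile,       # binary to reconstruct
        [Parameter(Mandatory=$true)][string]$ExpectedHash,  # digest taken on the source machine
        [ValidateSet('MD5','SHA1')][string]$Algorithm = 'SHA1'
    )

    # certutil -encode wraps the Base64 body in these two marker lines;
    # a truncated paste usually loses the closing one.
    $lines = @(Get-Content -LiteralPath $TextFile | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -lt 3 -or
        $lines[0].Trim()  -ne '-----BEGIN CERTIFICATE-----' -or
        $lines[-1].Trim() -ne '-----END CERTIFICATE-----') {
        throw "$TextFile is not a complete certutil -encode file (paste truncated?)"
    }
    if (Test-Path -LiteralPath $OutFile) { throw "$OutFile already exists; refusing to overwrite" }

    & certutil.exe -decode $TextFile $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed with exit code $LASTEXITCODE" }

    # Hash the result with the same tool as step 1. The digest is the only
    # output line made up solely of hex digits (some versions space the bytes).
    $digestLine = & certutil.exe -hashfile $OutFile $Algorithm |
        Where-Object { $_ -match '^[0-9a-fA-F ]+$' } | Select-Object -First 1
    $actual   = ("$digestLine" -replace '\s', '').ToLower()
    $expected = ($ExpectedHash -replace '\s', '').ToLower()

    if ($actual -eq '' -or $actual -ne $expected) {
        Remove-Item -LiteralPath $OutFile   # never leave an unverified executable behind
        throw "Hash mismatch for ${OutFile}: expected $expected, got $actual"
    }
    Write-Output "OK: $OutFile matches $Algorithm $expected"
}

# Placeholder file names and digest; substitute your own.
# Restore-PastedBinary -TextFile .\xxx.txt -OutFile .\xxx.exe -ExpectedHash '<digest from source machine>'
```

Run it once per transferred file before starting the WinPcap installer or WinDump.exe, so a clipboard truncation or a tampered paste is caught before anything executes.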