Live Response - Capturing network traffic

  REVIEWED by Sophos 

Given the ability to utilize Live Query, specifically the tables 'sophos_http_journal', 'sophos_ip_journal', 'sophos_url_journal', etc. I can see how it might be interesting to conduct a packet trace via Live Response.

When people think of a network trace, Wireshark immediately jumps to mind, but when faced with a command line, although you do have a few options, what is the right tool for the job?

If Wireshark is installed on the endpoint already, you could run the following command to first list the interfaces:

&"C:\Program Files\Wireshark\tshark.exe" -D

Before starting a capture to log to file (the number after -i is the interface index shown in the -D listing):

&"C:\Program Files\Wireshark\tshark.exe" -i 8 -w C:\wscap.pcap

This will get you a trace you can then open with Wireshark and make of it what you will.

Then there are other tools like rawcap.exe, a lightweight, nifty command-line tool that was much used to capture loopback traffic before Wireshark 3 came along.

For ease of use, however, you don't need third-party tools installed to gather a meaningful trace; there are built-in options:

  1. netsh.exe - This has the ability to capture a network trace and there are plenty of articles on how to do so.
  2. PowerShell to initiate a trace.  The rest of this braindump will focus on this method because it's possibly one you may not have used.

To start a trace, from an administrative PowerShell prompt you can run the following commands:

New-NetEventSession -Name "NetCap" -CaptureMode SaveToFile -LocalFilePath "C:\nettrace.etl"
Add-NetEventPacketCaptureProvider -SessionName "NetCap" -Level 5 -CaptureType Physical
Start-NetEventSession -Name "NetCap"

Reproduce the traffic you need to observe, before running:

Stop-NetEventSession -Name "NetCap"
Remove-NetEventSession -Name "NetCap"

This will generate a file called C:\nettrace.etl that you can copy to your own computer to analyse.

To open the trace, not too long ago I would have suggested Microsoft Message Analyzer.  Sadly, this has been retired by Microsoft, so the tool that is still available is Microsoft Network Monitor version 3.4 - https://www.microsoft.com/en-gb/download/confirmation.aspx?id=4865.  Once installed you can open the .etl file.  The first thing to do is go to Tools - Options, and on the Parser Profiles tab change the profile to Windows and click Set as active.  The trace should start to look a bit more familiar at this point.

The benefit of a .etl trace such as this is that you can link the traffic to the process that generated it. This can be seen in the "NetEvent.Header" section of each frame. This makes it possible to filter the traffic down to a specific process, for example:

NetEvent.Header.ProcessId == 0x3b24

You can also use the decimal value for the PID, e.g.

NetEvent.Header.ProcessId == 15140

Other NetEvent.Header fields can be seen in the frame details view, or you can consult the Data Type Definition file if needed.

Here are a few filters to give you an idea of the syntax if you're more familiar with the filters in Wireshark:

HTTP.Request.HeaderFields.UserAgent == " Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1"
HTTP.Request.Command == "GET"
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Extns.ClientHelloExtension.ServerNameList.ServerName == "live.sysinternals.com"
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Extns.ClientHelloExtension.ServerNameList.ServerName != ""
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ServerHello
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ServerHello.Version

Of course, the traffic captured can be filtered at source if needed by adjusting the PowerShell commands.  For example, to capture just IPv4 traffic, TCP or UDP, to and from 192.168.0.1, you could use the following provider command when setting up the trace:

Add-NetEventPacketCaptureProvider -SessionName "NetCap" -Level 5 -CaptureType Physical -EtherType 0x0800 -IPAddresses 192.168.0.1 -IpProtocols 6,17
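As an added example (not from the original post), the same session lifecycle described above and the source filter just shown, wrapped in one function so the session is always stopped and removed even if the capture is interrupted, and so a stale session of the same name does not block a new one. It assumes an elevated PowerShell prompt and the built-in NetEventPacketCapture module; the function name, parameters and the 30-second duration are my own choices.

```powershell
# Added example, not code from the original post. Assumes an elevated prompt and
# the NetEventPacketCapture cmdlets (New/Add/Start/Stop/Remove-NetEventSession).
function Invoke-NetEventCapture {
    [CmdletBinding()]
    param(
        [string]$Name = "NetCap",
        [string]$Path = "C:\nettrace.etl",
        [int]$Seconds = 60,                # how long to capture before stopping
        [string[]]$IpAddresses,            # optional: filter to these IPv4 hosts at source
        [byte[]]$IpProtocols = @(6, 17)    # TCP and UDP, used only with -IpAddresses
    )

    # A leftover session with the same name makes New-NetEventSession fail,
    # so stop and remove any existing one first.
    if (Get-NetEventSession -Name $Name -ErrorAction SilentlyContinue) {
        Stop-NetEventSession -Name $Name -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $Name
    }

    New-NetEventSession -Name $Name -CaptureMode SaveToFile -LocalFilePath $Path | Out-Null

    # Build the provider arguments; add the IPv4/host/protocol filter only when asked.
    $provider = @{ SessionName = $Name; Level = 5; CaptureType = 'Physical' }
    if ($IpAddresses) {
        $provider += @{ EtherType = 0x0800; IpAddresses = $IpAddresses; IpProtocols = $IpProtocols }
    }
    Add-NetEventPacketCaptureProvider @provider | Out-Null

    try {
        Start-NetEventSession -Name $Name
        Write-Host "Capturing to $Path for $Seconds seconds; reproduce the traffic now."
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Runs even on Ctrl+C, so the ETW session never lingers on the endpoint.
        Stop-NetEventSession -Name $Name -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $Name
    }

    # Return the .etl so the caller can copy it off the host for Network Monitor.
    Get-Item -Path $Path
}

# Usage: 30-second capture of TCP/UDP to and from 192.168.0.1 only.
Invoke-NetEventCapture -Seconds 30 -IpAddresses 192.168.0.1
```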

Hopefully, this is some useful reference material if you need to create a quick packet capture on Windows from the command line and it's ideal for attributing network traffic to a specific process.

Regards,
Jak