Windows Networking & Packet Capture

Some customers have a very locked-down environment. This guide is focused on tools that ship with Windows, since we assume the customer cannot download anything without significant lead time (e.g. three months to get Wireshark approved).

Packet Capture

The built-in Windows equivalent of tcpdump is pktmon (Packet Monitor, included since Windows 10 1809 / Server 2019). It is a command-line tool that runs from an elevated PowerShell or cmd prompt. Captures are written in the .etl (Event Trace Log) format.

Setup

Finding the Network Interface Card ID

pktmon comp list

Sample Output

[Screenshot of pktmon comp list output, not reproduced here]

You will likely see a NIC for Wi-Fi; if the manufacturer is kind, "WiFi" or "Wireless" will be in the name. Pick the wired Ethernet adapter the sensor is connected to and note its Id, since that number is what --comp takes below.

Filters

Reset filters

pktmon filter remove

Add a filter

You may not need this if the only thing on the NIC is the sensor (e.g. directly connected rather than through a switch). The -i (--ip) option matches on source or destination IP address, not hostname, so resolve the sensor's hostname first (nslookup) if you only know its name.

pktmon filter add -i <sensor IP address>

PCAP Conversion

pktmon can convert its own .etl output to pcapng without any extra download: pktmon etl2pcap <capture.etl> -o <capture.pcapng> (newer builds name this subcommand pktmon pcapng). The resulting file opens in Wireshark on any machine that has it. pktmon format <capture.etl> -o <capture.txt> renders the capture as plain text if no Wireshark is available at all.

Running with Terminal Output

pktmon start -c -m rt -s 16 --comp <number>

-c starts a capture, -m rt selects real-time mode (packets are printed to the console as they arrive instead of only being logged), -s 16 caps the log file at 16 MB, and --comp restricts the capture to the component Id found above. Press Ctrl+C to end the real-time session; a capture that is logging to a file is ended with pktmon stop. Packets are truncated to 128 bytes by default, so add --pkt-size 0 when you need full payloads.
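The whole capture procedure above, from picking the adapter to a pcapng file, as one added example script (not from the original page or from Ouster). It assumes an elevated PowerShell prompt, a sensor at 192.168.1.10, a wired adapter with component Id 9 and C:\Temp as the output directory; substitute your own values.

```powershell
# Added example: end-to-end pktmon capture of sensor traffic to a pcapng file.
# Run from an elevated PowerShell prompt. All addresses, Ids and paths below
# are assumed placeholders; replace them with your own.

$SensorIp = '192.168.1.10'   # assumed sensor address (resolve a hostname first with nslookup)
$OutDir   = 'C:\Temp'
$Etl      = Join-Path $OutDir 'sensor.etl'
$Pcap     = Join-Path $OutDir 'sensor.pcapng'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. List components and pick the Id of the wired adapter the sensor is plugged into.
pktmon comp list
$CompId = 9   # assumed; read the real Id from the list above

# 2. Reset any stale filters, then match only traffic to or from the sensor.
pktmon filter remove
pktmon filter add SensorOnly -i $SensorIp
pktmon filter list

# 3. Capture on that adapter only. --pkt-size 0 disables the default 128-byte
#    truncation; the log is a 64 MB circular file so it cannot fill the disk.
pktmon start --capture --comp $CompId --pkt-size 0 -m circular -s 64 -f $Etl
Read-Host 'Reproduce the problem now, then press Enter to stop the capture'
pktmon stop

# 4. Convert to pcapng for Wireshark on a machine that has it
#    (newer Windows builds call this subcommand 'pktmon pcapng').
pktmon etl2pcap $Etl -o $Pcap

# 5. Sanity check without Wireshark: render the capture as text and peek at it.
$Txt = Join-Path $OutDir 'sensor.txt'
pktmon format $Etl -o $Txt
Get-Content $Txt -TotalCount 20
```

If the text rendering in step 5 is empty, re-check the component Id and the filter: a filter that never matches produces a valid but empty capture, and the symptom looks identical to the sensor sending nothing.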

Further Reading

https://rickardnobel.se/part-3-using-pktmon-in-a-tcpdump-like-mode/

Investigate Firewall

Ideas from Google Gemini:

A Unified Troubleshooting Workflow
The entire diagnostic procedure can be summarized as a sequential checklist. If a step resolves the issue, the subsequent steps are unnecessary.

  1. Verify Application Listener: Use netstat -abno -p UDP (from an elevated prompt; -b needs it to show the owning executable) to confirm the target application is actively listening on the correct UDP port. If not, the issue is with the application.

  2. Check Network Profile: Use Get-NetConnectionProfile in PowerShell to check the active network's profile. If it is Public for a trusted LAN, change it to Private using Set-NetConnectionProfile and re-test.

  3. Check for Third-Party Management: Open the Windows Security app. If the firewall is managed by a vendor, the native firewall is not the culprit. Proceed to temporarily disable the third-party firewall via its own interface to confirm it is the blocker. If so, configure an exception within that software.

  4. Audit Windows Firewall Block Rules: Use wf.msc or Get-NetFirewallRule -Action Block to systematically search for any explicit Block rule that could match the application, port, or protocol. Disable or delete any conflicting rules.

  5. Verify or Create an Allow Rule: Ensure a specific, enabled Allow rule exists for the application's program path, UDP protocol, and port, applied to the correct network profile.

  6. Analyze Firewall Logs: If the block persists, enable logging of dropped packets for the active profile in wf.msc. Increase the log size and use a profile-specific name. Examine pfirewall.log (by default under %SystemRoot%\System32\LogFiles\Firewall\) for DROP entries matching the traffic.

  7. Enable WFP Auditing: As a final step, enable failure auditing for "Filtering Platform Packet Drop" and "Filtering Platform Connection" using auditpol.exe.

  8. Capture and Correlate: Reproduce the block, find the corresponding Event ID 5152/5157 in the Security Event Log, and copy the Filter Run-Time ID.

  9. Find the Ground Truth: Run netsh wfp show state to generate wfpstate.xml. Search this file for the captured Filter Run-Time ID to find the exact name of the filter or rule responsible for the block.
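Steps 7 to 9 of the checklist, automated, as an added example (not from the original page, not from Gemini's text, and not Ouster's tooling). It assumes an elevated PowerShell prompt, that the blocked application uses UDP port 7502 (an example value; substitute yours), and that in wfpstate.xml each filter's <filterId> element sits beside its <displayData><name> element, which is the layout netsh wfp show state produces on current Windows builds.

```powershell
# Added example: trace a WFP drop from the Security log back to the filter that caused it.
# Run from an elevated PowerShell prompt. $UdpPort is an assumed example value.

$UdpPort  = 7502
$StateXml = Join-Path $env:TEMP 'wfpstate.xml'

# Step 7: failure auditing for WFP packet drops (event 5152) and blocked connections (5157).
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

$Since = Get-Date
Read-Host 'Reproduce the block now, then press Enter'

# Step 8: pull the 5152/5157 events written since $Since and flatten their EventData.
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5152, 5157; StartTime = $Since
} -ErrorAction SilentlyContinue

$Hits = foreach ($ev in $Events) {
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Protocol 17 is UDP; keep only drops that touch our port on either side.
    if ($data.Protocol -eq '17' -and ($data.DestPort -eq "$UdpPort" -or $data.SourcePort -eq "$UdpPort")) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            EventId     = $ev.Id
            Application = $data.Application
            Source      = "$($data.SourceAddress):$($data.SourcePort)"
            Dest        = "$($data.DestAddress):$($data.DestPort)"
            Layer       = $data.LayerName
            FilterRTID  = $data.FilterRTID     # the Filter Run-Time ID we need for step 9
        }
    }
}
$Hits | Format-Table -AutoSize

# Step 9: dump the live WFP state and map each Filter Run-Time ID to its owning filter.
netsh wfp show state file="$StateXml" | Out-Null
$State = [xml](Get-Content -Raw $StateXml)

foreach ($id in ($Hits.FilterRTID | Sort-Object -Unique)) {
    $node = $State.SelectSingleNode("//filterId[.='$id']")
    if (-not $node) { Write-Warning "Filter $id not present in $StateXml"; continue }
    $f = $node.ParentNode   # assumed layout: <item> holding filterId, displayData, providerKey, action
    [pscustomobject]@{
        FilterRTID  = $id
        Name        = $f.displayData.name
        Description = $f.displayData.description
        Provider    = $f.providerKey
        Action      = $f.action.type
    }
}
```

The provider key in the last table is the quickest tell: a filter owned by the Windows Firewall provider points back to a rule you can fix in wf.msc, while a filter from another provider means a third-party product (endpoint security, VPN client) installed its own WFP callout and the native firewall rules are irrelevant.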

^ This helped a customer's IT team figure out why Ouster Studio and ouster-cli wouldn't visualize a point cloud.