Tag Archives: Windows Terminal Howto

Windows Terminal is a multi-tabbed terminal emulator from Microsoft for Windows 10 and 11. Each command-line application runs in its own tab; PowerShell, WSL, SSH, and the Azure Cloud Shell Connector are preconfigured.

How to fix network problems with tcpdump in Windows

tcpdump is a free command-line utility for monitoring and evaluating network traffic. It is often used to analyze network problems and to help with troubleshooting, and it also serves as a security tool.

tcpdump is a powerful and versatile tool that contains many options and filters and is used in a variety of cases. Since it is a command-line tool, it is ideal to run it on virtual servers or devices that operate without a graphical user interface (GUI), or even to collect data that can be analyzed later.

tcpdump is available under a BSD license and is pre-installed in the base system of most Unix operating systems such as FreeBSD and Linux. For Windows there is a port of tcpdump named WinDump, which is also freely available.

This tutorial shows how to install and use WinDump on Windows 11.

Installation

WinPcap is a system requirement. This freely available program library consists of a driver that allows access to the network card. WinPcap is based on the "libpcap" library known from Unix/Linux, which implements the pcap interface. The WinPcap modules intercept network packets and forward them, bypassing the protocol stack.

Installing WinPcap

First, the WinPcap driver is downloaded and installed here.

WinPcap Installation

The WinPcap Setup Wizard guides you through the installation in three clicks; the suggested settings can be accepted. The computer does not have to be restarted after installing WinPcap. WinPcap puts the network interface into promiscuous mode, so that all packets seen on this interface are captured and forwarded to the network stack, which allows WinDump to evaluate and decode them.

Installing WinDump

After WinPcap is installed, WinDump can be downloaded here. WinDump is a command-line tool that does not have to be installed. The file WinDump.exe can be copied, for example, to a newly created folder WinDump under Program Files, or directly into the SystemRoot (C:\Windows), in which case no search path (PATH) entry is needed.

WinDump can now be run. Open a command prompt as an administrator by pressing the Windows key, searching for Command Prompt, and clicking Run as administrator.

Command Prompt Run as Administrator

With the -D option, WinDump displays a list of the network interfaces available on the system on which WinDump can listen to packets. Windows assigns a GUID to each of these network interfaces.

View WinDump -D Network Interfaces

Which GUID belongs to which network interface? On my laptop I want to capture the packets of the WLAN adapter with WinDump.

This is where the command-line tool netsh helps to provide the information.

If you want to capture packets from the wired LAN Ethernet port, the DOT3SVC service must be running. If it is not started, execute the following command.

net start DOT3SVC

For Wi-Fi, the WLAN service must be started.

net start WLANSVC

With the service running, netsh can provide the desired information with the following command in the command prompt.

Use the netsh lan command for the LAN Ethernet port.

netsh lan show interfaces

Here on my laptop I use the WLAN network interface.

netsh wlan show interfaces

The command shows us the GUID of the WLAN network interface.


In the screenshot the GUID of my WLAN adapter is framed in red. As a reminder, in the output of WinDump -D this interface appears as entry 4.

WinDump -D Network Interfaces 4

On my laptop WinDump should listen on interface 4 from the WinDump -D list. The interface is selected with the -i option followed by \Device\NPF_{GUID}.

Run WinDump at command prompt
WinDump.exe -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}"

So far so good, the packets are displayed. Now comes the moment to use flags and filters, which greatly improves the chances of actually finding the error.

TCP Flags

TCP flags are used within TCP packet transfer to announce a connection status or provide additional information in the context of the three-way handshake. They can be used to troubleshoot or control the connection. The TCP flags that are most commonly used are SYN, ACK, and FIN.

Analyze and display packets that contain one of the TCP flags, such as the TCP ACK flag here.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" "tcp[13] & 16 != 0"

A TCP flag is 1 bit in size. The following list describes each flag in more detail.

SYN = "tcp[13] & 2 != 0"
FIN = "tcp[13] & 1 != 0"
URG = "tcp[13] & 32 != 0"
PSH = "tcp[13] & 8 != 0"
RST = "tcp[13] & 4 != 0"

In the following example, only outbound connections are to be captured. To capture TCP connections that are initiated on our computer, we instruct WinDump to output only those packets for which the SYN flag is set. However, we also have to exclude packets where the ACK flag is set, otherwise we would also receive the responses (SYN-ACK) of the external host.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"

By default WinDump prints Unix-style timestamps. With the option -tttt, the packets appear with a human-readable date and time.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" -tttt -c 4 -vv

The -c 4 option limits the output to 4 packets (4 lines).
The -v option for verbose dump, -vv more verbose dump.

By default, WinDump resolves IP addresses to host names and also uses service names instead of port numbers. If no DNS is available, or you simply want to have the port number, the -n option can be used.

WinDump Filter Expressions

Use filters to select which packet headers to output. If no filter is applied, all packet headers are output. Commonly used filters are port, host, src, dst, tcp, udp, and icmp.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" -n "udp port 53 or tcp port 53"

The filter is applied to udp port 53 and tcp port 53, so only DNS packets are output.

Filter expressions can be combined with the AND, OR, and NOT operators. In this way, packets can be isolated more precisely.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" "src 10.10.10.11 and dst port 22"

The next example outputs all packets except TCP packets.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" "not tcp"

The output of WinDump can scroll across the screen very quickly, but the packet headers can be saved to a file with the -w option. The files are saved in pcap format and have a .pcap extension. Files stored this way can be decoded again later, for example in Wireshark.

windump -i "\Device\NPF_{B13697A3-3CD0-4D84-BA5D-179F708500D3}" -n -c 20 -w dump.pcap

The command saves 20 packets to the file dump.pcap.
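The following PowerShell script is an added example, not part of the original article: it decodes a capture saved with -w and applies the SYN-only filter from the TCP flags section offline, showing which packets "tcp[13]" and the flag bit values actually select. It assumes an Ethernet capture with little-endian pcap magic, which is what WinDump writes; the file path is a placeholder.

```powershell
# Added example, not from the original article: decode a capture written with
# "windump -w dump.pcap" and list the packets that the article's filter
# "tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0" selects,
# i.e. connections initiated from this host. Assumes link type 1 (Ethernet).
$Path = "$env:TEMP\dump.pcap"   # placeholder: path of your capture file
# Bit values of tcp[13], the TCP flags byte, as listed in the article.
$FlagBits = [ordered]@{ FIN = 1; SYN = 2; RST = 4; PSH = 8; ACK = 16; URG = 32 }

function Get-TcpFlagNames([byte]$Flags) {
    # Names of the flags whose bit is set, e.g. "SYN" or "SYN ACK".
    ($FlagBits.GetEnumerator() | Where-Object { ($Flags -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ' '
}

function Read-PcapTcpPackets([string]$File) {
    $b = [System.IO.File]::ReadAllBytes($File)
    $magic = [BitConverter]::ToUInt32($b, 0)
    if ($magic -ne 2712847316 -and $magic -ne 2712812621) {   # 0xA1B2C3D4 / 0xA1B23C4D
        throw "Unsupported pcap magic (big-endian or pcapng?): $magic"
    }
    if ([BitConverter]::ToUInt32($b, 20) -ne 1) { throw "Only Ethernet captures are handled" }
    $pos = 24                                   # skip the 24-byte global header
    while ($pos + 16 -le $b.Length) {
        $tsSec = [BitConverter]::ToUInt32($b, $pos)
        $len   = [int][BitConverter]::ToUInt32($b, $pos + 8)   # captured length
        $p     = $pos + 16                      # first byte of the frame
        $pos  += 16 + $len
        if ($pos -gt $b.Length) { break }       # record truncated at end of file
        # Ethernet: EtherType 0x0800 at offset 12 means IPv4; anything else is skipped.
        if ($len -lt 34 -or $b[$p + 12] -ne 0x08 -or $b[$p + 13] -ne 0x00) { continue }
        $ip  = $p + 14
        $ihl = ($b[$ip] -band 0x0F) * 4         # IPv4 header length in bytes
        if ($b[$ip + 9] -ne 6) { continue }     # IP protocol 6 = TCP
        $tcp = $ip + $ihl
        if ($tcp + 14 -gt $p + $len) { continue }   # snaplen cut the header before tcp[13]
        [pscustomobject]@{
            Time      = [DateTimeOffset]::FromUnixTimeSeconds($tsSec).LocalDateTime
            Src       = ($b[($ip + 12)..($ip + 15)] -join '.')
            Dst       = ($b[($ip + 16)..($ip + 19)] -join '.')
            DstPort   = $b[$tcp + 2] * 256 + $b[$tcp + 3]
            FlagsByte = $b[$tcp + 13]           # exactly tcp[13] in the BPF filter
        }
    }
}

# SYN set (bit 2) and ACK clear (bit 16): the outbound connection attempts.
Read-PcapTcpPackets $Path |
    Where-Object { ($_.FlagsByte -band 2) -ne 0 -and ($_.FlagsByte -band 16) -eq 0 } |
    Select-Object Time, Src, Dst, DstPort, @{ n = 'Flags'; e = { Get-TcpFlagNames $_.FlagsByte } } |
    Format-Table -AutoSize
```

Capture with a snaplen large enough for the headers (the default is sufficient); packets shorter than the TCP flags byte are skipped rather than misread.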

Help and version information are displayed by running windump -help.

C:\>windump -help
windump version 3.9.5, based on tcpdump version 3.9.5
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Usage: windump [-aAdDeflLnNOpqRStuUvxX] [ -B size ] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -Z user ]
                [ expression ]

Conclusion

WinDump is easy to set up. Once you are familiar with the various flags and filters after a few attempts, network problems can be solved quickly, and the security of the network can be checked and improved.

Issue Self-Signed Certificate for internal Website

Privacy error your connection isn’t private


This error page appears in the browser when an HTTPS page is visited whose certificate the browser does not trust. Often these are internal web sites of devices in your own network, or your own web server used to develop web sites or web apps in the lab; SSL-encrypted web sites require certificates. However, you may not want the certificate issued by a trusted Certificate Authority (CA), which brings unnecessary costs. A Let's Encrypt certificate is free, but the web server must be reachable from the internet for the Automatic Certificate Management Environment (ACME) check. For internal use it is sufficient to issue a self-signed certificate.

How to create Self-Signed Certificates

The following script creates a self-signed certificate and imports it into the Windows Certificate Store of the local computer. It prompts for a Common Name (CN) so that the certificate matches the URL of the site.

# Prompt for the host name the certificate is issued to; it must match the URL.
$CommonName = Read-Host -Prompt 'Enter a Common Name (CN)'
if ($CommonName) {
	Write-Output "Self-Signed Certificate [$CommonName] processing.."
} else {
	Write-Warning -Message "Missing Common Name (CN)!"
	break
}
# Create the certificate in the local machine's Personal store and keep the
# returned object, so the thumbprint comes from this certificate and not from
# an older one whose subject happens to match.
$cert = New-SelfSignedCertificate -DnsName $CommonName -CertStoreLocation "cert:\LocalMachine\My"
$thumbprint = $cert.Thumbprint
# Export to a password-protected PFX in %TEMP% and import it into the Trusted
# Root Certification Authorities store. The PFX contains the private key, so
# delete it from %TEMP% once the import has succeeded.
$pass = ConvertTo-SecureString "pass123" -AsPlainText -Force
$file = "$env:temp\$CommonName.pfx"
Export-PfxCertificate -Cert "cert:\LocalMachine\My\$thumbprint" -FilePath $file -Password $pass
Import-PfxCertificate -FilePath $file -CertStoreLocation "cert:\LocalMachine\Root" -Password $pass

Run these commands in a PowerShell opened as administrator. The certificate you just issued can now be found in the Certificate Manager (CERTLM.MSC) Microsoft Management Console (MMC) under Trusted Root Certification Authorities and under Personal certificates.

Note: Set the PowerShell execution policy from Restricted to RemoteSigned or Unrestricted to allow local PowerShell scripts to run.

PS C:\> Set-ExecutionPolicy RemoteSigned

Configuring SSL with the IIS PowerShell Snap-in

Acquiring certificates is not a simple matter and cannot be done without an issuer. The users of your web site have to trust the certificate, which is why you normally get it from a trusted Certificate Authority. For testing purposes, however, you can deploy your own certificate. For this walkthrough we use a so-called self-signed certificate.

Now let's use the IIS PowerShell Snap-in to create an SSL binding and associate it with the certificate we just created.

How to create an SSL Binding

We add the SSL binding to the Default Web Site using one of the task-based cmdlets, New-WebBinding. First you need to import the WebAdministration module, which is installed together with the Web-Server (IIS) Windows feature.

PS C:\> Import-Module WebAdministration
PS IIS:\> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

You can check the binding collection using the following command.

PS IIS:\> Get-WebBinding 'Default Web Site'

Assign the Certificate to IP:Port of the IIS Binding

You can CD into the IIS:\SslBindings directory and query the existing SSL bindings. The directory will be empty on an IIS default install.

PS IIS:\> cd IIS:\SslBindings
PS IIS:\SslBindings> gci

Now you can use the certificate thumbprint we got in the previous step to associate it with all IP addresses (0.0.0.0) and the SSL port 443.

PS IIS:\SslBindings> get-item cert:\LocalMachine\MY\"$thumbprint" | new-item 0.0.0.0!443

The previous command displays the following SSL binding.

IP Address       Port Store            Sites
----------       ---- -----            -----
0.0.0.0          443  My               Default Web Site

SSL is ready to go now and you can browse to your site by entering the following URL.

https://localhost
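To confirm that the binding and the trust store import above work together, the following PowerShell script is an added example (not from the original article or from Microsoft's IIS documentation): it opens a TLS connection to the site, reports the certificate IIS actually serves, and checks whether Windows trusts it and whether it is the one bound in IIS:\SslBindings. The host name and port are assumptions; use the Common Name you entered when creating the certificate, and run Import-Module WebAdministration first so the binding lookup works.

```powershell
# Added example, not from the original article: connect over TLS, show the
# served certificate, and check trust (Import-PfxCertificate into
# cert:\LocalMachine\Root) and the IIS:\SslBindings thumbprint.
$HostName = 'localhost'   # assumption: the Common Name the certificate was issued to
$Port     = 443

function Test-SiteTlsCertificate([string]$TargetHost, [int]$TargetPort) {
    # The callback records the chain/name result instead of aborting the
    # handshake, so an untrusted or mismatched certificate is still reported.
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $TargetPort)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)          # TLS handshake, SNI = $TargetHost
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Thumbprint(s) bound in IIS on this port (empty if WebAdministration is not loaded).
        $bound = (Get-ChildItem IIS:\SslBindings -ErrorAction SilentlyContinue |
                  Where-Object { $_.Port -eq $TargetPort }).Thumbprint
        [pscustomobject]@{
            Subject        = $served.Subject
            DnsNames       = ($served.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
            Thumbprint     = $served.Thumbprint
            NotAfter       = $served.NotAfter
            Protocol       = $ssl.SslProtocol
            MatchesBinding = [bool]($bound -contains $served.Thumbprint)
            Trusted        = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors   = $script:policyErrors      # e.g. RemoteCertificateChainErrors or RemoteCertificateNameMismatch
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

Test-SiteTlsCertificate -TargetHost $HostName -TargetPort $Port | Format-List
```

Trusted is only true when the chain validates against the local machine's Trusted Root store and the host name matches the certificate; a RemoteCertificateNameMismatch result means the browser will still show the privacy error even though the certificate is trusted.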