Tag Archive: wireshark

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

How to message analyzer on YouTube: https://www.youtube.com/watch?v=e0v0RsQVdT8

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool.  Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server remotely !)
  • Remote capture (capture multiple point concurrently)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is  “operations”, (requests matched with responses)
  • User controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Other articles:

Use message analyzer to convert a .etl to .cap: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/


Capture a network trace using netsh:



  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

Hi folks, here are web resources to implement and  troubleshoot MS DFS and MS DFS-R:

DFS Replication in Windows Server 2012 R2 : http://blogs.technet.com/b/filecab/archive/2013/08/20/dfs-replication-in-windows-server-2012-r2-if-you-only-knew-the-power-of-the-dark-shell.aspx

DFS Replication Initial Sync in Windows Server 2012 R2: http://blogs.technet.com/b/filecab/archive/2013/08/21/dfs-replication-initial-sync-in-windows-server-2012-r2-attack-of-the-clones.aspx

DFS Replication in Windows Server 2012 R2: Restoring Conflicted, Deleted and PreExisting files with Windows PowerShell: http://blogs.technet.com/b/filecab/archive/2013/08/23/dfs-replication-in-windows-server-2012-r2-restoring-conflicted-deleted-and-preexisting-files-with-windows-powershell.aspx

Understanding DFS (how it works):


=> Several mechanisn are used: routing, DNS, AD sites and subnets topology, WINS,  FW ports and rules shoud be open (RPC, SMB…):

NetBIOS Name Service:  Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 137

NetBIOS Datagram Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/138

NetBIOS Session Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/139

LDAP Server: Domain controllers TCP/UDP 389

Remote Procedure Call (RPC) endpoint mapper: Domain controllers TCP/135

Server Message Block (SMB): Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 445

Extract from the MS technet: “When a client requests a referral from a domain controller, the DFS service on the domain controller uses the site information defined in Active Directory (through the DSAddressToSiteNames API) to determine the site of the client, based on the client s IP address. DFS stores this information in the client site cache”
“DFS clients store root referrals and link referrals in the referral cache (also called the PKT cache). These referrals allow clients to access the root and links within a namespace. You can view the contents of the referral cache by using Dfsutil.exe with the /pktinfo “
“You can view the domain cache on a client computer by using the Dfsutil.exe command-line tool with the /spcinfo parameter”

Implementing DFS-R: http://technet.microsoft.com/en-us/library/cc770925.aspx AND DFS-R FAQ: http://technet.microsoft.com/en-us/library/cc773238.aspx, delegate DFS-R permissions: http://technet.microsoft.com/en-us/library/cc771465.aspx

DFS-R limits:

The following list provides a set of scalability guidelines that have been tested by Microsoft on Windows Server 2012 R2:
• Size of all replicated files on a server: 100 terabytes.
• Number of replicated files on a volume: 70 million.
• Maximum file size: 250 gigabytes.

The following list provides a set of scalability guidelines that have been tested by Microsoft on Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008:
• Size of all replicated files on a server: 10 terabytes.
• Number of replicated files on a volume: 11 million.
• Maximum file size: 64 gigabytes

Implementing DFS Namespace: http://technet.microsoft.com/en-us/library/cc730736.aspx AND DFS-N FAQ: http://technet.microsoft.com/fr-fr/library/ee404780(v=ws.10).aspx

Consolidation of multiple DFS namespaces in a single one : http://blogs.technet.com/b/askds/archive/2013/02/06/distributed-file-system-consolidation-of-a-standalone-namespace-to-a-domain-based-namespace.aspx

Netmon trace digest: http://blogs.technet.com/b/josebda/archive/2009/04/15/understanding-windows-server-2008-dfs-n-by-analyzing-network-traces.aspx

SMB and Wireshark: https://thebackroomtech.com/2019/05/22/using-wireshark-to-sniff-an-smb-transmission/

DFS and Wireshark: https://www.youtube.com/watch?v=9sLUVQPriOk

DFS 2008 step by step: http://technet.microsoft.com/en-us/library/cc732863(WS.10).aspx

DFS tuning and troubleshooting:

How to troubleshoot Distributed File System Namespace access failures in Windows: https://support.microsoft.com/en-au/help/975440/how-to-troubleshoot-distributed-file-system-namespace-access-failures

FS-N et DFS-R en ligne de commande: http://blogcastrepository.com/blogs/benoits/archive/2009/08/22/dfs-n-et-dfs-r-en-ligne-de-commande.aspx

DFSR les commandes les plus utiles: http://www.monbloginfo.com/2011/03/02/dfsr-les-commandes-les-plus-utiles/

and http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx

Tuning DFS: http://technet.microsoft.com/en-us/library/cc771083.aspx and Tuning DFS Replication performance : http://blogs.technet.com/b/askds/archive/2010/03/31/tuning-replication-performance-in-dfsr-especially-on-win2008-r2.aspx

DFSutil command line:  http://technet.microsoft.com/fr-fr/library/cc776211(v=ws.10).aspx AND http://technet.microsoft.com/en-us/library/cc779494(v=ws.10).aspx and https://technet.microsoft.com/en-us/library/cc776211%28WS.10%29.aspx

Performance tuning guidelines for Windows 2008 R2: http://msdn.microsoft.com/en-us/windows/hardware/gg463392.aspx


DFSRMon utility: http://blogs.technet.com/b/domaineetsecurite/archive/2010/04/14/surveillez-en-temps-r-el-la-r-plication-dfsr-gr-ce-dfsrmon.aspx

or  DfsrAdmin.exe in conjunction with Scheduled Tasks to regularly generate health reports: http://go.microsoft.com/fwlink/?LinkId=74010

Server side:

DFS: some notions: A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

tip1) dfsutil domain : Displays all namespaces in the domain ; dfsutil /domain:mydomain.local /view

tip2) You can check the size of an existing DFS namespace by using the following syntax in Dfsutil.exe:

dfsutil /root:\\mydomain.local\rootname /view (for domain-based DFS)
dfsutil /root:\\dfsserver\rootname /view (for stand-alone DFS)

tip3) Enabling the insite setting of a DFS server is useful when: You don’t want the DFS clients to connect outside the site.
You don’t want the DFS client to connect to a site other than the site it is in, and hence avoid using expensive WAN links.
dfsutil /insite:\\mydomain.local\dfsroot /enable

tip4) You want DFS clients to be able to connect outside the internal site, but you want clients to connect to the closest site first, saving the expensive network bandwidth:

ex: dfsutil /root:\\mydomain.local\sales /sitecosting /view or /enable or /disable

If you do not know if a root is site costing aware, you can check its status by substituting the /display parameter for the /sitecosting parameter.

tip5) Enable root scalability mode: You enable root scalability mode by using the /RootScalability parameter in Dfsutil.exe, which you can install from the \Support\Tools folder on the Windows Server 2003 operating system CD. When root scalability mode is enabled,  DFS root servers get updates from the closest domain controller instead of the server acting as the PDC emulator master.
As a result, root scalability mode reduces network traffic to the PDC emulator master at the expense of faster updates  to all root servers. (When you make changes to the namespace, the changes are still made on the PDC emulator master,  but the root servers no longer poll the PDC emulator master hourly for those changes; instead, they poll the closest domain controller.)
With this mode enabled, you can have as many root targets as you need, as long as the size of the DFS Active Directory object (for each root)  is less than 5 MB. Do not use root scalability mode if any of the following conditions exist in your organization:Your namespace changes frequently, and users cannot tolerate having inconsistent views of the namespace.  Domain controller replication is slow. This increases the amount of time it takes for the PDC emulator master  to replicate DFS changes to other domain controllers, which, in turn, replicate changes to the root servers.  Until this replication completes, the namespace will be inconsistent on all root servers.

ex: dfsutil /root:\\mydomain.local\sales /rootscalability /view or /enable or /disable

tip6) Dfsdiag utility: http://blogs.technet.com/b/filecab/archive/2008/10/24/what-does-dfsdiag-do.aspx

/testdcs: With this you can check the configuration of the domain controllers. It performs the following tests:

  • Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
  • Check for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain mydomain.local just type:

DFSDiag /testdcs /domain:mydomain.local

DFSDiag /testdcs > dfsdiag_testdcs.txt

/testsites: Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like: DFSDiag /testsites /machine:MyDFSServer

For a folder (link): DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace\MyLink /full

For a root: DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace /recurse /full

/testdfsconfig:  With this you can check the DFS namespace configuration. The tests that perform are:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows 2008 (non supported for W2K3 clusters L):
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

To run this you just need to type:  DFSDiag /testdfsconfig /dfsroot:\\mydomain.local\MyNamespace

/testdfsintegrity: Used to check the namespace integrity. The tests performed are:

  • Checks for DFS metadata corruption or inconsistencies between domain controllers
  • In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
  • Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of your domain mydomain.local:

DFSDiag /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace

DFSDiag.exe /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace /recurse /full > dfsdiag_testdfsintegrity.txt

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral: Perform specific tests, depending on the type of referral being used.

  • For Trusted Domain referrals, validates that the referral list includes all trusted domains.
  • For Domain referrals, perform a DC health check as in /testdcs
  • For Sysvol and Netlogon referrals perform the validation for Domain referrals and that it’s TTL has the default value (900s).
  • For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
  • For DFS folder referrals, in addition to performing the same health checks as when you specify a namesapace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host

Again for your namespace mydomain.local:

DFSDiag /testreferral /dfspath:\\mydomain.local\MyNamespace

DFSDiag.exe /testreferral /dfspath:\\mydomain.local\MyNamespace /full > dfsdiag_testreferral.txt

There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

Domain controllers:

Evaluate domain controller health, site configurations, FSMO ownerships, and connectivity:

Use Dcdiag.exe to check if domain controllers are functional. Review this for comprehensive details about dcdiag:

    Dcdiag /v /f:Dcdiag_verbose_output.txt

    Dcdiag /v /test:dns /f:DCDiag_DNS_output.txt

    Dcdiag /v /test:topology /f:DCDiag_Topology_output.txt

Active Directory replication

If DCDiag finds any replication failures and you need additional details about them, Ned wrote an excellent article a while back that covers how to use the Repadmin.exe utility to validate the replication health of domain controllers:

    Repadmin /replsummary * > repadmin_replsummary.txt

    Repadmin /showrepl * > repadmin_showrepl.txt

Always validate the health of the environment prior to utilizing a namespace.


  • dfsutil /root:\\mydomain.local\myroot /view /verbose    ; display the content of root dfs (links…)
  • dfsutil /pktinfo     ;to display the client cache
  • dfsutil /spcinfo     ; the domain cache on a client computer
  • dfsutil /purgemupcache ; cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
  • dfsutil /pktflush   ; Dfsutil /PktFlush is a special problem repair command that should only be executed on the client.
  • dfsutil cache referral flush   ; to flush the client cache
  • dfsdiag /testdfsintegrity /dfsroot:\\mydomain.local\dfsroot /recurse /full > dfsdiag_testdfsintegrity.txt   ; to test root dfs from local client
  • dfsutil client siteinfo <ip> ; to display the remote client AD client site
  • dfsutil /sitename:<ip address>  or nltest /dsgetsite ; to display the local AD client site
  • To display a target dfs (primary/active) from cmd line: dfsutil client property state \\mydomain.local\dfsroot\dfsfolder1
  • To change a target dfs (primary/active) from cmd line: dfsutil client property state active \\mydomain.local\dfsroot\dfsfolder1 \\server.mydomain2.net\share  ; but you need a special hotfix for win7/2008r2 clients: http://support.microsoft.com/kb/2783031/en-us
  • Understanding: DFS override referral ordering: http://blogs.technet.com/b/askds/archive/2011/10/27/dfs-override-referral-ordering-messing-with-the-natural-order.aspx

Dfsutil examples: https://technet.microsoft.com/en-us/library/cc776211%28WS.10%29.aspx


Netsh command reference:




Using Netsh to redirect a port to another computer:


How to create a wifi hotspot with netsh:


Using netsh with DHCP:


Using netsh to capture traffic:


Capture a NETSH network trace

a) Open an elevated command prompt and run: “netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl” (make sure you have a \temp directory or choose another location).

b) Log on and stop the trace using: “netsh trace stop” (from an elevated prompt).

c) Open the .etl with Network monitor or Message Analyzer  (allows you to choose .etl as a file to open) and save as .cap to be analyzed in detail with Wireshark if you prefer: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/




Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

Netmon versus Message Analyzer. Netmon is well-known tool used by IT peoples to troubleshoot problems daily.

Netmon capture Net frames, Net frame: contain header and payload

TCP basics:

Tcp session establishment:

clt: TCP syn –> srv    then    srv: Syn-Ack –>clt    then    clt: Ack –> srv

Gracefull closure:

clt: Fin –> srv       then       srv: Fin-Ack –>clt

srv: Fin –> clt       then       clt: Fin-Ack –> srv

Forced closure (fermeture brutale):

clt: tcp reset –> srv       THEN      srv: tcp reset –> clt

Notion de fenetre TCP (ou TCP RWIN): le client informe le serveur de la quantite de donnees a envoyer/recevoir. Il y a des BUFFER au niveau applicatif, au niveau de la carte reseau et du protocole TCP. Grosso modo, les pacquets sont decoupes en blocs et stockes d’abord du buffer de l’appl, et par la suite dans le buffer TCP. Il y a un Send Buffer TCP et un Receive Buffer TCP.

The TCP protocol calcule la taille de RWIN. Since Windows vista, the TCP buffer size can be adjusted (Windows scaling) par multiplication of de buffer 65535 – can be modified using NETSH !

The last netmon version is v3.4. At Microsoft, the evolution of netmon is Message Analyzer.

Netmon 3.4 download: http://www.microsoft.com/en-us/download/details.aspx?id=4865

Message Analyzer download: http://www.microsoft.com/en-us/download/details.aspx?id=40308

For netmon, there are addins: downloadable at http://nmexperts.codeplex.com/

NMDECRYPT : http://nmdecrypt.codeplex.com/

TCP Analyzer : http://research.microsoft.com/en-us/projects/tcpanalyzer/

TOP USERS : http://nmtopusers.codeplex.com/

TOP PROTOCOLS : http://nmtopprotocols.codeplex.com/

NMSimpleSearch : http://archive.msdn.microsoft.com/NmSimpleSearch

Visual Round Trip Analyzer : http://www.microsoft.com/en-us/download/details.aspx?id=21462

I come back to Netmon,

Netmon uses a capture drive called nmcap

Netmon uses by default a “Parser profile = default”, if your want more details about application protocoles swith to “parser profile = Windows”

Use “color rules”

Add colums: “Time offset”, “Destination port”, “Source port”

Use “filters”:

Adresses and ports :
IPv4.Address ==
IPv4.SourceAddress ==
IPv4.DestinationAddress ==
TCP.PORT == 3389
IPv4.address == AND Tcp.port!=3389          ; en clair affiche moi le traffic ou apparait l’IP mais pas TCP3389 (bruit du à RDP)

To find text:
ContainsBin(FrameData, ASCII, “SavillText”)

Analyzing SMB or SMB2: http://www.snia.org/sites/default/files2/sdc_archives/2009_presentations/wednesday/PaulLong_TShootSMBwithNM3-rev.pdf

Exclusions :
! (RDP)
! (ipv4.address ==
! (tcp.port == 3389)

Operators :

“Intellisense” :
TCP. (…)

TCP.Property.tcpRetransmits == 1
TCP.Flags.SYN == 1
TCP.Flags.RESET == 1

Right click : “Add to Display Filter”

Protocole filters:

Response time:

In order to filter on the difference in time, you can use FrameVariable.TimeDelta property. This value represents the time from the last physical frame in the trace. One side effect of this is that you can’t filter the time delta that results between two filtered frames or two frames in a specific conversation. Leading to perhaps more confusion, the time delta column you see is updated based on the filtered information.

The following filter will find any frame with a time delta greater than 1 second: FrameVariable.TimeDelta > 10000000