
What plug-in is Winshark?

Updated 2025-01-27. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 report

This article explains what Winshark is and how to use it. We think it is quite practical, so we share it here for reference.

Winshark

Winshark is a Wireshark plugin for capturing and dissecting ETW. ETW (Event Tracing for Windows) is the mechanism by which user-mode applications and kernel-mode drivers emit trace events; it gives developers a fast, reliable and versatile event-tracing facility. Microsoft Message Analyzer has long been obsolete, and its download package was removed from Microsoft's website as early as November 25, 2019. Wireshark has built an enormous library of network protocol dissectors, and Winshark was created so that researchers can use that library to collect and analyze all kinds of Windows event logs alongside network traffic.

Winshark uses libpcap as its capture backend for ETW (Event Tracing for Windows) and ships a generator that produces a dissector for every ETW provider known on the machine. In addition, TraceLogging support has been added, which covers most of the logging technologies used in the Windows OS.

With Winshark and the tracing facilities built into Windows, network traffic and event logs can be captured in the same tool.

For tool users, the arrival of Winshark matters for the following reasons:

Supports mixing all types of events, network events and system events alike;

Supports Wireshark display filters on event logs;

Supports correlating network and system logs by process ID;

Supports saving Windows logs and network traces together in pcap files;

Captures named pipe traffic through the NpEtw file system filter driver.

Tool installation

Before using Winshark, install Wireshark.

For now, Wireshark has to be told to interpret DLT_USER 147 as ETW, because Winshark has not yet been assigned a dedicated DLT value by libpcap (a pull request is still needed for that), so the user-defined link type 147 is used instead. Open Edit > Preferences, expand Protocols, select DLT_USER, click Edit and fill in the dialog:

Next, map DLT 147 (User 0) to the etw payload protocol.
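A practical follow-up to that preference is to confirm that a saved capture really carries link type 147 before wondering why the etw dissector is not applied. The PowerShell below is an added example and not part of Winshark or Wireshark: it reads the classic pcap global header, works out the byte order from the magic number, and reports the link type; New-SamplePcap writes a constructed header-only file so the check can be exercised without a real capture. The file paths are placeholders chosen for this example.

```powershell
# Added example, not Winshark project code: inspect a classic pcap global header
# and report whether its link type is 147 (DLT_USER0), the value mapped to the
# etw dissector in the DLT_USER preference. pcapng is detected and rejected.

function Get-PcapLinkType {
    param([Parameter(Mandatory)][string]$Path)

    $hdr = New-Object byte[] 24            # classic pcap global header is 24 bytes
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $read = $fs.Read($hdr, 0, 24) }
    finally { $fs.Dispose() }
    if ($read -lt 24) { throw "File too short to be a pcap: $Path" }

    # The magic number gives the writer's byte order (and timestamp resolution).
    # BitConverter reads in host (little-endian) order, so a little-endian file
    # yields A1B2C3D4 unchanged and a big-endian file yields D4C3B2A1.
    $magic = '{0:X8}' -f [BitConverter]::ToUInt32($hdr, 0)
    switch ($magic) {
        'A1B2C3D4' { $swap = $false; $order = 'little-endian' }   # microsecond timestamps
        'A1B23C4D' { $swap = $false; $order = 'little-endian' }   # nanosecond timestamps
        'D4C3B2A1' { $swap = $true;  $order = 'big-endian' }
        '4D3CB2A1' { $swap = $true;  $order = 'big-endian' }
        '0A0D0D0A' { throw "pcapng detected; this check handles classic pcap only: $Path" }
        default    { throw "Unknown pcap magic 0x$magic in $Path" }
    }

    # Layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4),
    # so snaplen is at offset 16 and the link type ("network") at offset 20.
    [byte[]]$sl = $hdr[16..19]
    [byte[]]$lt = $hdr[20..23]
    if ($swap) { [Array]::Reverse($sl); [Array]::Reverse($lt) }
    $linkType = [BitConverter]::ToUInt32($lt, 0)

    [pscustomobject]@{
        Path      = $Path
        ByteOrder = $order
        SnapLen   = [BitConverter]::ToUInt32($sl, 0)
        LinkType  = $linkType
        IsEtwUser = ($linkType -eq 147)    # DLT_USER0, the value the preference maps to etw
    }
}

function New-SamplePcap {
    # Constructed test input: a header-only classic pcap with the given link type.
    param([uint32]$LinkType = 147,
          [string]$Path = (Join-Path $env:TEMP 'winshark-sample.pcap'))
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange([byte[]](0xD4, 0xC3, 0xB2, 0xA1))                   # magic 0xA1B2C3D4, little-endian
    $b.AddRange([byte[]][BitConverter]::GetBytes([uint16]2))        # version major
    $b.AddRange([byte[]][BitConverter]::GetBytes([uint16]4))        # version minor
    $b.AddRange([byte[]][BitConverter]::GetBytes([int32]0))         # thiszone
    $b.AddRange([byte[]][BitConverter]::GetBytes([uint32]0))        # sigfigs
    $b.AddRange([byte[]][BitConverter]::GetBytes([uint32]65535))    # snaplen
    $b.AddRange([byte[]][BitConverter]::GetBytes($LinkType))        # network (DLT)
    [System.IO.File]::WriteAllBytes($Path, $b.ToArray())
    return $Path
}

# Usage: check the constructed sample, then a real Winshark capture (path assumed).
Get-PcapLinkType -Path (New-SamplePcap)
# Get-PcapLinkType -Path 'C:\captures\winshark.pcap'
```

If a file comes back with IsEtwUser false, the DLT_USER mapping will never fire for it, which is the first thing to rule out when events show up as raw user data.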

Building the tool

Winshark is built with CMake; the build and packaging commands are as follows:

git clone https://github.com/airbus-cert/winshark --recursive
mkdir build_winshark
cd build_winshark
cmake ..\winshark
cmake --build . --target package --config release

Capture network traffic

To capture network traffic with Winshark, first enable network tracing with netsh:

netsh.exe trace start capture=yes report=no correlation=no

Next, create a real-time ETW session bound to the Microsoft-Windows-NDIS-PacketCapture provider:

logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets

Then start Wireshark with administrator privileges and select the Winshark-PacketCapture interface:

Next, we can start capturing network packets:

Filtering by process ID

ETW attaches a header to every event it emits, and that header always carries metadata about the sender, including the process ID of the process that raised the event. Wireshark's display filter can therefore select the events of a single process with the following expression:

etw.header.ProcessId == 1234

Named pipe capture: installation

First, because the NpEtw driver is not signed for production use, enable test-signing mode so that driver signature enforcement allows it to load:

bcdedit /set testsigning on

Next, install NpEtwSetup.msi and restart the device.

Then run "C:\Program Files\Wireshark\WinsharkUpdate.bat" with administrator privileges to regenerate the Winshark dissectors so that the NpEtw provider is included.

Named pipe capture

First, open a cmd.exe command-line window with administrator privileges and start the driver with the following command:

sc start NpEtw

Next, create an ETW session:

logman start namedpipe -p NpEtw -ets -rt

Now open Wireshark and select the namedpipe session as the capture interface.
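The network-capture steps (netsh trace, logman session) and the named-pipe steps (driver start, logman session) above are easy to leave half-done: a forgotten real-time session keeps tracing after Wireshark is closed, and the test-signing switch from the installation section stays on across reboots. The PowerShell below is an added example, not code from the Winshark project, that wraps both procedures in functions with the checks an operator wants: elevation, whether the session or driver is already running, and a matching stop. Session and provider names are the ones this article uses; that NpEtw is usable as a provider name for logman is assumed here because the article's own logman command relies on it.

```powershell
# Added example, not Winshark project code: the article's netsh/logman/sc steps
# as functions with pre-checks and cleanup. Run from an elevated PowerShell.

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell.'
    }
}

function Test-EtwSession {
    param([Parameter(Mandatory)][string]$Name)
    # logman exits non-zero when the named real-time session does not exist.
    & logman.exe query $Name -ets *> $null
    return ($LASTEXITCODE -eq 0)
}

function Get-DriverState {
    param([Parameter(Mandatory)][string]$Name)
    # "sc" is a PowerShell alias for Set-Content, so the .exe must be named explicitly.
    $out = & sc.exe query $Name
    if ($LASTEXITCODE -ne 0) { return $null }          # 1060: service does not exist
    foreach ($l in $out) {
        if ($l -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }   # RUNNING, STOPPED, ...
    }
    return 'UNKNOWN'
}

function Start-WinsharkNetworkCapture {
    Assert-Elevated
    if (Test-EtwSession 'Winshark-PacketCapture') {
        Write-Warning 'Winshark-PacketCapture is already running; reusing it.'
        return
    }
    # Step 1 from the article: enable NDIS packet-capture tracing.
    & netsh.exe trace start capture=yes report=no correlation=no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }
    # Step 2: real-time ETW session on the NDIS packet-capture provider.
    & logman.exe start Winshark-PacketCapture -p 'Microsoft-Windows-NDIS-PacketCapture' -rt -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman failed to start Winshark-PacketCapture (exit $LASTEXITCODE)" }
}

function Start-WinsharkNamedPipeCapture {
    Assert-Elevated
    $state = Get-DriverState 'NpEtw'
    if ($null -eq $state) { throw 'NpEtw driver not installed; run NpEtwSetup.msi and reboot first.' }
    if ($state -ne 'RUNNING') {
        & sc.exe start NpEtw | Out-Null                 # the article's "sc start NpEtw"
        if ($LASTEXITCODE -ne 0) { throw "sc start NpEtw failed (exit $LASTEXITCODE)" }
    }
    if (-not (Test-EtwSession 'namedpipe')) {
        & logman.exe start namedpipe -p NpEtw -ets -rt | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "logman failed to start namedpipe (exit $LASTEXITCODE)" }
    }
}

function Stop-WinsharkCaptures {
    Assert-Elevated
    foreach ($s in 'Winshark-PacketCapture', 'namedpipe') {
        if (Test-EtwSession $s) { & logman.exe stop $s -ets | Out-Null }
    }
    & netsh.exe trace stop | Out-Null                   # ends the NDIS trace started above
}

function Test-TestSigning {
    # "bcdedit /set testsigning on" from the installation steps persists until
    # turned off; report its state so it is not forgotten on a lab machine.
    $out = & bcdedit.exe /enum '{current}'
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

# Usage (elevated PowerShell):
#   Start-WinsharkNetworkCapture      # then open Wireshark as admin, pick Winshark-PacketCapture
#   Start-WinsharkNamedPipeCapture    # then pick the namedpipe interface
#   Stop-WinsharkCaptures             # when finished
#   if (Test-TestSigning) { Write-Warning 'testsigning is on; run "bcdedit /set testsigning off" when done' }
```

Test-EtwSession doubles as a quick audit: running it for both session names on a machine where nobody is meant to be tracing tells you whether a capture was left behind.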

Thank you for reading! This article on what Winshark is ends here. We hope the content above is of some help and lets everyone learn a little more; if you found the article good, please share it so more people can see it!
