Wireshark – how to capture relevant data

  1. Clear ARP cache
  2. Clear NETBIOS name cache (nbtstat -R)
  3. Clear DNS resolver cache (ipconfig /flushdns)
  4. Close open sockets relating to the application in question. First list the connections on the application's port:
    netstat -ano | find "port number"
    then kill the owning process (identified by the PID column) in Task Manager or with the taskkill command:
    taskkill -PID "PID"

    C:\Users\Administrator>netstat -ano | find "55060"
      TCP    127.0.0.1:55059        127.0.0.1:55060        ESTABLISHED     16176
      TCP    127.0.0.1:55060        127.0.0.1:55059        ESTABLISHED     16176
    C:\Users\Administrator>taskkill -PID 16176
    
  5. Clear the browser cache (if the issue is related to a web browser)
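Steps 1 to 4 above as one PowerShell script. This is an added example, not part of the original notes; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where Get-NetTCPConnection is available), takes the port number as a parameter, and leaves the browser cache (step 5) to the browser itself.

```powershell
# Added example, not part of the original notes: reset the name caches and close
# the sockets of the application under test before starting a Wireshark capture.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-NetTCPConnection) and an
# elevated PowerShell session.  Usage:  .\Reset-CaptureState.ps1 -Port 55060 [-WhatIf]

[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port
)

# Steps 1-3: ARP cache, NetBIOS name cache, DNS resolver cache
arp -d *           | Out-Null
nbtstat -R         | Out-Null
ipconfig /flushdns | Out-Null

# Step 4: find every TCP connection whose local OR remote port is $Port.
# Unlike `netstat -ano | find "<port>"`, this compares the port fields exactly,
# so a PID or an unrelated port that merely contains the same digits is ignored.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }

if (-not $conns) {
    Write-Host "No TCP connections involve port $Port; nothing to close."
    return
}

# Show what is about to be closed (same columns as the netstat output)
$conns | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize | Out-Host

foreach ($procId in ($conns.OwningProcess | Sort-Object -Unique)) {
    # PID 0 (Idle) and PID 4 (System) own kernel-mode sockets; never stop those
    if ($procId -le 4) {
        Write-Warning "Port $Port is held by PID $procId (kernel); skipping."
        continue
    }
    $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
    # -WhatIf / -Confirm are honoured here via ShouldProcess
    if ($PSCmdlet.ShouldProcess("PID $procId ($name)", "Stop-Process")) {
        Stop-Process -Id $procId -Force
        Write-Host "Stopped $name (PID $procId)."
    }
}
```

Run it with -WhatIf first to see which processes would be stopped without touching them.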

Exchange online – Office 365 – PowerShell

To connect via PowerShell to Office 365/Exchange Online you need:

Pre-Requisites:

To connect to Exchange Online run:

Connect-ExchangeOnline
and, when prompted, enter your credentials:

To verify:

Get-PSSession | fl

VMware – capturing network packets

There are two utilities available out of the box on an ESXi host that let us capture network traffic:

  • tcpdump (limited to capturing traffic from VMkernel adapters)
  • pktcap

tcpdump

To list VMkernel adapters, use the esxcfg-vmknic -l command.

tcpdump-uw -i vmk0 -s 0 -nn -e
notes:
-s 0 – capture the entire packet (as opposed to a truncated snapshot)
-nn – print IP addresses and port numbers numerically instead of resolving host names and service names
-e – print the Ethernet (link-layer) header in addition to all other information

To filter the traffic, append a capture filter expression, e.g. a port number:
tcpdump-uw -i vmk0 -s 0 -nn -e port 80

To generate traffic on that port from another host/system, I could use for example:
nc -z host.IP.address 80

To save the capture to a file, use the -w switch:
tcpdump-uw -i vmk0 -s 0 -nn -e port 80 -w /vmfs/volumes/share/capture.pcap

Then, to analyze it, copy it to a system with e.g. Wireshark and open it from there.


pktcap

pktcap-uw monitors traffic that flows through physical network adapters, VMkernel adapters and virtual machine adapters, and writes captures that can be analyzed in the graphical user interface of network analysis tools such as Wireshark.

Example: to capture packets on a switch port, first get the port ID from esxtop (press n for the networking view) and read the PORT-ID column, then run:
pktcap-uw --switchport 33554433
To save the output to a file, use the -o switch followed by the file location/name.pcap.

PowerShell – get Windows 10 versions

The script below lists all Windows 10 versions installed on computers in Active Directory, counts the machines per version and e-mails the result:

# Query AD for every computer whose OperatingSystem attribute starts with "Windows 10";
# only the two properties the script uses are requested (the original fetched all of them)
$win10 = Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -Properties OperatingSystem, OperatingSystemVersion
$win10count = @($win10).Count
$subject = "All Win 10 systems $win10count"

# Distinct version strings (e.g. "10.0 (18363)"), sorted
$win10_versions = $win10 | Sort-Object OperatingSystemVersion | Select-Object OperatingSystemVersion -Unique

$result = @()
foreach ($ver in $win10_versions) {
    $version = $ver.OperatingSystemVersion
    # Number of computers reporting exactly this version string
    $count = ($win10 | Where-Object { $_.OperatingSystemVersion -eq $version } | Measure-Object).Count
    # [pscustomobject] keeps the property order, so the report columns come out as Win10_version, Count
    $result += [pscustomobject]@{
        Win10_version = $version
        Count         = $count
    }
}

Send-MailMessage -From email@address.com -To email@address.com -Subject $subject -Body ($result | Out-String) -SmtpServer MAIL_SERVER -Port 25

Example output:
.\get-Windows10_versions.ps1

Win10_version Count
------------- -----
10.0 (10240)      1
10.0 (10586)      9
10.0 (14393)     14
10.0 (15063)      4
10.0 (16299)     23
10.0 (17134)     18
10.0 (17763)     21
10.0 (18362)     35
10.0 (18363)    140
10.0 (19041)      1