Capturing Windows user logon traffic
I don't need to go into many details about the startup process and importance of analysing it in case of problems. Here's how I do it:
Install the tools accepting all defaults (you should always go with defaults unless you have really good reasons not to - and security through obscurity is not one). Follow the Resource kit documentation to install Autoexnt service, use interactive option.
The most important information that is not in the network traffic capture is the process map - the information that allows to identify what processes are making connections.
I'm using c:\tmp folder for the captures and other files. This is the autoexnt.cmd file:
move c:\tmp\capture.cap c:\tmp\captureX.cap
move c:\tmp\capturelog.txt c:\tmp\capturelogX.txt
start /D"C:\Program Files\Wireshark\" tshark.exe -i 2 -w c:\tmp\capture.cap
cscript //Nologo c:\tmp\now.vbs >> c:\tmp\capturelog.txt
netstat -ano >> c:\tmp\capturelog.txt
pslist >> c:\tmp\capturelog.txt
In the tshark command line options, the interface number (the -i option) may be different on your system - use "tshark -D" to list interfaces on your system. I found that in some cases tshark has visibility of all interfaces on the system whereas Wireshark GUI doesn't let you choose the right interface. Now.vbs prints current time with seconds. The whole script is:
After rebooting the computer and the user logon there will be two windows on the screen - cmd.exe and tshark.exe. Close both -you'll find the traffic capture in the c:\tmp\capture.cap and process/connection lists in c:\tmp\capturelog.txt. That's enough information to do analysis.
The beauty of the approach is that no hubs or switches are involved, and all of it can be done remotely. Evidently, both scripts and the approach can be improved in many ways. Suggestions welcome.