newspaint

Documenting Problems That Were Difficult To Find The Answer To

Category Archives: Microsoft

Wireshark Showing Wrong Timezone/Times for Packets

If you find yourself wondering why Wireshark seems to be displaying the wrong time for packets – it could be something as simple as having configured the display timezone incorrectly.

If the timestamps appear to be for the wrong timezone…

Right click the column header “Time” and choose Column Preferences…

Right click on the Time column header and choose Column Preferences…

Next double click (using left mouse button) on the “Type” field to bring up a drop down list of options.

Double click on the Type field for the Time row

From the drop down list choose “Time (format as specified)”. If this was set to something different (e.g. “UTC time”) then this could explain why you saw a different date/time in the packet capture display.

Choose “Time (format as specified)” from the drop down list

Introduction to Packet Capture on Microsoft Windows for Later Analysis with Wireshark

Windows 7 and later ship with the netsh trace command, which can be used to take packet captures – however the .etl files it produces cannot be opened directly by Wireshark. Such captures can be converted into a basic format that Wireshark can read using the Microsoft Message Analyzer, which Microsoft makes freely available (a 68MB download).

The process is typically:

  • netsh trace show – get information useful to use when specifying the trace
  • netsh trace start – begin a trace specifying filters to use
  • netsh trace stop – end the trace and create the capture file

You can get information for the netsh trace show command:

C:\> netsh trace show /?

The following commands are available:

Commands in this context:
show CaptureFilterHelp - List supported capture filters and usage.
show globalKeywordsAndLevels - List global keywords and levels.
show helperclass - Show helper class information.
show interfaces - List available interfaces.
show provider  - Shows provider information.
show providers - Shows available providers.
show scenario  - Shows scenario information.
show scenarios - Shows available scenarios.
show status    - Shows tracing configuration.

The most useful of these is netsh trace show CaptureFilterHelp as follows:

  Capture Filters:
        Capture filters are only supported when capture is explicitly
        enabled with capture=yes. Supported capture filters are:

        CaptureInterface=<interface name or GUID>
         Enables packet capture for the specified interface name or GUID. Use
         'netsh trace show interfaces' to list available interfaces.
        e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface="Local Area Connection"

        Ethernet.Address=<MAC address>
         Matches the specified filter against both source and destination
         MAC addresses.
        e.g. Ethernet.Address=00-0D-56-1F-73-64

        Ethernet.SourceAddress=<MAC address>
         Matches the specified filter against source MAC addresses.
        e.g. Ethernet.SourceAddress=00-0D-56-1F-73-64

        Ethernet.DestinationAddress=<MAC address>
         Matches the specified filter against destination MAC addresses.
        e.g. Ethernet.DestinationAddress=00-0D-56-1F-73-64

        Ethernet.Type=<ethertype>
         Matches the specified filter against the MAC ethertype.
        e.g. Ethernet.Type=IPv4
        e.g. Ethernet.Type=NOT(0x86DD)
        e.g. Ethernet.Type=(IPv4,IPv6)

        Wifi.Type=<Management|Data>
         Matches the specified filter against the Wifi type. Allowed values
         are 'Management' and 'Data'. If not specified, the Wifi.Type filter
         is not applied.
         Note: This capture filter does not support ranges, lists or negation.
        e.g. Wifi.Type=Management

        Protocol=<protocol>
         Matches the specified filter against the IP protocol.
        e.g. Protocol=6
        e.g. Protocol=!(TCP,UDP)
        e.g. Protocol=(4-10)

        IPv4.Address=<IPv4 address>
         Matches the specified filter against both source and destination
         IPv4 addresses.
        e.g. IPv4.Address=157.59.136.1
        e.g. IPv4.Address=!(157.59.136.1)
        e.g. IPv4.Address=(157.59.136.1,157.59.136.11)

        IPv4.SourceAddress=<IPv4 address>
         Matches the specified filter against source IPv4 addresses.
        e.g. IPv4.SourceAddress=157.59.136.1

        IPv4.DestinationAddress=<IPv4 address>
         Matches the specified filter against destination IPv4 addresses.
        e.g. IPv4.DestinationAddress=157.59.136.1

        IPv6.Address=<IPv6 address>
         Matches the specified filter against both source and destination
         IPv6 addresses.
        e.g. IPv6.Address=fe80::5038:3c4:35de:f4c3\%8
        e.g. IPv6.Address=!(fe80::5038:3c4:35de:f4c3\%8)

        IPv6.SourceAddress=<IPv6 address>
         Matches the specified filter against source IPv6 addresses.
        e.g. IPv6.SourceAddress=fe80::5038:3c4:35de:f4c3\%8

        IPv6.DestinationAddress=<IPv6 address>
         Matches the specified filter against destination IPv6 addresses.
        e.g. IPv6.DestinationAddress=fe80::5038:3c4:35de:f4c3\%8

        CustomMac=<type(offset,value)>
         Matches the specified filter against the value at the specified
         offset starting with the MAC header.
         Note: This capture filter does not support ranges, lists or negation.
        e.g. CustomMac=UINT8(0x1,0x23)
        e.g. CustomMac=ASCIISTRING(3,test)
        e.g. CustomMac=UNICODESTRING(2,test)

        CustomIp=<type(offset,value)>
         Matches the specified filter against the value at the specified
         offset starting with the IP header.
         Note: This capture filter does not support ranges, lists or negation.
        e.g. CustomIp=UINT16(4,0x3201)
        e.g. CustomIp=UINT32(0x2,18932)

        CaptureMultiLayer=<yes|no>
         Enables multi-layer packet capture.
         Note: This capture filter does not support ranges, lists or negation.

        PacketTruncateBytes=<value>
         Captures only the the specified number of bytes of each packet.
         Note: This capture filter does not support ranges, lists or negation.
        e.g. PacketTruncateBytes=40

Note:
        Multiple filters may be used together. However the same filter may
        not be repeated.
        e.g. 'netsh trace start capture=yes Ethernet.Type=IPv4
              IPv4.Address=157.59.136.1'

        Filters need to be explicitly stated when required. If a filter is
        not specified, it is treated as "don't-care".
         e.g. 'netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1'
              This will capture IPv4 packets only from 157.59.136.1, and it
              will also capture packets with non-IPv4 Ethernet Types, since
              the Ethernet.Type filter is not explicitly specified.
         e.g. 'netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1
               Ethernet.Type=IPv4'
              This will capture IPv4 packets only from 157.59.136.1. Packets
              with other Ethernet Types will be discarded since an explicit
              filter has been specified.

        Capture filters support ranges, lists and negation (unless stated
        otherwise).
         e.g. Range: 'netsh trace start capture=yes Ethernet.Type=IPv4
                      Protocol=(4-10)'
              This will capture IPv4 packets with protocols between 4 and 10
              inclusive.
         e.g. List: 'netsh trace start capture=yes Ethernet.Type=(IPv4,IPv6)'
              This will capture only IPv4 and IPv6 packets.
         e.g. Negation: 'netsh trace start capture=yes Ethernet.Type=!IPv4'
              This will capture all non-IPv4 packets.

        Negation may be combined with lists in some cases.
         e.g. 'netsh trace start capture=yes Ethernet.Type=!(IPv4,IPv6)'
               This will capture all non-IPv4 and non-IPv6 packets.

        'NOT' can be used instead of '!' to indicate negation. This requires
        parentheses to be present around the values to be negated.
         e.g. 'netsh trace start capture=yes Ethernet.Type=NOT(IPv4)'

You can get information about the netsh trace start command:

C:\> netsh trace start /?

start
  Starts tracing.

  Usage: trace start [[scenario=]]
        [[globalKeywords=]keywords] [[globalLevel=]level]
        [[capture=]yes|no] [[report=]yes|no]
        [[persistent=]yes|no] [[traceFile=]path\filename]
        [[maxSize=]filemaxsize] [[fileMode=]single|circular|append]
        [[overwrite=]yes|no] [[correlation=]yes|no|disabled] [capturefilters]
        [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]
        [[level=]level] [[provider=]provider2IdOrName]
        [[keywords=]keyword2MaskOrSet] [[level=]level2] ...

Defaults:
        capture=no (specifies whether packet capture is enabled
                in addition to trace events)
        report=no (specifies whether a complementing report will be generated
                along with the trace file)
        persistent=no (specifies whether the tracing session continues
                across reboots, and is on until netsh trace stop is issued)
        maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
        fileMode=circular
        overwrite=yes (specifies whether an existing trace output file will
                be overwritten)
        correlation=yes (specifies whether related events will be correlated
                and grouped together)
        traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
                (specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.

For example:

netsh trace start scenario=InternetClient capture=yes

        Starts tracing for the InternetClient scenario and dependent providers
                with packet capture enabled.
        Tracing will stop when the "netsh trace stop" command is issued
                or when the system reboots.
        Default location and name will be used for the output file. If an old
                file exists, it will be overwritten.

netsh trace start provider=microsoft-windows-wlan-autoconfig
        keywords=state,ut:authentication

        Starts tracing for the microsoft-windows-wlan-autoconfig provider
        Tracing will stop when the "netsh trace stop" command is issued
                or when the system reboots.
        Default location and name will be used for the output file. If an old
                file exists, it will be overwritten.
        Only events with keyword 'state' or 'ut:authentication' will be logged.

        netsh trace show provider command can be used to display
                supported keywords and levels.

Capture Filters:
        Capture filters are only supported when capture is explicitly
        enabled with capture=yes. Use 'netsh trace show CaptureFilterHelp'
        to display a list of supported capture filters and their usage.

All captures should, unless you have a more specific goal in mind, have the Capture=yes parameter at the beginning of the trace statement, and provider=Microsoft-Windows-NDIS-PacketCapture level=5 keywords=ut:ReceivePath,ut:SendPath provider=Microsoft-Windows-Networking-Correlation level=1 keywords=ut:Packet at the end of the trace statement (after the capture filters have been specified). This ensures that just the packet data is captured and not other verbose, unrelated trace messages.

Optionally choose an interface:

C:\> netsh trace show interface
Ethernet adapter Local Area Connection 4:
    Description:     Intel(R) PRO/1000 MT Desktop Adapter
    Interface GUID:  {7C101C48-7750-4876-9746-C55584C59818}
    Interface Index: 21
    Interface Luid:  0x6000011000000

Ethernet adapter VirtualBox Host-Only Network:
    Description:     VirtualBox Host-Only Ethernet Adapter
    Interface GUID:  {2557E211-2DEF-47E6-B6B6-B56CD20092D5}
    Interface Index: 17
    Interface Luid:  0x600000F000000

Some examples:

  • netsh trace start Capture=yes Correlation=no Report=no Scenario=InternetClient Tracefile=c:\temp\capture.etl Ethernet.Type=IPv4 IPv4.Address=(10.0.0.1,10.1.0.1,10.2.0.1,10.3.0.1) Protocol=UDP PacketTruncateBytes=256 CaptureInterface={7C101C48-7750-4876-9746-C55584C59818}
    Limits packet captures to the first 256 bytes of each packet, UDP only, IPv4 only, on the specified network interface only, to/from any of the 4 IP addresses specified, written to the specified .etl file, with no report and no correlation.
  • netsh trace start Capture=yes Correlation=no Report=no Tracefile=c:\temp\capture.etl Ethernet.Type=IPv4 IPv4.Address=(10.0.0.1,10.1.0.1,10.2.0.1,10.3.0.1) Protocol=UDP PacketTruncateBytes=256 CaptureInterface={7C101C48-7750-4876-9746-C55584C59818} provider=Microsoft-Windows-NDIS-PacketCapture level=5 keywords=ut:ReceivePath,ut:SendPath provider=Microsoft-Windows-Networking-Correlation level=1 keywords=ut:Packet
    Largely prevents “Microsoft-Windows-Networking-Correlation” module noise in the packet capture by limiting that provider's verbosity level to 1, and specifies that packets coming in and going out should be captured at debugging level (5) verbosity for the “Microsoft-Windows-NDIS-PacketCapture” provider; everything else as above. This produces far smaller capture files. Note that the provider specifications must come after the capture filters.

Converting to Wireshark .cap format: you can either use the Microsoft Message Analyzer GUI to open the .etl file, wait until it has processed the entire file (this takes tens of minutes), and then save the file as a .cap export.

Or you can do the following in PowerShell (the PEF module is installed with Message Analyzer):

import-module PEF
$s = New-PefTraceSession -Path "C:\temp\wireshark-dump.cap" -SaveOnStop
$s | Add-PefMessageProvider -Provider "C:\temp\capture.etl"
$s | Start-PefTraceSession

So what can’t netsh do?

  • capture a specific application protocol, such as DNS, SNMP, or the like, because it does not permit matching on ports. Even if you try something like CustomIp=UINT16(22,53) you have to hope that the IPv4 header is its minimum 20 bytes and no longer, and you can only match on the source OR the destination port but not both, which means you will not see request/response pairs – and those are essential to any tracing session
  • export in a Wireshark-friendly format
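The fixed-offset caveat in the first bullet, shown with an added Python example that is not part of the original post: it builds constructed IPv4/UDP packets, emulates what a CustomIp=UINT16(22,53) filter would test, and compares that with a header-aware "either port is 53" check. It assumes CustomIp compares the field in network byte order, which the netsh help text does not state.

```python
import socket
import struct


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload=b"", options=b""):
    """Construct an IPv4/UDP packet starting at the IP header (checksums left zero).
    Sample data only; not a real capture."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4              # header length in 32-bit words
    udp_len = 8 + len(payload)
    total = ihl * 4 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0,
                     64, 17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    return ip + options + udp


def ipv4_header_length(packet):
    """Real IPv4 header length in bytes, taken from the IHL nibble."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = packet[0] & 0x0F
    if ihl < 5:
        raise ValueError("invalid IHL")
    return ihl * 4


def transport_ports(packet):
    """(src_port, dst_port) for TCP/UDP, located via the actual header length."""
    hl = ipv4_header_length(packet)
    if packet[9] not in (6, 17):
        raise ValueError("not TCP or UDP")
    return struct.unpack("!HH", packet[hl:hl + 4])


def custom_ip_uint16_matches(packet, offset, value):
    """Emulate CustomIp=UINT16(offset,value): a 16-bit compare at a fixed offset
    from the start of the IP header. Network byte order is an assumption here."""
    if offset + 2 > len(packet):
        return False
    return struct.unpack("!H", packet[offset:offset + 2])[0] == value


def is_dns_exchange(packet):
    """What a tcpdump-style 'port 53' filter expresses: either port is 53."""
    return 53 in transport_ports(packet)


# Constructed sample traffic: a DNS query, its response, and the same query
# carrying four NOP options (IHL=6), which shifts the UDP header by 4 bytes.
QUERY = build_ipv4_udp("10.0.0.5", "10.0.0.1", 51000, 53, b"\x00" * 12)
RESPONSE = build_ipv4_udp("10.0.0.1", "10.0.0.5", 53, 51000, b"\x00" * 12)
QUERY_WITH_OPTIONS = build_ipv4_udp("10.0.0.5", "10.0.0.1", 51000, 53,
                                    b"\x00" * 12, options=b"\x01\x01\x01\x01")


def compare_filters():
    """Per packet: (fixed-offset CustomIp match, header-aware port-53 match)."""
    return {name: (custom_ip_uint16_matches(p, 22, 53), is_dns_exchange(p))
            for name, p in [("query", QUERY), ("response", RESPONSE),
                            ("query_with_options", QUERY_WITH_OPTIONS)]}


if __name__ == "__main__":
    for name, (fixed, aware) in compare_filters().items():
        print(f"{name:20s} CustomIp=UINT16(22,53): {fixed!s:5}  port 53 either side: {aware}")
```

Only the plain query satisfies the fixed-offset filter; the response (port 53 on the source side) and the query with IP options are both missed, while the header-aware check sees all three.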

The provided “netsh trace” command that comes with Microsoft products is conclusive proof that Windows is never a good solution in an enterprise environment. While Linux servers have the “tcpdump” tool that allows specific filtering on so many different parameters the Windows “netsh trace” command flails around unable to be of much use to anybody trying to debug a networking or application related issue.

Any time a “Solution Architect” recommends a Windows or other Microsoft related product you will know instantly that they have never had to maintain or troubleshoot a real enterprise system in the wild.

Windows 10 TCP/Internet Slow With Chrome and OpenWRT Router

So I was having issues getting a Windows 10 laptop running Google Chrome connected via wifi to a router running OpenWRT Chaos Calmer 15.05.1.

The Windows 10 laptop would take a long time to establish a connection and then a long time for any data to transfer at an incredibly slow rate.

At first I thought it was Google Chrome but downloaded Firefox and was still having the same issues.

There are many proposed solutions but the commands that appeared to make a magical difference and instantly speed things up were:

netsh interface tcp show global
netsh interface tcp set global autotuning=disabled

At this stage things did not magically get better.

Then I tried:

netsh interface tcp show heuristics
netsh interface tcp set heuristics enabled

Now the Internet suddenly got quicker.

To undo these changes (if they don’t work for you):

netsh interface tcp set global autotuning=normal
netsh interface tcp set heuristics disabled

Also, because I messed around with the MTU on the WiFi interface I had to run the following to restore things to a relatively normal default:

netsh interface ipv4 set subinterface "WiFi" mtu=1458 store=persistent

Microsoft Don’t Do Information

In my experience over the years Microsoft products, from Operating Systems to Servers, routinely neglect to inform the user why something has gone wrong. In fact sometimes Microsoft, when they rarely attempt to be helpful, appear to go out of their way to give a wrong error message – which completely will confuse you!

I bought a new laptop which had Windows 8 pre-installed. I also have a friend with Windows 8.1. Both of these laptops have had the same problem: the WiFi connection will show up as “limited” (and not work) with ordinary routers that every other WiFi device has no problems connecting to (such as phones, and other laptops running other Operating Systems such as Ubuntu or Windows 7).

The WiFi “limited” issue is the reason why I formatted my laptop and replaced the OS with Xubuntu. I’ve not had any WiFi issues since. It is also the reason why I’ll never purchase another Microsoft Operating System for home use in my lifetime.

It’s not just that Microsoft have seemingly broken ordinary WiFi connectivity. That’s a grave enough error in a modern Operating System. But the more severe error is that Windows 8/8.1 will just show the connection as “limited” without any description as to why. A reason might just help a poor customer diagnose the fault. Is it an inability to get a wireless signal? Is it because it cannot get an IP address assigned? Is it because Microsoft are trying to ping a server of theirs and it is failing? What is it!?!

And it’s not just WiFi connectivity where Microsoft stick two fingers up at the consumer with little-to-no information. I used to work with IIS (Internet Information Services, Microsoft’s version of a working web server like Apache). This incredibly crass piece of software would return the wrong error code – e.g. when a CGI application failed to execute properly the server would return a 404 error (page not found) rather than a 500 error (server problem). If there’s one thing worse than returning no or little information – it is returning blatantly false information.

Conclusion? Microsoft hate people. Microsoft couldn’t give a passing thought about people. Information is not something Microsoft do. Instead they sell, market, and sell glossy interfaces. But helping you get a job done – like connecting to an ordinary WiFi router, or diagnosing why a web service isn’t working – well Microsoft will do their darnedest to make your life miserable.

WHEN YOU HAVE A CHOICE, DO NOT BUY MICROSOFT. IT IS ALMOST ALWAYS THE WRONG CHOICE.

Microsoft Mouse in Windows 7 Became Slow and Laggy

Last month, April 2014, I started to experience severe problems with my USB Microsoft Mouse (cabled) on Windows 7. Frequently it would stop responding altogether and suspending the computer and waking it up seemed to get it working again for between 2 and 10 minutes – but then it would stop working again.

I suspected my cabled mouse was getting old and dysfunctional (highly unusual for an optical mouse, but one can be unlucky). So I removed the cabled mouse and plugged in a wireless USB Microsoft Mouse. This didn’t stop working. But it suffered a different problem.

From time to time the mouse would appear “slow”. It would update on the screen maybe twice a second, or even less frequently, once per second, or pause for several seconds before responding again.

The solution in my case was to do the following. Open Device Manager (start menu, type “device manager”). Then expand the “Universal Serial Bus controllers” item, right click on “Microsoft Mouse and Keyboard Detection Driver (USB)”, and left-click on “Uninstall”. You do not need to tick the box that asks to delete the driver software.

Uninstall Microsoft Mouse and Keyboard Detection Driver (USB)

The mouse stopped working at this point. So I connected my trusty cabled mouse and I clicked “cancel” as the Microsoft Mouse detection program started running looking for special drivers for my mouse.

Turns out I have to do this every time the mouse slows down. Go to device manager, uninstall the driver, then unplug and re-plug my mouse.