Saturday, September 7, 2013

Capturing network traffic using the netsh command for the Windows Filtering Platform

The Windows Filtering Platform (WFP) is a network filtering architecture that debuted in Windows Vista and Windows Server 2008. Microsoft added a diagnostic tool for the Windows Filtering Platform in Windows 7 and Windows Server 2008 R2. To capture network traffic, launch an elevated command prompt and use the following command:

netsh wfp capture start

To stop the capture, use the command:

netsh wfp capture stop

[screenshot: netsh_wfp_1]

Within the .cab output file, two files should be present.

[screenshot: netsh_wfp_2]

Within the .XML file, details of the network traffic should be present. The example below is a ping to the IP address 8.8.8.8.

[screenshot: netsh_wfp_3]
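The whole procedure above (start the capture, generate the ping, stop, unpack the .cab and search the XML for the pinged address) driven from one elevated PowerShell session. This is an added example, not part of the original post. It assumes netsh accepts a file= argument naming the output .cab (if not, netsh writes wfpdiag.cab to the current directory, and the path can be adjusted) and that the built-in expand.exe can unpack that .cab.

```powershell
# Added example: drive the WFP diagnostic capture from PowerShell and
# inspect the result. Assumptions: "file=" is accepted by netsh wfp capture
# start, and expand.exe can unpack the resulting .cab (both standard on Win7+).
#Requires -RunAsAdministrator

$workDir = Join-Path $env:TEMP 'wfp-capture'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$cab = Join-Path $workDir 'wfpdiag.cab'

# Start the capture, generate the traffic of interest, then stop.
netsh wfp capture start file="$cab" | Out-Null
ping.exe -n 2 8.8.8.8 | Out-Null
netsh wfp capture stop | Out-Null

if (-not (Test-Path $cab)) { throw "Expected capture file not found: $cab" }

# Unpack every file from the .cab into a subfolder.
$extractDir = Join-Path $workDir 'extracted'
New-Item -ItemType Directory -Path $extractDir -Force | Out-Null
expand.exe -F:* $cab $extractDir | Out-Null

# The post notes two files should be present; list them with sizes.
Get-ChildItem $extractDir | Select-Object Name, Length | Format-Table -AutoSize

# Locate the XML and pull out the lines that mention the pinged address.
$xml = Get-ChildItem $extractDir -Filter '*.xml' | Select-Object -First 1
if ($null -eq $xml) { throw 'No XML file found in the capture' }
Select-String -Path $xml.FullName -Pattern '8\.8\.8\.8' |
    Select-Object -First 10 LineNumber, Line
```

Running the script as a non-elevated user fails at the first netsh call; the #Requires line makes that failure explicit rather than leaving an empty .cab behind.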

How to check if Secure Boot is enabled with Windows 8

To determine if the Secure Boot feature is enabled, launch a PowerShell session with local administrative authority and use the following cmdlet:

Confirm-SecureBootUEFI

The possible answers are True, False, or the platform does not support the feature.

[screenshot: ConfirmSecureBootUEFI]

[screenshot: ConfirmSecureBootUEFI_2]
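A small wrapper that turns the three outcomes listed above (True, False, platform not supported) into a single value a compliance script can act on. This is an added example, not from the post. It assumes that on a non-UEFI (legacy BIOS) host the cmdlet raises a terminating error whose message contains "not supported"; the function name Get-SecureBootState is this example's own.

```powershell
# Added example: normalise Confirm-SecureBootUEFI into Enabled / Disabled /
# NotSupported. Assumption: on a legacy BIOS host the cmdlet throws an error
# whose message contains "not supported".
#Requires -RunAsAdministrator

function Get-SecureBootState {
    [CmdletBinding()]
    param()

    try {
        # -ErrorAction Stop makes any failure land in the catch block.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        if ($_.Exception.Message -match 'not supported') {
            'NotSupported'
        }
        else {
            # Anything else (e.g. access denied when not elevated) is a real error.
            throw
        }
    }
}

$state = Get-SecureBootState
Write-Output "Secure Boot on $env:COMPUTERNAME : $state"
if ($state -ne 'Enabled') {
    Write-Warning 'Secure Boot is not enforcing; pre-OS code integrity is not verified on this host.'
}
```

Because the cmdlet itself requires administrative rights, the #Requires line stops the script early instead of reporting an access-denied error as if it were a Secure Boot result.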

Information concerning snapshot files within VMware

Below is a list of files for a Windows 7 virtual machine with VMware Workstation without any snapshot entries present:

[screenshot: vmware_snapshots_1]

Below is the updated list after a snapshot has been created.

[screenshot: vmware_snapshots_2]

Below are the contents of the .vmsd file:

[screenshot: vmware_snapshots_3]

The snapshot list file contains the name of the .vmsn file, the snapshot name, the description, the name of the original disk and the subsequent snapshot files. Below are the contents of the .vmsd file after the snapshot has been deleted.

[screenshot: vmware_snapshots_4]
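A parser that reads a .vmsd file and lists, per snapshot, the fields the post describes (the .vmsn file, snapshot name, description and the disk files). This is an added example, not from the post or from VMware; the sample .vmsd text is constructed for the example in the key = "value" layout that .vmsd files use, and the function name ConvertFrom-Vmsd is this example's own. Scanning for snapshotN.uid keys rather than trusting snapshot.numSnapshots means a file edited by a deletion, like the one shown above, still parses.

```powershell
# Added example: parse a .vmsd snapshot list into objects. The sample below is
# constructed for this example, following the key = "value" layout of .vmsd.
$sampleVmsd = @'
.encoding = "UTF-8"
snapshot.lastUID = "2"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "Windows 7-Snapshot1.vmsn"
snapshot0.displayName = "Before patching"
snapshot0.description = "Clean install, pre-patch baseline"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "Windows 7.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.filename = "Windows 7-Snapshot2.vmsn"
snapshot1.displayName = "After patching"
snapshot1.description = ""
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "Windows 7-000001.vmdk"
snapshot1.disk0.node = "scsi0:0"
snapshot.numSnapshots = "2"
'@

function ConvertFrom-Vmsd {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Collect every key = "value" pair into a hashtable.
    $kv = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*"(.*)"\s*$') {
            $kv[$Matches[1]] = $Matches[2]
        }
    }
    $current = $kv['snapshot.current']

    # Discover snapshot entries from their uid keys, not from numSnapshots,
    # so a file left inconsistent by a deletion still yields what remains.
    foreach ($key in ($kv.Keys | Where-Object { $_ -match '^snapshot(\d+)\.uid$' } | Sort-Object)) {
        $prefix = $key -replace '\.uid$', ''
        $disks = @()
        $n = 0
        while ($kv.ContainsKey("$prefix.disk$n.fileName")) {
            $disks += "$($kv["$prefix.disk$n.node"]) -> $($kv["$prefix.disk$n.fileName"])"
            $n++
        }
        [pscustomobject]@{
            Uid         = $kv[$key]
            Parent      = $kv["$prefix.parent"]
            Name        = $kv["$prefix.displayName"]
            Description = $kv["$prefix.description"]
            VmsnFile    = $kv["$prefix.filename"]
            Disks       = ($disks -join '; ')
            IsCurrent   = ($kv[$key] -eq $current)
        }
    }
}

# Parse the constructed sample; for a real VM, replace with:
#   ConvertFrom-Vmsd (Get-Content 'C:\VMs\Windows 7\Windows 7.vmsd')
ConvertFrom-Vmsd ($sampleVmsd -split "`r?`n") | Format-Table -AutoSize
```

For forensic work the Disks column is the useful part: each snapshot's disk entry names the delta .vmdk that was active when the snapshot was taken, which is how the chain from the base disk to the current state is reconstructed.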

Monday, September 2, 2013

Network Monitor feature within Firefox and Chrome

Starting with version 23, Firefox includes a network monitoring feature that can be accessed with the keyboard shortcut Control-Shift-Q or via Tools -> Web Developer -> Network.

[screenshot: firefox_network_monitor]

Chrome has a similar feature, which can be accessed by pressing the F12 key.

[screenshot: chrome_network_monitor]

Horizon View Events Notifier

Horizon View Events Notifier is an application that can generate email alerts based on events within the VMware View Events database.

http://chrisdhalstead.net/2013/08/18/horizon-view-events-notifier/

Graylog2

Graylog2 is a free, open source log management application. It consists of a server written in Java that accepts your syslog messages via TCP, UDP or AMQP and stores them in a database for later review.

http://graylog2.org/

TraceWrangler

TraceWrangler is a utility, currently for the Windows platform, that sanitizes Wireshark packet capture data.

http://www.tracewrangler.com/

PowerShell cmdlets to remove Modern applications within Windows 8

A few PowerShell cmdlets are available to remove Modern applications within Windows 8. Remove-AppxProvisionedPackage removes an application from the operating system but does not remove the icons from any existing user profiles. Remove-AppxPackage removes an application for the user currently logged on.

[screenshot: powershell_appxpackage]
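A script that applies both cmdlets above to one application, so the app is neither provisioned for new profiles nor left installed for the current user. This is an added example, not from the post. The package name is a placeholder to be replaced with the DisplayName reported by Get-AppxProvisionedPackage (the same value Get-AppxPackage reports as Name); the $AppName parameter is this example's own.

```powershell
# Added example: remove one Modern app at both scopes the post distinguishes.
# 'Contoso.PlaceholderApp' is a placeholder, not a real package name.
#Requires -RunAsAdministrator
param([string]$AppName = 'Contoso.PlaceholderApp')

# 1. Provisioned package: stops the app from being installed into NEW user
#    profiles. Existing profiles keep their copy (and its tile), as the post notes.
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $AppName }
if ($provisioned) {
    foreach ($pkg in $provisioned) {
        Write-Output "Removing provisioned package $($pkg.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
    }
} else {
    Write-Output "No provisioned package named $AppName"
}

# 2. Installed package for the CURRENT user only. Other users' profiles are
#    untouched; the same step has to run in each of their sessions.
$installed = Get-AppxPackage -Name $AppName
if ($installed) {
    foreach ($pkg in $installed) {
        Write-Output "Removing $($pkg.PackageFullName) for $env:USERNAME"
        Remove-AppxPackage -Package $pkg.PackageFullName
    }
} else {
    Write-Output "$AppName is not installed for $env:USERNAME"
}
```

Run it once per image to handle provisioning, then once in each existing user's session for step 2; appending -WhatIf to the two Remove- calls previews the changes without applying them.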