I have a Windows 10 VM on Hyper-V. It is a production system (yeah I know) that is running multiple critical services that I need to analyse so I can migrate it off to something better. I need to capture the network traffic on that system to ensure all services are covered and that it can be firewalled.
The problems arise with the circumstances regarding that machine. It's hosted on a production Hyper-V environment on 20Gbps trunks (so I can't install anything, port mirroring would overwhelm the 1Gbps dest, and port mirror filtering would overwhelm the switch), there's very little storage space available to the VM so local capture is out, and anything that may cause the services to go down is right out.
If this were a Linux machine, getting what I need would be easy. Tcpdump stream to another Linux machine, rotate the files out regularly and run an awk script on the output to capture and combine what I need (TCP SYN and all srcIP-destIP-destPort unique tuples).
But this is Windows 10. There doesn't seem to be any remote packet streaming software for newer versions of Windows at all. WinPCAP had an experimental version of RPCAPD (remote Pcap daemon), but it hasn't been updated in 5 years and doesn't support Win10 (and again, production system so I can't risk breaking anything).
So far I've found and flunked the following:
- Win10Pcap: no mention of RPCAPD support
- TCPDump for Windows: no free commercial use
- WinPcap: risk of entire VM or network stack imploding
- Pktmon: no Pcap, no streaming
- Wireshark/Tshark: no remote streaming support
- Nirsoft apps: nothing that appears to support remote streaming
Have I missed something, or is there only one (non-free) way to get a packet capture stream from Windows?
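The Linux-side pipeline the question describes (tcpdump text output, filtered to TCP SYNs and reduced to unique srcIP/dstIP/dstPort tuples), as an added example that is not code from the original post. The tcpdump lines are constructed, and the function name `syn_tuples` is assumed:

```shell
#!/bin/sh
# Added example (not the poster's script): the parsing step of the Linux
# pipeline from the question. Reads `tcpdump -nn` text output and prints each
# distinct "srcIP dstIP dstPort" seen in a pure SYN (client-initiated
# connection attempt), so a service inventory can be built for firewalling.
#
# Real use would be a stream such as:
#   tcpdump -nn -l -i eth0 'tcp[tcpflags] & tcp-syn != 0' | syn_tuples
# The awk filter below keeps only [S] lines, so SYN/ACK server replies and
# any other segments that slip through the BPF filter are dropped.

# Constructed sample of tcpdump -nn output (not a real capture).
SAMPLE='12:00:01.000001 IP 10.0.0.5.51000 > 10.0.0.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.20.443 > 10.0.0.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.51000 > 10.0.0.20.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.7.40000 > 10.0.0.20.443: Flags [S], seq 9, win 64240, length 0
12:00:03.000000 IP 10.0.0.5.51001 > 10.0.0.20.443: Flags [S], seq 5, win 64240, length 0
12:00:04.000000 IP 10.0.0.5.52000 > 10.0.0.21.3389: Flags [S], seq 7, win 64240, length 0
12:00:05.000000 IP 10.0.0.5.52001 > 10.0.0.21.3389: Flags [P.], seq 1:10, ack 1, win 502, length 9'

# syn_tuples: stdin = tcpdump text; stdout = unique "src dst dport" lines.
# Field layout of a tcpdump -nn line:
#   $1 time  $2 "IP"  $3 src.sport  $4 ">"  $5 dst.dport:  $6 "Flags"  $7 "[S],"
syn_tuples() {
    awk '
        $2 == "IP" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)          # drop source port
            dst = $5; sub(/:$/, "", dst)                 # drop trailing colon
            n = split(dst, p, ".")                       # IPv4 octets + port
            dport = p[n]
            dip = p[1] "." p[2] "." p[3] "." p[4]
            key = src " " dip " " dport
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | syn_tuples
```

The same function works unchanged on rotated capture files (`cat capture-*.txt | syn_tuples`), which is the "rotate and combine" half of the pipeline.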