pcap capture windows server

Asphyxia

Owner
Administrator
Apr 25, 2015
Creates a pcap capture file automatically when it is attacked by DDoS
Windows server
Do you have a preference between using Wireshark or another packet analysis tool?

I know WinDump is the Windows alternative to tcpdump. If you have access to PowerShell, you could script something in a loop that keeps running and checks for absurdly large amounts of open connections. Even better could be to continuously generate pcaps using WinDump over 10-minute intervals and delete anything that is NORMAL. Essentially, this would look like running 10m interval collections (pcap) and then auto-deleting anything that is normal in size; for example, a pcap file resulting in XXMB is good to delete/trash, while a 1GB flow over 10m might be something to spill your coffee onto the floor about... unless you run a file uploading site and people upload a GB over 10m.


This is all entirely going to be unique to your environment. Is this a game server? Is this a voice server? etc. Capturing the attack will be intricate if the attack is not noisy (high traffic). If this is an L7 attack, the attacker could generate heaps of RAM/CPU only calling specific requests.

Reference for timing tcpdump (known as WinDump for Windows): https://stackoverflow.com/a/25731765

If you need help, let me know.
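One way to script the 10-minute rotate-and-prune loop described in the reply above, in PowerShell. This is an added example, not code from the thread or from the WinDump project; the WinDump path, the interface number, the snaplen and the size baseline are assumptions you set from your own server's quiet-period traffic.

```powershell
# Added example (not from the thread): rotate WinDump captures every 10 minutes,
# keep only the windows whose pcap is larger than a baseline measured from your
# own normal traffic, and log a breadcrumb for each kept window.
$WinDump    = 'C:\Tools\WinDump.exe'   # assumption: where WinDump is installed
$Interface  = '1'                      # assumption: pick it from `WinDump.exe -D`
$OutDir     = 'C:\Captures'
$IntervalS  = 600                      # the 10-minute windows suggested above
$KeepAboveB = 200MB                    # assumption: baseline from a quiet period
$Snaplen    = 96                       # headers only: smaller files, and request
                                       # or upload bodies are not stored on disk

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

while ($true) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir "capture-$stamp.pcap"

    # -U flushes each packet to the file so the capture survives being stopped.
    # Assumption: your WinDump build accepts tcpdump's -U; drop it if it does not.
    $p = Start-Process -FilePath $WinDump -PassThru -NoNewWindow `
         -ArgumentList "-i $Interface -s $Snaplen -U -w `"$file`""

    Start-Sleep -Seconds $IntervalS
    if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force }
    Start-Sleep -Seconds 2                       # let the file handle close

    $size = (Get-Item $file).Length
    if ($size -lt $KeepAboveB) {
        Remove-Item $file                        # normal-sized window: discard
    } else {
        # Abnormal volume: keep the pcap. An established-connection count taken
        # at the same moment helps triage before the file is opened in Wireshark.
        $conns = (Get-NetTCPConnection -State Established `
                  -ErrorAction SilentlyContinue).Count
        "$stamp size=$size bytes established=$conns" |
            Add-Content (Join-Path $OutDir 'anomalies.log')
    }
}
```

Size alone is a coarse signal, so treat the threshold as a starting point and revisit it after a few days of kept and discarded windows; a low-rate L7 attack, as the reply notes, may never cross it.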