Holy Ol'  ⚔️ — The wizard Frodo summoned Wireshark on captured scrolls from JOHNNYCAMELOT, and lo! 

the interface was the very same as in the knight’s first quest after college. 

 

Here’s how you’d do it with the tools Windows 11 already has (pktmon), and then decode on Frodo (with Wireshark/tcpdump):

🟢 1. Start a capture on JOHNNYCAMELOT (over SSH)

In your SSH session:

fred@JOHNNYCAMELOT C:\Users\fred>pktmon start --etw 

pktmon start --etw -p 0

fred@JOHNNYCAMELOT C:\Users\fred>pktmon start --etw -p 0
Error: '0' is not a valid event provider Id.

fred@JOHNNYCAMELOT C:\Users\fred>pktmon start --etw

Logger Parameters:
    Logger name:        PktMon
    Logging mode:       Circular
    Log file:           C:\Users\fred\PktMon.etl
    Max file size:      512 MB
    Memory used:        256 MB

Collected Data:
    Packet counters, packet capture

Capture Type:
    All packets

Monitored Components:
    All

Packet Filters:
    None

fred@JOHNNYCAMELOT C:\Users\fred>
fred@JOHNNYCAMELOT C:\Users\fred>
fred@JOHNNYCAMELOT C:\Users\fred>pktmon stop
Flushing logs...
Merging metadata...
Log file: C:\Users\fred\PktMon.etl (No events lost)

fred@JOHNNYCAMELOT C:\Users\fred>pktmon pcapng C:\Users\fred\PktMon.etl -o C:\Users\fred\capture.pcapng
Processing...

Packets total:       8732
Packet drop count:   800
Packets formatted:   8732
Formatted file:      C:\Users\fred\capture.pcapng
  • --etw = event tracing
  • -p 0 = capture all packets (not just dropped)

 

 

 

Let it run while you generate traffic (e.g. ping, ssh, http).

 

🟢 2. Stop the capture 

pktmon stop

🟢 3. Convert to pcapng (Wireshark format) 

pktmon pcapng PktMon.etl -o capture.pcapng

This makes capture.pcapng in your current dir.

🟢 4. Copy it to Frodo

 

From Frodo, run: 

scp fred@10.20.30.3:C:\Users\fred\capture.pcapng .

(Replace path if you saved elsewhere; note Windows paths with quotes if needed.)

🟢 5. Open in Wireshark on Frodo 

wireshark capture.pcapng

Now you can use all the protocol decoders — HTTP, DNS, TCP handshakes, etc.

⚡ Why this works well

  • You use SSH only for remote control (no need to be physically at JOHNNYCAMELOT).
  • Captures are stored locally on the Windows box, then pulled across to Frodo for deep analysis.
  • No extra installs required on Windows — pktmon is already there.

👉 Want me to also show you how to do live packet sniffing directly over SSH (using tshark or tcpdump style output to your terminal) instead of saving to a file?

 

Nice — looks like the copy worked ✅

Open & poke around

On Frodo: 

wireshark capture.pcapng

Handy Wireshark display filters

  • Show only ARP: arp
  • Only DNS: dns
  • Only HTTP(S) handshakes: tcp.port == 80 || tcp.port == 443
  • Only SSH: tcp.port == 22
  • Only ICMP (pings): icmp || icmpv6
  • Traffic to/from Johnny: ip.addr == 10.20.30.3
  • TCP handshakes only: tcp.flags.syn == 1 && tcp.flags.ack == 0

Quick workflow

  • Disable name resolution (faster): View → Name Resolution (untick all).
  • See who talked most: Statistics → Endpoints and Statistics → Conversations.
  • Spot top protocols: Statistics → Protocol Hierarchy.
  • Reconstruct a flow: right-click a packet → Follow → TCP stream.

Want me to skim this pcap with a tshark one-liner and summarize who’s chatting the most?

TCP layer

Ahhh ⚔️ — love seeing that capture! What you’ve got open is exactly what you described earlier: the familiar interface you worked with after college. Let’s walk through what you’re seeing:

🧾 What’s on your screen

  • Source/Destination: 10.20.30.2 ↔ 10.20.30.3
    That’s Frodo (10.20.30.2) talking to JOHNNYCAMELOT (10.20.30.3).
  • Protocol: first a couple of raw TCP packets, then SSH.
    → This is the TCP handshake (SYN, SYN-ACK, ACK) followed by the SSH session setup.
  • Ports: Source port 53316 → random ephemeral port from Frodo, Destination port 22 → SSH on Johnny.
  • Info Pane (bottom): TCP sequence numbers, ACKs, etc. Right now it’s showing “Sequence Number (relative seq)” for packet 1.
  • Hex dump: on the right you see the raw packet bytes. On the left, Wireshark is decoding them into headers.

 

  •  

Good-bye 

Client → Server: FIN, ACK
Server → Client: ACK
Server → Client: FIN, ACK
Client → Server: ACK

 

🤝 FIN/ACK – The Polite Farewell

Client (Knight):  ──► [FIN, ACK] ──►   Server (Wizard)
                    "My quest is done. I take my leave."

Server (Wizard):  ◄── [ACK] ◄── 
                    "I hear you, brave knight."

Server (Wizard):  ──► [FIN, ACK] ──►
                    "And now I too shall rest."

Client (Knight):  ◄── [ACK] ◄── 
                    "So be it. Farewell."

(Both bow, the port closes gracefully.)

💥 RST – The Door Slam

Client (Knight):  ──► [RST] ──►   Server (Wizard)
                    "Begone! I'm done with this nonsense!"

(The wizard is left blinking at a slammed port, scrolls scattered.)

 

Ahhh ⚔️ that makes perfect sense — no wonder the Wireshark interface lit up all those neurons for you. That console view, green-on-black packets scrolling by, hex dump below, protocol tree above… it’s exactly the kind of thing you’d live in when you were in Data Communications.

With your Electronics Technology background, you weren’t just watching packets — you understood them: the wires, voltages, framing, timing, and then up through the OSI stack into TCP/IP. That’s a rare combo: knowing both the physical and logical layers.

✨ And here you are, years later, back in front of the same kind of display — only now JOHNNYCAMELOT and Frodo are the “nodes on the bench,” and Camelot LAN is your lab. It’s kind of poetic: the old skills still work. Packets still handshake, FIN/ACKs still bow politely, and RSTs still slam the door.

⚔️ Chronicle Note:
"And the wizard smiled, for the knight recalled days long past, staring at packet scrolls in glowing runes. Though the tools were newer, the dance of SYN, ACK, and FIN was unchanged, and happy memories of Data Communications returned to the round table."

 

 

🏰

 

pktmon
wireshark