As I told you in the previous episode, there is more to this than just capturing traffic without installing any software. Much more, actually. There is a .cab file which contains many files: 33 to be accurate (at least in my case). The files contain a heck of a lot of information about the computer's networking configuration as well as logs. Let's take a look at those files:
1) adapterinfo.txt: contains info about your NICs’ drivers:
How can this be useful? Easily: say you see that the driver for a physical NIC was issued 5 years ago. Why not upgrade it first? Either way, this gives you a starting point for troubleshooting.
2) dns.txt: this one contains the output of the ipconfig /displaydns command, which gives us the content of the DNS client cache
3) envinfo.txt: all you want and even more about the wireless network. Drivers with supported authentication and cipher options, interfaces and their state, hosted networks, WLAN settings, profiles and more and more…
4) filesharing.txt: nbtstat -n, nbtstat -c, net config rdr, net config srv, net share
5) gpresult.txt: no comments
6) neighbors.txt: arp -a, netsh interface ipv6 show neighbors (yeah, calling netsh from netsh… inception… ;) )
7) netiostate.txt: in my case there were Teredo settings
8) osinfo.txt: at first it looks like systeminfo output, but actually it is somewhat different, yet can prove useful.
9) Report.etl: trace log file. I haven't taken a look at it yet. It can probably be useful for deep troubleshooting
10) wcninfo.txt: wireless computer network information. Services status, files information and again interfaces info, ipconfig, and more…
11) wfpfilters.xml: I haven't yet undertaken a close investigation of the file, but it seems the file contains firewall rules in XML format
12) windowsfirewallconfig.txt: config for the firewall. Is it turned on, global settings and all that stuff
13) several other files, which contain various event logs related to networking, registry keys dumps and other info
14) Report.html: an .html file which contains links to the files above
Well, that's it. Actually, while troubleshooting some incidents I was forced to request some info several times, just because I didn't know what exactly I was going to need and I didn't want to frustrate users with many commands or by sending them a .bat file. Now I can give them only two commands and voilà! I love it, really. IMHO this ability is just awesome even without taking a network traffic capture, so I strongly advise you to remember it!
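As an added example (not part of the original post), here is a PowerShell wrapper that runs the two-step collection without a packet capture, then unpacks the resulting .cab and previews the text files listed above, so the whole set is in hand after a single round trip to the user. The working folder and the assumption that netsh names the .cab after the tracefile are mine, and the session has to be run from an elevated prompt.

```powershell
# Added example: collect the netsh trace report without a packet capture,
# then unpack the resulting .cab and index the files it contains.
# Assumptions: C:\NetDiag is writable, the prompt is elevated, and netsh
# names the .cab after the tracefile (net.etl -> net.cab).
$Dir   = 'C:\NetDiag'
$Trace = Join-Path $Dir 'net.etl'
$Cab   = Join-Path $Dir 'net.cab'
$Out   = Join-Path $Dir 'report'
New-Item -ItemType Directory -Force -Path $Dir, $Out | Out-Null

# Step 1: start the diagnostic session. capture=no skips the packet trace,
# report=yes still builds the .cab described in the post.
netsh trace start capture=no report=yes tracefile="$Trace"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

# Reproduce the symptom here, then stop; the report is assembled on stop,
# which can take a minute or two.
Read-Host 'Reproduce the problem, then press Enter to stop the trace'
netsh trace stop
if (-not (Test-Path $Cab)) { throw "expected report cab not found: $Cab" }

# Step 2: unpack the cab (expand.exe ships with Windows) and list the files.
expand.exe -F:* "$Cab" "$Out" | Out-Null
$Files = Get-ChildItem -Path $Out -File -Recurse
"{0} files extracted to {1}" -f $Files.Count, $Out
$Files | Sort-Object Name | Select-Object Name, Length

# Step 3: quick triage of the text files named in the post. Each one that is
# present gets a short preview so the key settings are visible at a glance.
foreach ($name in 'windowsfirewallconfig.txt', 'adapterinfo.txt', 'dns.txt') {
    $f = $Files | Where-Object Name -eq $name | Select-Object -First 1
    if ($f) {
        "`n==== $name ===="
        Get-Content -Path $f.FullName -TotalCount 20
    }
}
```

The extracted folder also contains Report.html, which links to every file, so it can be opened in a browser once the script has finished.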