Archive
Posts Tagged ‘WinRm’
Comparing RPC, WMI and WinRM for remote server management with PowerShell V2
2010/06/03
Leave a comment
1. Overview
In a recent blog post, I was looking at PowerShell V2 remoting in Windows Server 2008 R2.
If you haven’t seen it, take a look at http://blogs.technet.com/josebda/archive/2010/03/31/experimenting-with-powershell-v2-remoting.aspx.
In that post, I mentioned three different ways to gather information about services on a remove server (throughout this post, I use this task as an example of what I administrator would run remotely):
· Using Get-Service with the –ComputerName parameter (RPC)
· Using Get-WMIObject with a –ComputerName parameter (WMI)
· Using Invoke-Command to execute Get-Service remotely (WinRM)
In this post, I spent more time looking deeper at some the most significant differences between them.
2. Commands and Outputs
For starters, here are the three versions of a sample command to query a remote server and the output they produce: the first using Get-Service, the second using Get-WMIObject and the third using Invoke-Command.
From an IT Administrator perspective, the Get-Service form is short and to the point. It is a good example of how PowerShell makes things simple to manage.
The Invoke-Command is not so bad either, with the advantage that IT Administrators don’t have to restrict themselves to cmdlets that have the –ComputerName option.
The Get-WMIObject seems a bit scary for someone without a developer background. You also lose some of the discoverability advantages of PowerShell (you can’t press TAB to complete your query, for instance).
On the other hand, for developers familiar with Win32 APIs and WMI classes, the option to use Get-WMIObject seems very attractive.
Get-Service LanManServer -ComputerName josebda-s0
Status Name DisplayName
------ ---- -----------
Running LanManServer Server
Get-WMIObject -ComputerName josebda-s0 -query “Select * from Win32_Service Where Name=’LanManServer ‘” | ft
ExitCode Name ProcessId StartMode State Status
-------- ---- --------- --------- ----- ------
0 LanmanServer 868 Auto Running OK
Invoke-Command josebda-s0 {Get-Service LanManServer}
Status Name DisplayName PSComputerName
------ ---- ----------- --------------
Running LanManServer Server josebda-s0
3. Properties and Methods
While the three options look similar, the objects returned are different. The first is of type “System.ServiceProcess.ServiceController”, the second returns the type “System.Management.ManagementObject#root\cimv2\Win32_Service” and last one is of type “Deserialized.System.ServiceProcess.ServiceController”. Take a look below at the details on each different type below, obtained using Get-Member. Note that the deserialized version has no methods to perform actions on the service, like stop or start.
Get-Service LanManServer -ComputerName josebda-s0 | Get-Member
TypeName: System.ServiceProcess.ServiceController
Name MemberType Definition
---- ---------- ----------
Name AliasProperty Name = ServiceName
RequiredServices AliasProperty RequiredServices = ServicesDependedOn
Disposed Event System.EventHandler Disposed(System.Object, System.EventArgs)
Close Method System.Void Close()
Continue Method System.Void Continue()
CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Dispose Method System.Void Dispose()
Equals Method bool Equals(System.Object obj)
ExecuteCommand Method System.Void ExecuteCommand(int command)
GetHashCode Method int GetHashCode()
GetLifetimeService Method System.Object GetLifetimeService()
GetType Method type GetType()
InitializeLifetimeService Method System.Object InitializeLifetimeService()
Pause Method System.Void Pause()
Refresh Method System.Void Refresh()
Start Method System.Void Start(), System.Void Start(string[] args)
Stop Method System.Void Stop()
ToString Method string ToString()
WaitForStatus Method System.Void WaitForStatus(System.ServiceProcess.ServiceControllerStatus desi...
CanPauseAndContinue Property System.Boolean CanPauseAndContinue {get;}
CanShutdown Property System.Boolean CanShutdown {get;}
CanStop Property System.Boolean CanStop {get;}
Container Property System.ComponentModel.IContainer Container {get;}
DependentServices Property System.ServiceProcess.ServiceController[] DependentServices {get;}
DisplayName Property System.String DisplayName {get;set;}
MachineName Property System.String MachineName {get;set;}
ServiceHandle Property System.Runtime.InteropServices.SafeHandle ServiceHandle {get;}
ServiceName Property System.String ServiceName {get;set;}
ServicesDependedOn Property System.ServiceProcess.ServiceController[] ServicesDependedOn {get;}
ServiceType Property System.ServiceProcess.ServiceType ServiceType {get;}
Site Property System.ComponentModel.ISite Site {get;set;}
Status Property System.ServiceProcess.ServiceControllerStatus Status {get;}
Get-WMIObject -computername josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" | Get-Member
TypeName: System.Management.ManagementObject#root\cimv2\Win32_Service
Name MemberType Definition
---- ---------- ----------
Change Method System.Management.ManagementBaseObject Change(System.String DisplayName, System...
ChangeStartMode Method System.Management.ManagementBaseObject ChangeStartMode(System.String StartMode)
Delete Method System.Management.ManagementBaseObject Delete()
GetSecurityDescriptor Method System.Management.ManagementBaseObject GetSecurityDescriptor()
InterrogateService Method System.Management.ManagementBaseObject InterrogateService()
PauseService Method System.Management.ManagementBaseObject PauseService()
ResumeService Method System.Management.ManagementBaseObject ResumeService()
SetSecurityDescriptor Method System.Management.ManagementBaseObject SetSecurityDescriptor(System.Management....
StartService Method System.Management.ManagementBaseObject StartService()
StopService Method System.Management.ManagementBaseObject StopService()
UserControlService Method System.Management.ManagementBaseObject UserControlService(System.Byte ControlCode)
AcceptPause Property System.Boolean AcceptPause {get;set;}
AcceptStop Property System.Boolean AcceptStop {get;set;}
Caption Property System.String Caption {get;set;}
CheckPoint Property System.UInt32 CheckPoint {get;set;}
CreationClassName Property System.String CreationClassName {get;set;}
Description Property System.String Description {get;set;}
DesktopInteract Property System.Boolean DesktopInteract {get;set;}
DisplayName Property System.String DisplayName {get;set;}
ErrorControl Property System.String ErrorControl {get;set;}
ExitCode Property System.UInt32 ExitCode {get;set;}
InstallDate Property System.String InstallDate {get;set;}
Name Property System.String Name {get;set;}
PathName Property System.String PathName {get;set;}
ProcessId Property System.UInt32 ProcessId {get;set;}
ServiceSpecificExitCode Property System.UInt32 ServiceSpecificExitCode {get;set;}
ServiceType Property System.String ServiceType {get;set;}
Started Property System.Boolean Started {get;set;}
StartMode Property System.String StartMode {get;set;}
StartName Property System.String StartName {get;set;}
State Property System.String State {get;set;}
Status Property System.String Status {get;set;}
SystemCreationClassName Property System.String SystemCreationClassName {get;set;}
SystemName Property System.String SystemName {get;set;}
TagId Property System.UInt32 TagId {get;set;}
WaitHint Property System.UInt32 WaitHint {get;set;}
__CLASS Property System.String __CLASS {get;set;}
__DERIVATION Property System.String[] __DERIVATION {get;set;}
__DYNASTY Property System.String __DYNASTY {get;set;}
__GENUS Property System.Int32 __GENUS {get;set;}
__NAMESPACE Property System.String __NAMESPACE {get;set;}
__PATH Property System.String __PATH {get;set;}
__PROPERTY_COUNT Property System.Int32 __PROPERTY_COUNT {get;set;}
__RELPATH Property System.String __RELPATH {get;set;}
__SERVER Property System.String __SERVER {get;set;}
__SUPERCLASS Property System.String __SUPERCLASS {get;set;}
PSConfiguration PropertySet PSConfiguration {DesktopInteract, ErrorControl, Name, PathName, ServiceType, St...
PSStatus PropertySet PSStatus {Name, Status, ExitCode}
ConvertFromDateTime ScriptMethod System.Object ConvertFromDateTime();
ConvertToDateTime ScriptMethod System.Object ConvertToDateTime();
Invoke-Command josebda-s0 {Get-Service LanManServer} | Get-Member
TypeName: Deserialized.System.ServiceProcess.ServiceController
Name MemberType Definition
---- ---------- ----------
ToString Method string ToString(), string ToString(string format, System.IFormatProvider formatProv...
Name NoteProperty System.String Name=LanManServer
PSComputerName NoteProperty System.String PSComputerName=josebda-s0
PSShowComputerName NoteProperty System.Boolean PSShowComputerName=True
RequiredServices NoteProperty Deserialized.System.ServiceProcess.ServiceController[] RequiredServices=System.Serv...
RunspaceId NoteProperty System.Guid RunspaceId=b7769bc0-4283-4465-bffd-94be34c9e32f
CanPauseAndContinue Property System.Boolean {get;set;}
CanShutdown Property System.Boolean {get;set;}
CanStop Property System.Boolean {get;set;}
Container Property {get;set;}
DependentServices Property Deserialized.System.ServiceProcess.ServiceController[] {get;set;}
DisplayName Property System.String {get;set;}
MachineName Property System.String {get;set;}
ServiceHandle Property System.String {get;set;}
ServiceName Property System.String {get;set;}
ServicesDependedOn Property Deserialized.System.ServiceProcess.ServiceController[] {get;set;}
ServiceType Property System.String {get;set;}
Site Property {get;set;}
Status Property System.String {get;set;}
4. Measurements
Beyond this basic difference in functionality, these three options perform at completely different levels.
To look into how this translates in term of performance, I used the Measure-Command commandlet.
I ran the commands a few times first, in order to warm both local and remote stacks and avoid issues related to DNS lookups, authentication, etc. The samples below were taken after that.
Keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measuruments in your own test environment to validate them.
Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 4
Ticks : 44539
TotalDays : 5.15497685185185E-08
TotalHours : 1.23719444444444E-06
TotalMinutes : 7.42316666666667E-05
TotalSeconds : 0.0044539
TotalMilliseconds : 4.4539
(Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}).TotalMilliseconds
3.8388
Measure-command {Get-WMIObject -ComputerName josebda-s0 -query “Select * from Win32_Service Where Name=’LanManServer'” }
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 148
Ticks : 1484424
TotalDays : 1.71808333333333E-06
TotalHours : 4.1234E-05
TotalMinutes : 0.00247404
TotalSeconds : 0.1484424
TotalMilliseconds : 148.4424
(Measure-command {Get-WMIObject -ComputerName josebda-s0 -query “Select * from Win32_Service Where Name=’LanManServer'” }).TotalMilliseconds
134.4495
Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 869
Ticks : 8695210
TotalDays : 1.0063900462963E-05
TotalHours : 0.000241533611111111
TotalMinutes : 0.0144920166666667
TotalSeconds : 0.869521
TotalMilliseconds : 869.521
(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds
764.3609
As you can see, Invoke-Command takes much longer than the other two. However, there is a way to improve the performance of Invoke-Command by first creating a session and re-using that session in later commands. Here’s how:
$s = New-PSSession josebda-s0
$s
Id Name ComputerName State ConfigurationName Availability
-- ---- ------------ ----- ----------------- ------------
1 Session1 josebda-s0 Opened Microsoft.PowerShell Available
Invoke-Command -Session $s {Get-Service LanManServer}
Status Name DisplayName PSComputerName
------ ---- ----------- --------------
Running LanManServer Server josebda-s0
With that change, Invoke-Command is much faster than before in subsequent calls.
Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 14
Ticks : 140436
TotalDays : 1.62541666666667E-07
TotalHours : 3.901E-06
TotalMinutes : 0.00023406
TotalSeconds : 0.0140436
TotalMilliseconds : 14.0436
(Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }).TotalMilliseconds
15.5385
5. Summarizing Measurements
As you can see, the different options perform very differently. The fastest and slowest are actually orders of magnitude apart.
Because there could be slight variations in the performance depending on what else is running on the administrator’s computer, I used a loop to execute each one 20 times.
Here are the commands I used:
1..20 | % {(measure-command {Get-Service LanManServer -ComputerName josebda-s0}).TotalMilliseconds}
1..20 | % {(Measure-command {Get-WMIObject -ComputerName josebda-s0 -query “Select * from Win32_Service Where Name=’LanManServer'” }).TotalMilliseconds}
1..20 | % {(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds}
1..20 | % {(Measure-Command {Invoke-Command $s {Get-Service LanManServer}}).TotalMilliseconds}
I then pasted the output into Excel and added some formulas to produce the table below.
As you can see, in average, Get-Service was over 250 times faster than Invoke-Command with servername.
While those 20 commands take less than a tenth of second for Get-Service, it took over 18 seconds to execute the 20 commands for Invoke-Command with Servername.
Invoke-Command with –session separates the heavy lifting of creating a session out of the picture runs all the 20 commands in a quarter of a second.
Get-WMIObject took a little over 3 seconds to execute all 20 commands.
Again, keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measurements in your own test environment to validate them.
Sample
|
Get-Service
with -CN
|
Get-WMIObject
with -CN
|
Invoke-Command
with servername
|
Invoke-Command
with -session
|
1
|
3.7918
|
137.8325
|
1,527.9476
|
13.4520
|
2
|
3.6134
|
133.7955
|
768.2190
|
16.7934
|
3
|
3.9385
|
137.8329
|
766.1347
|
11.9233
|
4
|
3.5771
|
134.3533
|
1,311.7297
|
11.1179
|
5
|
3.5146
|
137.0647
|
732.0722
|
11.1046
|
6
|
3.5014
|
133.0551
|
798.1055
|
10.8660
|
7
|
3.5647
|
136.2507
|
794.4809
|
11.0375
|
8
|
3.5082
|
137.9484
|
799.5016
|
11.7835
|
9
|
3.4958
|
137.7649
|
1,073.0879
|
10.7582
|
10
|
3.5377
|
133.9375
|
1,117.2072
|
14.1638
|
11
|
3.5129
|
137.4364
|
758.8444
|
11.3480
|
12
|
3.5223
|
139.8877
|
767.3930
|
10.8035
|
13
|
3.5441
|
137.3063
|
1,566.7211
|
20.2465
|
14
|
3.5172
|
135.2789
|
760.4142
|
13.1813
|
15
|
3.5163
|
404.5968
|
765.0392
|
11.0910
|
16
|
3.5189
|
143.2326
|
1,071.0292
|
10.9340
|
17
|
3.6113
|
138.0981
|
755.0543
|
10.7193
|
18
|
3.5168
|
137.9030
|
781.3987
|
11.3788
|
19
|
3.6763
|
135.3268
|
778.1373
|
12.0371
|
20
|
4.0022
|
136.6921
|
760.6862
|
10.9780
|
Average
|
3.5991
|
150.2797
|
922.6602
|
12.2859
|
Total
|
71.9815
|
3,005.5942
|
18,453.2039
|
245.7177
|
6. Network Monitor
Next, I went one level deeper by using Network Monitor 3.3 to actually watch the packets on the wire.
As usual, I ran the commands a few times before the capture, to warm both stacks and avoid capturing things like DNS lookups, authentication, etc.
I also filtered the packets to show only the ones where the source or destination address match the remote server where the commands execute.
As expected, the Get-Service version uses RPC. It efficiently sent a dozen IP packets back and forth (in the specific case of the sample command used).
Both the Get-WMIObject and Invoke-Command with servername versions took around a hundred packets to get the job done and both did a lot of serialization of objects.
By looking at the number of TCP continuation packets and their PaylodLen field, you can clearly see how the Invoke-Command uses the highest number of very large packets.
The Invoke-Command with –Session was very efficient (taking into consideration that it also does serialization) at around 20 packets.
Command = Get-Service LanManServer -ComputerName josebda-s0
| # | Conversation ID | Source | Dest | Protocol | Description |
| 1 | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == “Server” OR Destination == “Server” | |||
| 2 | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 2 | |||
| 3 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0xF Opnum=0xF Context=0x0 Hint=0x30 |
| 4 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0xF Context=0x0 Hint=0x18 Cancels=0x0 |
| 5 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0x10 Opnum=0x15 Context=0x0 Hint=0x40 |
| 6 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0x10 Context=0x0 Hint=0x18 Cancels=0x0 |
| 7 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0x11 Opnum=0x14 Context=0x0 Hint=0x40 |
| 8 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0x11 Context=0x0 Hint=0x24 Cancels=0x0 |
| 9 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0x12 Opnum=0x10 Context=0x0 Hint=0x40 |
| 10 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0x12 Context=0x0 Hint=0x18 Cancels=0x0 |
| 11 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0x13 Opnum=0x6 Context=0x0 Hint=0x14 |
| 12 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0x13 Context=0x0 Hint=0x20 Cancels=0x0 |
| 13 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Request: unknown Call=0x14 Opnum=0x0 Context=0x0 Hint=0x14 |
| 14 | {MSRPC:33, TCP:32, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Response: unknown Call=0x14 Context=0x0 Hint=0x18 Cancels=0x0 |
Command = Get-WMIObject -ComputerName josebda-s0 -query “Select * from Win32_Service Where Name=’LanManServer'”
| # | Conversation ID | Source | Dest | Protocol | Description |
| 1 | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == “Server” OR Destination == “Server” | |||
| 2 | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 2 | |||
| 3 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=……S., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018716, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 4 | {TCP:62, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A..S., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068760, Ack=2227018717, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 5 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018717, Ack=1052068761, Win=259 (scale factor 0x8) = 66304 |
| 6 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Bind: UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM) Call=0x14 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 |
| 7 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227020132 – 2227021547, Ack=1052068761, Win=259 (scale factor 0x8) = 66304 |
| 8 | {TCP:62, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227021547, Win=259 (scale factor 0x8) = 66304 |
| 9 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227021547 – 2227022962, Ack=1052068761, Win=259 (scale factor 0x8) = 66304 |
| 10 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227022962 – 2227024377, Ack=1052068761, Win=259 (scale factor 0x8) = 66304 |
| 11 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…AP…, SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1028, Seq=2227024377 – 2227025405, Ack=1052068761, Win=259 (scale factor 0x8) = 66304 |
| 12 | {TCP:62, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227025405, Win=259 (scale factor 0x8) = 66304 |
| 13 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Bind Ack: Call=0x14 Assoc Grp=0x4839 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 14 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM) Call=0x14 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 15 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0x14 Assoc Grp=0x4839 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 16 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:RemoteCreateInstance Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 17 | {MSRPC:63, TCP:62, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:RemoteCreateInstance Response, ORPCFLOCAL – Local call to this computer |
| 18 | {TCP:62, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #17]Flags=…AP…, SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=97, Seq=1052070542 – 1052070639, Ack=2227026441, Win=255 (scale factor 0x8) = 65280 |
| 19 | {TCP:62, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227026441, Ack=1052070639, Win=259 (scale factor 0x8) = 66304 |
| 20 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=……S., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414295, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 21 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A..S., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206270, Ack=2176414296, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 22 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414296, Ack=3916206271, Win=259 (scale factor 0x8) = 66304 |
| 23 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Bind: UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM) Call=0xA5 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 |
| 24 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #23]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176415711 – 2176417126, Ack=3916206271, Win=259 (scale factor 0x8) = 66304 |
| 25 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176417126, Win=259 (scale factor 0x8) = 66304 |
| 26 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #23]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176417126 – 2176418541, Ack=3916206271, Win=259 (scale factor 0x8) = 66304 |
| 27 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #23]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176418541 – 2176419956, Ack=3916206271, Win=259 (scale factor 0x8) = 66304 |
| 28 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #23]Flags=…AP…, SrcPort=62630, DstPort=49155, PayloadLen=1071, Seq=2176419956 – 2176421027, Ack=3916206271, Win=259 (scale factor 0x8) = 66304 |
| 29 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176421027, Win=259 (scale factor 0x8) = 66304 |
| 30 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Bind Ack: Call=0xA5 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 31 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM) Call=0xA5 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 32 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xA5 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering. |
| 33 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 34 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 35 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} IWbemLoginClientID(WMIRP) Call=0xA6 |
| 36 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #35]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176422817 – 2176424232, Ack=3916206801, Win=257 (scale factor 0x8) = 65792 |
| 37 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #35]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176424232 – 2176425647, Ack=3916206801, Win=257 (scale factor 0x8) = 65792 |
| 38 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #35]Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176425647 – 2176427062, Ack=3916206801, Win=257 (scale factor 0x8) = 65792 |
| 39 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #35]Flags=…AP…, SrcPort=62630, DstPort=49155, PayloadLen=983, Seq=2176427062 – 2176428045, Ack=3916206801, Win=257 (scale factor 0x8) = 65792 |
| 40 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176424232, Win=259 (scale factor 0x8) = 66304 |
| 41 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176428045, Win=259 (scale factor 0x8) = 66304 |
| 42 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xA6 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 43 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} IWbemLoginClientID(WMIRP) Call=0xA6 |
| 44 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xA6 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 45 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemLoginClientID: SetClientInfo, Request |
| 46 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemLoginClientID: SetClientInfo, Response, Status: WBEM_S_NO_ERROR |
| 47 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{F309AD18-D86A-11D0-A075-00C04FB68820} IWbemLevel1Login(WMIRP) Call=0xA7 |
| 48 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xA7 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 49 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemLevel1Login: EstablishPosition, Request |
| 50 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemLevel1Login: EstablishPosition, Response, Status: WBEM_S_NO_ERROR |
| 51 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemLevel1Login: NTLMLogin, Request |
| 52 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemLevel1Login: NTLMLogin, Response, Status: WBEM_S_NO_ERROR |
| 53 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 54 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL – No additional information in this packet |
| 55 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 56 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 57 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 58 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 59 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{9556DC99-828C-11CF-A37E-00AA003240C7} IWbemServices(WMIRP) Call=0xAC |
| 60 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xAC Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 61 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemServices: ExecQuery, Request |
| 62 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemServices: ExecQuery, Response, Status: WBEM_S_NO_ERROR |
| 63 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 64 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 65 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 66 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 67 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 68 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 69 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{1C1C45EE-4395-11D2-B60B-00104B703EFD} IWbemFetchSmartEnum(WMIRP) Call=0xB0 |
| 70 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xB0 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 71 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemFetchSmartEnum: GetSmartEnum, Request, No parameters |
| 72 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemFetchSmartEnum: GetSmartEnum, Response, Status: WBEM_S_NO_ERROR |
| 73 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{027947E1-D731-11CE-A357-000000000001} IEnumWbemClassObject(WMIRP) Call=0xB1 |
| 74 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xB1 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 75 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IEnumWbemClassObject: Clone, Request, No parameters |
| 76 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IEnumWbemClassObject: Clone, Response, Status: WBEM_S_NO_ERROR |
| 77 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 78 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 79 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 80 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 81 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 82 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL – No additional information in this packet |
| 83 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemFetchSmartEnum: GetSmartEnum, Request, No parameters |
| 84 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemFetchSmartEnum: GetSmartEnum, Response, Status: WBEM_S_NO_ERROR |
| 85 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IEnumWbemClassObject: Reset, Request, No parameters |
| 86 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IEnumWbemClassObject: Reset, Response, Status: WBEM_S_NO_ERROR |
| 87 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | MSRPC | MSRPC:c/o Alter Cont: UUID{423EC01E-2E35-11D2-B604-00104B703EFD} IWbemWCOSmartEnum(WMIRP) Call=0xB7 |
| 88 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0xB7 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 |
| 89 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemWCOSmartEnum: Next, Request |
| 90 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemWCOSmartEnum: Next, Response, Status: Unknown Return Value, *Un-Interpreted* |
| 91 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #90]Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916212478 – 3916213893, Ack=2176431384, Win=258 (scale factor 0x8) = 66048 |
| 92 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916213893, Win=259 (scale factor 0x8) = 66304 |
| 93 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #90]Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916213893 – 3916215308, Ack=2176431384, Win=258 (scale factor 0x8) = 66048 |
| 94 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #90]Flags=…A…., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916215308 – 3916216723, Ack=2176431384, Win=258 (scale factor 0x8) = 66048 |
| 95 | {TCP:64, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916216723, Win=259 (scale factor 0x8) = 66304 |
| 96 | {TCP:64, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #90]Flags=…AP…, SrcPort=49155, DstPort=62630, PayloadLen=876, Seq=3916216723 – 3916217599, Ack=2176431384, Win=258 (scale factor 0x8) = 66048 |
| 97 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | WMI | WMI:IWbemWCOSmartEnum: Next, Request |
| 98 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | WMI | WMI:IWbemWCOSmartEnum: Next, Response, Status: WBEM_S_FALSE |
| 99 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 100 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL – No additional information in this packet |
| 101 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Admin | Server | DCOM | DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283} |
| 102 | {MSRPC:65, TCP:64, ESP:58, IPv6:57} | Server | Admin | DCOM | DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL – No additional information in this packet |
Command = Invoke-Command josebda-s0 {Get-Service LanManServer}
| # | Conversation ID | Source | Dest | Protocol | Description |
| 1 | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == “Server” OR Destination == “Server” | |||
| 2 | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 2 | |||
| 3 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=……S., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192850, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 4 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A..S., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429644, Ack=2616192851, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 5 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192851, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 6 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 7 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616194266 – 2616195681, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 8 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616195681, Win=259 (scale factor 0x8) = 66304 |
| 9 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616195681 – 2616197096, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 10 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616197096 – 2616198511, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 11 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616198511 – 2616199926, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 12 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616199926 – 2616201341, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 13 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616199926, Win=259 (scale factor 0x8) = 66304 |
| 14 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=…AP…, SrcPort=62655, DstPort=5985, PayloadLen=362, Seq=2616201341 – 2616201703, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 15 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616201703, Win=259 (scale factor 0x8) = 66304 |
| 16 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 17 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 18 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 19 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616203381 – 2616204796, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 20 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616204796 – 2616206211, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 21 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616206211 – 2616207626, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 22 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616207626 – 2616209041, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 23 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…AP…, SrcPort=62655, DstPort=5985, PayloadLen=810, Seq=2616209041 – 2616209851, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 24 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616203381, Win=259 (scale factor 0x8) = 66304 |
| 25 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616207626, Win=259 (scale factor 0x8) = 66304 |
| 26 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616209851, Win=259 (scale factor 0x8) = 66304 |
| 27 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 28 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #27]Flags=…AP…, SrcPort=5985, DstPort=62655, PayloadLen=189, Seq=2351431401 – 2351431590, Ack=2616209851, Win=259 (scale factor 0x8) = 66304 |
| 29 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616209851, Ack=2351431590, Win=259 (scale factor 0x8) = 66304 |
| 30 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 31 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 32 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #31]Flags=…AP…, SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616211529 – 2616211825, Ack=2351431590, Win=259 (scale factor 0x8) = 66304 |
| 33 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351431590, Ack=2616211825, Win=259 (scale factor 0x8) = 66304 |
| 34 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 35 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #34]Flags=…AP…, SrcPort=5985, DstPort=62655, PayloadLen=1074, Seq=2351433005 – 2351434079, Ack=2616211825, Win=259 (scale factor 0x8) = 66304 |
| 36 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616211825, Ack=2351434079, Win=259 (scale factor 0x8) = 66304 |
| 37 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 38 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 39 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #38]Flags=…AP…, SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616213503 – 2616213799, Ack=2351434079, Win=259 (scale factor 0x8) = 66304 |
| 40 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351434079, Ack=2616213799, Win=259 (scale factor 0x8) = 66304 |
| 41 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 42 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #41]Flags=…AP…, SrcPort=5985, DstPort=62655, PayloadLen=46, Seq=2351435494 – 2351435540, Ack=2616213799, Win=259 (scale factor 0x8) = 66304 |
| 43 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616213799, Ack=2351435540, Win=259 (scale factor 0x8) = 66304 |
| 44 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 45 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 46 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #45]Flags=…AP…, SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616215477 – 2616215773, Ack=2351435540, Win=259 (scale factor 0x8) = 66304 |
| 47 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351435540, Ack=2616215773, Win=259 (scale factor 0x8) = 66304 |
| 48 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=……S., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142219, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 49 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A..S., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935512, Ack=2945142220, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 50 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142220, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 51 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 52 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945143635 – 2945145050, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 53 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945145050, Win=259 (scale factor 0x8) = 66304 |
| 54 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945145050 – 2945146465, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 55 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945146465 – 2945147880, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 56 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945147880 – 2945149295, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 57 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945149295 – 2945150710, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 58 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945149295, Win=259 (scale factor 0x8) = 66304 |
| 59 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=…AP…, SrcPort=62656, DstPort=5985, PayloadLen=362, Seq=2945150710 – 2945151072, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 60 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945151072, Win=259 (scale factor 0x8) = 66304 |
| 61 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 62 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 63 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 64 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #63]Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945152750 – 2945154165, Ack=935854, Win=258 (scale factor 0x8) = 66048 |
| 65 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #63]Flags=…AP…, SrcPort=62656, DstPort=5985, PayloadLen=1243, Seq=2945154165 – 2945155408, Ack=935854, Win=258 (scale factor 0x8) = 66048 |
| 66 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945152750, Win=259 (scale factor 0x8) = 66304 |
| 67 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945155408, Win=259 (scale factor 0x8) = 66304 |
| 68 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 69 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 70 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 71 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #70]Flags=…AP…, SrcPort=62656, DstPort=5985, PayloadLen=345, Seq=2945157086 – 2945157431, Ack=937228, Win=259 (scale factor 0x8) = 66304 |
| 72 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=937228, Ack=2945157431, Win=259 (scale factor 0x8) = 66304 |
| 73 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 74 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #73]Flags=…AP…, SrcPort=5985, DstPort=62656, PayloadLen=1266, Seq=938643 – 939909, Ack=2945157431, Win=259 (scale factor 0x8) = 66304 |
| 75 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945157431, Ack=939909, Win=259 (scale factor 0x8) = 66304 |
| 76 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 77 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 78 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #77]Flags=…AP…, SrcPort=62656, DstPort=5985, PayloadLen=373, Seq=2945159109 – 2945159482, Ack=939909, Win=259 (scale factor 0x8) = 66304 |
| 79 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=939909, Ack=2945159482, Win=259 (scale factor 0x8) = 66304 |
| 80 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A.R.., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616215773, Ack=2351435540, Win=0 (scale factor 0x8) = 0 |
| 81 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=……S., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474629, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 82 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A..S., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738651, Ack=1691474630, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 83 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474630, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 84 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 85 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691476045 – 1691477460, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 86 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691477460, Win=259 (scale factor 0x8) = 66304 |
| 87 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691477460 – 1691478875, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 88 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691478875 – 1691480290, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 89 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691480290 – 1691481705, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 90 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…A…., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691481705 – 1691483120, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 91 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691481705, Win=259 (scale factor 0x8) = 66304 |
| 92 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=…AP…, SrcPort=62657, DstPort=5985, PayloadLen=362, Seq=1691483120 – 1691483482, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 93 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691483482, Win=259 (scale factor 0x8) = 66304 |
| 94 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 95 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 96 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 97 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #96]Flags=…AP…, SrcPort=62657, DstPort=5985, PayloadLen=129, Seq=1691485160 – 1691485289, Ack=717738993, Win=258 (scale factor 0x8) = 66048 |
| 98 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738993, Ack=1691485289, Win=259 (scale factor 0x8) = 66304 |
| 99 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 100 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #99]Flags=…AP…, SrcPort=5985, DstPort=62656, PayloadLen=409, Seq=941324 – 941733, Ack=2945159482, Win=259 (scale factor 0x8) = 66304 |
| 101 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=259 (scale factor 0x8) = 66304 |
| 102 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 103 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A.R.., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691485289, Ack=717740121, Win=0 (scale factor 0x8) = 0 |
| 104 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=…A.R.., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=0 (scale factor 0x8) = 0 |
Command = Invoke-Command –Session $s {Get-Service LanManServer}
| # | Conversation ID | Source | Dest | Protocol | Description |
| 1 | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == “Server” OR Destination == “Server” | |||
| 2 | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 1 | |||
| 3 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 4 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 5 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #4]Flags=…A…., SrcPort=49783, DstPort=5985, PayloadLen=1415, Seq=2205380353 – 2205381768, Ack=1454111481, Win=259 |
| 6 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #4]Flags=…AP…, SrcPort=49783, DstPort=5985, PayloadLen=1243, Seq=2205381768 – 2205383011, Ack=1454111481, Win=259 |
| 7 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Segment Lost]Flags=…A…., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205380353, Win=259 |
| 8 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205383011, Win=259 |
| 9 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 10 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 11 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 12 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #11]Flags=…AP…, SrcPort=49783, DstPort=5985, PayloadLen=345, Seq=2205384689 – 2205385034, Ack=1454112855, Win=254 |
| 13 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454112855, Ack=2205385034, Win=259 |
| 14 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 15 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Continuation to #14]Flags=…AP…, SrcPort=5985, DstPort=49783, PayloadLen=1266, Seq=1454114270 – 1454115536, Ack=2205385034, Win=259 |
| 16 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205385034, Ack=1454115536, Win=259 |
| 17 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 18 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 19 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=…AP…, SrcPort=49783, DstPort=5985, PayloadLen=373, Seq=2205386712 – 2205387085, Ack=1454115536, Win=259 |
| 20 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=…A…., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454115536, Ack=2205387085, Win=259 |
| 21 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 22 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Continuation to #21]Flags=…AP…, SrcPort=5985, DstPort=49783, PayloadLen=409, Seq=1454116951 – 1454117360, Ack=2205387085, Win=259 |
| 23 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:Flags=…A…., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205387085, Ack=1454117360, Win=259 |
7. Conclusion
While the multiple ways to gather information about services on a remote computer look similar at the surface, they are radically different underneath.
This is by no means an exhausting study of all the different details about each option, but I believe there is enough to cover the main differences.
At first, Invoke-Command seems like an ideal choice for Administrators, since you can run any PowerShell commandlet remotely and leverage Web Services over HTTP (a common choice for modern solutions).
That’s until you look at the performance issue and the lack of methods on the resulting deserialized objects.
If are an IT Administrator executing just a few commands every once in a while, those issues might not be much of a difference.
If you intend to run a lot of commands against the same server with Invoke-Command, using the –Session option will save quite some time, but then things get a bit more complicated.
Get-WMIObject provides a lot of functionality, due to the large number of WMI providers available and it’s always remotable.
Performance is better than Invoke-Command for single commands per server and the resulting objects do have methods you can call.
You do have to get familiar with the WMI classes and learn how to write queries. This is not a big deal for developers, but this can turn off IT Administrators.
If the specific action you are trying to accomplish can be performed remotely with an RPC-based cmdlet like Get-Service, that’s probably your best choice.
If you are using doing something in a loop inside another loop for a large set of servers, the performance issue might make the other options less attractive.
The main issue here is that not all cmdlets support the –ComputerName option and you’re likely to need to combine this with the other options.
Here’s a summary of the main points:
| Attribute | RPC | WMI | WinRM | WinRM (w/session) |
| Ease of use by IT Administrator | + + | – – | + | – |
| Ease of use by Developer | + + | + | + + | ++ |
| Returns objects with methods | + | + | – | – |
| Uses web services over HTTP protocol | – | – | + | + |
| Many available commandlets/providers | – | + | + + | + + |
| Performance for a single command | + + | ++ | ++ | ++ |
| Performance for a thousand commands | + + | – | – – | + |
I hope this has post has help you understand your choices so you can select the best option for your specific case.
Categories: Knowledge
powershell, RPC, WinRm, WMI
SuperBlackBook 