Hi,
Windows Event Tracing also supports capturing network traffic, which can then be read by Wireshark, Microsoft Network Monitor or Microsoft Message Analyzer.
To start a capture use the netsh command.
D:\> netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
The capture option means to capture network data.
Stop the trace:
D:\> netsh trace stop
Event tracing can also be used across reboots. Just set the persistent flag.
D:\> netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
To open the file in Wireshark you have to convert the etl file to the pcapng file format. Microsoft has written a converter (etl2pcapng) for this task. Download the latest version.
D:\> etl2pcapng.exe c:\trace.etl c:\trace.pcapng
IF: medium=eth ID=0 IfIndex=6
Converted 3235 frames
It is also possible to set some filters.
This is a filter to capture only IPv4 packets that include the IP address 10.200.200.3:
D:\> netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
For a deep dive into filtering see:
netsh trace show capturefilterhelp
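The whole procedure above (filtered start, stop, conversion) wrapped into one script, as an added example that is not part of the original post. It assumes an elevated PowerShell session, that etl2pcapng.exe is on the PATH (or its path is passed in), and that the file names and the filter address are placeholders you replace.

```powershell
# Added example: run a timed, IPv4-filtered netsh capture, stop it, and
# convert the ETL file to pcapng so Wireshark can open it.
# Assumptions: elevated PowerShell; etl2pcapng.exe on PATH; placeholder paths.
param(
    [string]$TraceFile  = 'C:\trace.etl',
    [string]$PcapFile   = 'C:\trace.pcapng',
    [string]$FilterIPv4 = '10.200.200.3',   # only keep frames with this address
    [int]$Seconds       = 60,               # how long to capture
    [int]$MaxSizeMB     = 16384,
    [string]$Etl2Pcapng = 'etl2pcapng.exe'
)

$ErrorActionPreference = 'Stop'

# netsh trace needs administrative rights; fail early with a clear message.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Start the capture with the same options the post uses plus the IPv4 filter.
$startArgs = @('trace', 'start', 'capture=yes', 'report=disabled',
               'Ethernet.Type=IPv4', "IPv4.Address=$FilterIPv4",
               "tracefile=$TraceFile", "maxsize=$MaxSizeMB")
& netsh @startArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    Write-Host "Capturing for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session, otherwise it keeps writing to the ETL file.
    & netsh trace stop | Out-Null
}

# Convert to pcapng; etl2pcapng prints the interface list and a frame count.
& $Etl2Pcapng $TraceFile $PcapFile
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed ($LASTEXITCODE)" }

Get-Item $PcapFile | Select-Object FullName, Length
```

Add persistent=yes to $startArgs if the capture has to survive a reboot, and stop it explicitly afterwards as shown in the post.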
Michael