Windows: Capture a network trace with builtin tools (netsh)

Hi,

Windows Event Tracing (ETW) also supports capturing network traffic, and the resulting trace can be read by Wireshark, Microsoft Network Monitor or Microsoft Message Analyzer.

To start a capture, use the netsh command.

D:\> netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384

The capture=yes option tells netsh to record network packets, not only trace events.

Stop the trace:

D:\> netsh trace stop

Event tracing can also be used across reboots. Just set the persistent flag.

D:\> netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384

To open the file in Wireshark you have to convert the .etl file to the pcapng file format. Microsoft has written a converter for this task; download the latest version.

D:\> etl2pcapng.exe c:\trace.etl c:\trace.pcapng
IF: medium=eth  ID=0    IfIndex=6
Converted 3235 frames

It is also possible to set capture filters.
This filter captures only IPv4 packets that include the IP address 10.200.200.3:

D:\> netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384

For a deep dive into filtering see

netsh trace show capturefilterhelp
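The whole workflow above (start a filtered capture, stop it, convert with etl2pcapng, check the result) wrapped in one PowerShell function. This is an added example, not code from the original post or from Microsoft. It assumes netsh.exe is on the PATH, the session is elevated (netsh trace needs administrator rights), and etl2pcapng.exe is at the path passed in -Etl2PcapngPath (the default location below is a placeholder). The function name, parameter names and the pcapng magic check are mine, not part of the post.

```powershell
# Added example (not from the original post): wraps the netsh trace workflow
# described above. Assumes an elevated session, netsh.exe in PATH and
# etl2pcapng.exe at the (assumed) path given in -Etl2PcapngPath.
function Invoke-NetshCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $Seconds,            # how long to capture
        [string] $TraceFile      = 'C:\trace.etl',
        [string] $PcapngFile     = 'C:\trace.pcapng',
        [string] $Etl2PcapngPath = 'C:\Tools\etl2pcapng.exe', # placeholder location
        [int]    $MaxSizeMB      = 16384,                  # maxsize is given in MB
        [string] $HostFilter     = $null                   # e.g. 10.200.200.3
    )

    # Build the same argument list the post uses; the IPv4 filter is only
    # added when a host address is supplied. Do not name this $args, that is
    # an automatic variable in PowerShell.
    $netshArgs = @('trace', 'start', 'capture=yes', 'report=disabled',
                   "tracefile=$TraceFile", "maxsize=$MaxSizeMB")
    if ($HostFilter) {
        $netshArgs += 'Ethernet.Type=IPv4'
        $netshArgs += "IPv4.Address=$HostFilter"
    }

    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed with exit code $LASTEXITCODE"
    }

    try {
        # "netsh trace show status" can be run from another window meanwhile
        # to confirm that the session is really running.
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always stop the session, otherwise the ETL file keeps growing
        # (up to maxsize) until the next "netsh trace stop".
        & netsh.exe trace stop | Out-Null
    }

    # Convert ETL -> pcapng so Wireshark can open the capture.
    & $Etl2PcapngPath $TraceFile $PcapngFile
    if ($LASTEXITCODE -ne 0) {
        throw "etl2pcapng failed with exit code $LASTEXITCODE"
    }

    # Sanity check: every pcapng file starts with a Section Header Block whose
    # block type is 0x0A0D0D0A, i.e. the bytes 0A 0D 0D 0A in either byte order.
    # ReadAllBytes works in both Windows PowerShell 5.1 and PowerShell 7.
    $magic = [System.IO.File]::ReadAllBytes($PcapngFile)[0..3]
    if ([System.BitConverter]::ToString($magic) -ne '0A-0D-0D-0A') {
        throw "$PcapngFile does not look like a pcapng file"
    }
    Get-Item $PcapngFile
}

# Usage: 60-second capture of traffic to or from 10.200.200.3 (the address used in the post).
# Invoke-NetshCapture -Seconds 60 -HostFilter 10.200.200.3
```

The try/finally matters in practice: if you abort the script with Ctrl+C while it is sleeping, the trace session would otherwise stay active after the console is gone and keep writing to the ETL file; the finally block guarantees the matching netsh trace stop.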

Michael
