{"id":7476,"date":"2021-02-22T22:23:24","date_gmt":"2021-02-22T21:23:24","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=7476"},"modified":"2021-02-23T13:06:01","modified_gmt":"2021-02-23T12:06:01","slug":"windows-capture-a-network-trace-with-builtin-tools-netsh","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-capture-a-network-trace-with-builtin-tools-netsh\/","title":{"rendered":"Windows: Capture a network trace with builtin tools (netsh)"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Windows Event Tracing also supports capturing network traffic, and the resulting trace can be read by Wireshark, Microsoft Network Monitor or the Microsoft Message Analyzer.<\/p>\n<p><!--more--><\/p>\n<p>To start a capture use the <strong>netsh<\/strong> command.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; netsh trace start capture=yes report=disabled tracefile=c:\\trace.etl maxsize=16384\r\n<\/pre>\n<p>The <strong>capture=yes<\/strong> option tells netsh to include network packets in the trace.<\/p>\n<p>Stop the trace:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; netsh trace stop\r\n<\/pre>\n<p>Event tracing can also continue across a reboot. Just set the <strong>persistent<\/strong> flag.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\\trace.etl maxsize=16384\r\n<\/pre>\n<p>To open the file in Wireshark you have to convert the etl file to the pcapng file format. Microsoft has written a <a href=\"https:\/\/github.com\/microsoft\/etl2pcapng\/\" rel=\"noopener\" target=\"_blank\">converter<\/a> for this task. <a href=\"https:\/\/github.com\/microsoft\/etl2pcapng\/releases\" rel=\"noopener\" target=\"_blank\">Download<\/a> the latest version. 
<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; etl2pcapng.exe c:\\trace.etl c:\\trace.pcapng\r\nIF: medium=eth  ID=0    IfIndex=6\r\nConverted 3235 frames\r\n<\/pre>\n<p>It is also possible to set capture filters.<br \/>\nThis filter captures only IPv4 packets that involve the IP address 10.200.200.3:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\\trace.etl maxsize=16384\r\n<\/pre>\n<p>For a deep dive into filtering see<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nnetsh trace show capturefilterhelp\r\n<\/pre>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, Windows Event Tracing also supports capturing network traffic, which can be read by Wireshark, Microsoft Network Monitor or the Microsoft Message Analyzer.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,5],"tags":[1535,696,1539,1538,213,1285,1534,20,1537,1536],"class_list":["post-7476","post","type-post","status-publish","format-standard","hentry","category-windows","category-windowsknowhow","tag-builtin","tag-capture","tag-convert-etf-to-cap","tag-convert-etl-to-cap","tag-network","tag-tools","tag-trace","tag-windows-2","tag-wireshark","tag-without-installing-wireshark"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info
\/blog\/wp-json\/wp\/v2\/comments?post=7476"}],"version-history":[{"count":11,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7476\/revisions"}],"predecessor-version":[{"id":7487,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7476\/revisions\/7487"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=7476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=7476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=7476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}