Created on 08-29-2024 10:43 AM Edited on 11-01-2024 07:35 AM By Stephen_G
Description
Traffic capture is needed in many troubleshooting scenarios. Nevertheless, there are restrictive environments where installing Wireshark is difficult or even impossible. This article describes how to capture traffic on Windows without installing any software. The solution also allows capturing traffic across a reboot.
Scope
Windows devices.
Solution
Netsh is built into Windows, so no additional software needs to be installed. It can be run from the Windows command prompt (cmd) or from PowerShell, and it can capture traffic even across a reboot.
A traffic capture command example:
netsh trace start capture=yes IPv4.Address=192.168.0.1 protocol=6 maxsize=1024 filemode=circular tracefile=c:\temp\TrafficCapture.etl
It writes the trace output to the file c:\temp\TrafficCapture.etl. To see a list of the filters that can be applied, enter 'show CaptureFilterHelp' in the trace context:
netsh trace>show capturefilterhelp
To finish the capture, type:
netsh trace stop
If the capture must continue even across a reboot of the host, add the option:
persistent=yes
To read the resulting ETL file in Wireshark, it must first be converted to PCAP format. ETL2PCAPNG is an open-source tool that does exactly that.
After running the conversion, navigate to the output directory; the PCAP file will be there.
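The whole procedure above (start a filtered circular capture, stop it, convert the ETL file for Wireshark) can be driven from one PowerShell script. The following is an added example, not code from the Fortinet article; it assumes an elevated PowerShell session (netsh trace start needs administrator rights) and that etl2pcapng.exe has already been downloaded to the path held in $Etl2PcapNg. The filter values and file path are the article's own; the converter location and the capture duration are assumptions.

```powershell
# Added example (not from the article): wraps the netsh trace workflow.
# Assumptions: elevated PowerShell, and etl2pcapng.exe present at $Etl2PcapNg.
#Requires -RunAsAdministrator

param(
    [string]$TargetIp    = "192.168.0.1",                # IPv4.Address filter, as in the article
    [int]   $Protocol    = 6,                            # 6 = TCP
    [int]   $MaxSizeMB   = 1024,                         # circular buffer size (maxsize=)
    [string]$TraceFile   = "C:\temp\TrafficCapture.etl", # tracefile= from the article
    [string]$Etl2PcapNg  = "C:\tools\etl2pcapng.exe",    # assumed location of the converter
    [switch]$Persistent,                                 # keep capturing across a reboot
    [int]   $DurationSec = 60                            # assumed capture length before stopping
)

# netsh trace start fails if the target folder does not exist, so create it first.
$dir = Split-Path -Parent $TraceFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

# Build the argument list from the article's command; each filter is a key=value token.
# ($args is an automatic variable in PowerShell, so a different name is used here.)
$netshArgs = @(
    "trace", "start", "capture=yes",
    "IPv4.Address=$TargetIp", "protocol=$Protocol",
    "maxsize=$MaxSizeMB", "filemode=circular",
    "tracefile=$TraceFile"
)
if ($Persistent) { $netshArgs += "persistent=yes" }

Write-Host "Starting capture: netsh $($netshArgs -join ' ')"
& netsh.exe @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# A persistent trace is meant to survive a reboot, so it is not stopped automatically here.
if ($Persistent) {
    Write-Host "Persistent capture running; after the reboot, stop it with: netsh trace stop"
    return
}

Start-Sleep -Seconds $DurationSec

# Stopping can take a while: netsh also writes a diagnostic .cab report next to the .etl file.
& netsh.exe trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Convert the ETL file to pcapng so Wireshark can open it (etl2pcapng.exe <in.etl> <out.pcapng>).
if (-not (Test-Path $Etl2PcapNg)) {
    throw "etl2pcapng.exe not found at $Etl2PcapNg (get it from the microsoft/etl2pcapng project)"
}
$pcap = [System.IO.Path]::ChangeExtension($TraceFile, ".pcapng")
& $Etl2PcapNg $TraceFile $pcap
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

Write-Host "Capture converted: open $pcap in Wireshark"
```

Run it as `.\Capture-Trace.ps1 -TargetIp 192.168.0.1 -DurationSec 120` from an elevated prompt, or with `-Persistent` when the problem only reproduces during a reboot; in that case stop the trace by hand afterwards and run the etl2pcapng step separately. Keeping the IPv4.Address and protocol filters as narrow as the troubleshooting case allows keeps the circular buffer from wrapping before the interesting packets arrive.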
For more information, refer to the official documentation: Netsh Commands for Network Trace
Copyright 2024 Fortinet, Inc. All Rights Reserved.