
Using NETSH to Capture Packets

Outages. Aside from the massive pressure of having to restore service, they can be pretty useful for learning new things. One recent discovery that was news to me is that you can use netsh to capture network traces.

It appears that on modern-ish operating systems (Windows 7/Windows Server 2008 R2 and above) you no longer need to install your favorite packet tracing application to capture packets. Who doesn’t like to cuddle up with a nice packet trace, eh? Obviously if you’re on a desktop OS, you should just load the packet capturing utility of your choice (and it had better be Network Monitor if you intend to open the .ETL trace), unless you like to read it in some other way. That would mean your skillz are simply amazing and you are wasting your time here!

RUNNING A TRACE

The most basic way to start and stop a trace is by performing the following commands from an elevated (administrator) prompt:

netsh trace start capture=yes

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\me\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

netsh trace stop

As you can see, netsh displays the trace configuration as well. It’s not the full configuration of defaults though.

KNOWING THE DEFAULTS

Pulling the help file (netsh trace start help) will provide the list of defaults that apply if you run the command as indicated above. I have them listed here for reference.

capture=no (specifies whether packet capture is enabled in addition to trace events)
report=no (specifies whether a complementing report will be generated along with the trace file)
persistent=no (specifies whether the tracing session continues across reboots, and is on until netsh trace stop is issued)
maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
fileMode=circular
overwrite=yes (specifies whether an existing trace output file will be overwritten)
correlation=yes (specifies whether related events will be correlated and grouped together)
traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (specifies location of the output file)

Compare this against the output above: only the trace file, circular file mode, max size and report settings are echoed when the trace starts. The rest (capture, persistent, overwrite, correlation) are not shown, so if you care about them, state them explicitly on the command line rather than trusting what the banner prints.
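To tie the two sections above together, here is an added PowerShell wrapper (not code from the original post) that starts and stops a netsh trace with every default spelled out, checks for elevation first, and confirms the .etl landed where expected. It goes slightly beyond the post by adding an optional IPv4.Address capture filter and a persistent switch, both of which are documented netsh trace parameters. The output path C:\Traces\NetTrace.etl and the sample address 192.0.2.10 are illustrative choices, not values from the post.

```powershell
# Added example; not code from the original post. Wraps "netsh trace start/stop" so that
# the defaults netsh does not echo are stated explicitly and the run is checked.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.
# The path C:\Traces\NetTrace.etl and the IPv4 filter value are illustrative assumptions.

function Start-NetshCapture {
    param(
        [string]$TraceFile   = 'C:\Traces\NetTrace.etl',  # assumed path; netsh default is %LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
        [int]$MaxSizeMB      = 250,                       # netsh default (0 = no maximum)
        [switch]$Persistent,                              # keep tracing across a reboot until 'netsh trace stop'
        [string]$IPv4Address                              # optional capture filter: only frames to/from this host
    )

    # netsh trace will not start from a non-elevated prompt, so fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'netsh trace must be run from an elevated (administrator) prompt.'
    }

    New-Item -ItemType Directory -Path (Split-Path -Parent $TraceFile) -Force | Out-Null

    # State every default explicitly; the "Trace configuration" banner only shows a subset of them.
    $netshArgs = @(
        'trace', 'start',
        'capture=yes',                       # packets, not just ETW trace events
        'report=no',
        "persistent=$(if ($Persistent) { 'yes' } else { 'no' })",
        'overwrite=yes',
        'correlation=yes',
        'fileMode=circular',
        "maxSize=$MaxSizeMB",
        "traceFile=$TraceFile"
    )
    if ($IPv4Address) { $netshArgs += "IPv4.Address=$IPv4Address" }

    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)." }
}

function Stop-NetshCapture {
    param([string]$TraceFile = 'C:\Traces\NetTrace.etl')

    & netsh trace stop   # finalising the .etl can take a while on a busy host
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)." }

    if (-not (Test-Path -LiteralPath $TraceFile)) { throw "Expected trace file not found: $TraceFile" }
    Get-Item -LiteralPath $TraceFile | Select-Object FullName, Length, LastWriteTime
}

# Usage: capture 60 seconds of traffic to and from one host, then stop and report the file.
Start-NetshCapture -IPv4Address '192.0.2.10'    # documentation-range example address
netsh trace show status                           # confirm the session is running
Start-Sleep -Seconds 60                           # reproduce the problem here
Stop-NetshCapture
```

Splatting the argument array into netsh keeps each name=value pair as a separate argument, so a trace path containing spaces is quoted correctly without hand-building a command string.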

VIEWING THE RESULTS

Message Analyzer. You can open the file in Message Analyzer quite simply. (It’s also a brilliant tool.) By simply, I mean, just open the file once you have it running. This is my favorite way. (Note that Microsoft has since retired Message Analyzer and no longer offers it for download.)

Network Monitor. You can expect the same results in Network Monitor but will need to do one additional step. Even without doing it, you’ll be able to read the frame details. The frame summary won’t make much sense though.
  1. Go to Tools | Options | Parser Profiles.
  2. Choose Windows and select Set As Active.

Wireshark. You are pretty much on your own. There are ways [2] to convert .ETL to .CAP or whatever if you really need to stick that much to your guns.
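Before handing the .etl to any of the viewers above, it is worth confirming the trace actually contains packets. Here is an added PowerShell check (not code from the original post) that reads the .etl with Get-WinEvent and counts events per ETW provider. It assumes the trace path used earlier; the provider name it looks for, Microsoft-Windows-NDIS-PacketCapture, is my assumption for where capture=yes writes frames, so if the packet count comes back 0, compare against the provider list it prints.

```powershell
# Added example; not code from the original post. Summarises an .etl produced by
# "netsh trace start capture=yes" so you know the capture recorded packets before
# opening it in Message Analyzer or Network Monitor.
# Assumptions: the trace path below, and that packet frames are logged under the
# Microsoft-Windows-NDIS-PacketCapture provider (verify against the provider list).

function Get-NetTraceSummary {
    param(
        [string]$TraceFile      = 'C:\Traces\NetTrace.etl',
        [string]$PacketProvider = 'Microsoft-Windows-NDIS-PacketCapture'   # assumed provider name
    )

    if (-not (Test-Path -LiteralPath $TraceFile)) { throw "Trace file not found: $TraceFile" }

    # .etl files can only be read front to back, so -Oldest is mandatory for Get-WinEvent here.
    # Everything is loaded into memory: fine for the 250 MB default, slow for very large traces.
    $events = @(Get-WinEvent -Path $TraceFile -Oldest -ErrorAction Stop)

    $byProvider = $events |
        Group-Object -Property ProviderName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name

    $packetEvents = @($events | Where-Object { $_.ProviderName -eq $PacketProvider }).Count

    $first = $null
    $last  = $null
    if ($events.Count -gt 0) {
        $first = $events[0].TimeCreated
        $last  = $events[-1].TimeCreated
    }

    [pscustomobject]@{
        File         = $TraceFile
        TotalEvents  = $events.Count
        PacketEvents = $packetEvents
        FirstEvent   = $first
        LastEvent    = $last
        Providers    = $byProvider
    }
}

# Usage:
$summary = Get-NetTraceSummary
$summary | Format-List File, TotalEvents, PacketEvents, FirstEvent, LastEvent
$summary.Providers | Format-Table -AutoSize
if ($summary.PacketEvents -eq 0) { Write-Warning 'No packet events found; was capture=yes set?' }
```

The first and last timestamps also tell you whether a circular trace wrapped and overwrote the start of your capture window, which is the usual reason a 250 MB default trace is missing the event you were chasing.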


REFERENCES

http://technet.microsoft.com/en-us/library/jj129382.aspx#bkmk_TraceUsingTrace
http://blogs.msdn.com/b/canberrapfe/archive/2012/03/31/capture-a-network-trace-without-installing-anything-works-for-shutdown-and-restart-too.aspx
[2] http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx
