Do you need to capture some network traffic on a Windows box for further analysis, but don’t want to install additional software just… everywhere?
I usually do.
If you didn’t know, Windows has a built-in tool with which you can do just that – (among other things) capture a network trace to a file for further analysis. The tool is called netsh.
So, how do you capture traffic with netsh?
It’s fairly easy (for more options, filters and such, you can always check the accompanying help content – netsh trace start ?):
netsh trace start capture=yes tracefile=C:\MyTrace.etl maxsize=100MB
# Trace configuration:
# Status: Running
# Trace File: C:\MyTrace.etl
# Append: Off
# Circular: On
# Max Size: 100 MB
# Report: Off
# time... passes by... you're reproducing the issue...
netsh trace stop
# Merging traces ... done
# Generating data collection ... done
# The trace file and additional troubleshooting information have been compiled as "C:\MyTrace.cab".
# File location = C:\MyTrace.etl
# Tracing session was successfully stopped.
If you look at the location where you’ve saved your trace, you’ll see two files – MyTrace.etl and MyTrace.cab. MyTrace.etl is the one you want:
OK, but what do you do with it?
If you try to open it with, for example, Wireshark, you’ll see it doesn’t work:
So… we have a trace file with which we can’t really do anything?!?
If you have Microsoft Network Monitor (now archived, but can be found… on the Internet) or Microsoft Message Analyzer (now retired), you can open up and analyze your trace as you normally would:
If you already have Wireshark on, let’s say, your workstation, and want to continue using it for the analysis, this trace needs to be converted to a format which Wireshark understands (I hope that one day we’ll have a Wireshark which opens such .etl files natively).
You can convert it by using the free tool called etl2pcapng.
It doesn’t require installation, and if you want to use the pre-compiled binaries, they are available under etl2pcapng releases.
So, convert your (netsh) MyTrace.etl to (Wireshark’s) MyTrace.pcapng with this command:
etl2pcapng.exe C:\MyTrace.etl C:\MyTrace.pcapng
# IF: medium=eth ID=0 IfIndex=7
# IF: medium=eth ID=1 IfIndex=13
# IF: medium=eth ID=2 IfIndex=14
# Converted 859 frames
Once converted, you can open the new file (MyTrace.pcapng) in Wireshark, and do what you would usually do to analyze it:
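If you do this more than once, it is handy to have the whole start / reproduce / stop / convert sequence in a single PowerShell function. The script below is an added example, not something from the original post or from the etl2pcapng project; it assumes that etl2pcapng.exe is on the PATH (or that you point -Etl2PcapngPath at it) and that you run it from an elevated console, which netsh trace requires anyway. It also adds a couple of checks you want when the capture is kept as evidence: the trace is always stopped (even on Ctrl+C), the output files are verified to exist, and a SHA256 of the converted .pcapng is recorded.

```powershell
# Added example (not from the original post): wrap the netsh trace + etl2pcapng workflow.
# Assumptions (mine, not the post's): etl2pcapng.exe is on PATH or given via -Etl2PcapngPath,
# and the script runs in an elevated (Administrator) console, which netsh trace requires.
function Invoke-NetshCapture {
    [CmdletBinding()]
    param(
        [string]$TraceFile = 'C:\MyTrace.etl',
        [int]$DurationSeconds = 60,
        [int]$MaxSizeMB = 100,
        [string]$Etl2PcapngPath = 'etl2pcapng.exe'
    )

    # netsh trace needs an elevated session; fail early instead of getting a confusing error later.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) console.'
    }

    $pcapFile = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')

    # Same options as in the post (capture=yes, tracefile=, maxsize=), plus overwrite=yes so a
    # leftover trace file from an earlier run does not make netsh refuse to start.
    & netsh.exe trace start capture=yes "tracefile=$TraceFile" "maxsize=${MaxSizeMB}MB" overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)." }

    try {
        Write-Host "Capturing for $DurationSeconds seconds - reproduce the issue now..."
        Start-Sleep -Seconds $DurationSeconds
    }
    finally {
        # Always stop the trace, even if the script is interrupted with Ctrl+C,
        # otherwise the session keeps running and filling the (circular) trace file.
        & netsh.exe trace stop | Out-Null
    }

    if (-not (Test-Path $TraceFile)) { throw "Expected trace file $TraceFile was not created." }

    # Convert the ETL trace to pcapng so Wireshark can open it.
    & $Etl2PcapngPath $TraceFile $pcapFile
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $pcapFile)) {
        throw "etl2pcapng conversion failed (exit code $LASTEXITCODE)."
    }

    # Summarise what was produced; the hash is useful when the capture is kept as evidence.
    [pscustomobject]@{
        EtlFile      = $TraceFile
        EtlSizeKB    = [math]::Round((Get-Item $TraceFile).Length / 1KB)
        CabFile      = [IO.Path]::ChangeExtension($TraceFile, '.cab')
        PcapngFile   = $pcapFile
        PcapngSHA256 = (Get-FileHash -Algorithm SHA256 -Path $pcapFile).Hash
    }
}

# Usage (elevated console):
# Invoke-NetshCapture -TraceFile 'C:\MyTrace.etl' -DurationSeconds 120 -MaxSizeMB 100
```

The function returns an object rather than just printing, so you can pipe it to Export-Csv or ConvertTo-Json and keep the file names, sizes and hash next to the capture itself.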
Hope this helps!