I've been there before. I wanted to capture packets from someone's Windows computer, and I couldn't install Wireshark for a variety of reasons.
Then I go down the rabbit hole of options: SPAN, hub, TAP, etc. Each option has its own pros and cons that you need to weigh on the fly for each scenario. Even the "portable" version of Wireshark isn't entirely portable, and you may run into challenges trying to run it.
After some research and testing, I've decided to use Microsoft's built-in packet capture commands, and no, I'm not referring to Network Monitor. This is a simple netsh command to start and stop a capture.
Most of the details are in the video, but here's a summary of some common commands.
To display which interfaces Windows can use and their identification:
netsh trace show interfaces
To capture 11 MB from your Wi-Fi interface:
netsh trace start capture=yes CaptureInterface="Wi-Fi" tracefile="f:\traces\trace.etl" maxsize=11
Check your capture status:
netsh trace show status
To stop your capture:
netsh trace stop
Capture 11 MB from your Wi-Fi interface to and from host 192.168.1.1:
netsh trace start capture=yes CaptureInterface="Wi-Fi" IPv4.Address=192.168.1.1 tracefile="D:\trace.etl" maxsize=11
After you have your packets captured, scoot over to https://github.com/microsoft/etl2pcapng/releases and download etl2pcapng. Then unzip it in any folder and you're ready to convert those .etl files to pcapng.
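The whole workflow above (start a scoped netsh trace, check status, stop it, convert with etl2pcapng) wrapped in one PowerShell function, as an added example that is not from the original post. It assumes an elevated prompt (netsh trace needs Administrator) and that etl2pcapng.exe is on PATH or passed in via -Etl2PcapngPath; the function name and parameters are my own.

```powershell
# Added example (not from the original post): wraps the netsh trace workflow
# in a function and converts the .etl to .pcapng with etl2pcapng.
# Assumptions: elevated prompt; etl2pcapng.exe unzipped somewhere on PATH
# (or give its full path with -Etl2PcapngPath).
function Invoke-NetshCapture {
    param(
        [string]$Interface = "Wi-Fi",          # name from: netsh trace show interfaces
        [string]$HostFilter = $null,           # optional IPv4 host (IPv4.Address=) to scope the capture
        [int]$MaxSizeMB = 11,                  # maxsize= as in the post
        [int]$Seconds = 60,                    # how long to capture before stopping
        [string]$OutDir = "$env:TEMP\traces",
        [string]$Etl2PcapngPath = "etl2pcapng.exe"
    )
    # netsh trace refuses to start an ETW capture session without elevation; fail early.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "netsh trace needs an elevated (Administrator) prompt."
    }
    if (-not (Get-Command $Etl2PcapngPath -ErrorAction SilentlyContinue)) {
        throw "etl2pcapng not found at '$Etl2PcapngPath'; download it from the releases page."
    }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"     # unique name, so an old .etl is never clobbered
    $etl    = Join-Path $OutDir "trace-$stamp.etl"
    $pcapng = [IO.Path]::ChangeExtension($etl, ".pcapng")

    # Same command line the post shows; the host filter is added only when requested.
    $netshArgs = @("trace", "start", "capture=yes", "CaptureInterface=$Interface",
                   "tracefile=$etl", "maxsize=$MaxSizeMB")
    if ($HostFilter) { $netshArgs += "IPv4.Address=$HostFilter" }

    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }
    try {
        Start-Sleep -Seconds $Seconds
        netsh trace show status
    } finally {
        # Always stop, otherwise the capture session keeps running after the script exits.
        netsh trace stop | Out-Null
    }
    # etl2pcapng usage: etl2pcapng.exe <in.etl> <out.pcapng>
    & $Etl2PcapngPath $etl $pcapng
    if (-not (Test-Path $pcapng)) { throw "conversion produced no file at $pcapng" }
    return $pcapng   # open this in Wireshark on a machine where it is installed
}

# 30 seconds of traffic to/from 192.168.1.1 on Wi-Fi, capped at 11 MB.
Invoke-NetshCapture -Interface "Wi-Fi" -HostFilter "192.168.1.1" -Seconds 30
```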
Hope that helps you and happy packet hunting.