Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Capturing Packets Natively in Microsoft Windows

work-731198_640.jpg

Windows packet trace
(Source: Pixabay)

 

I’ve been there before. I wanted to capture packets from someone’s Windows computer, and I couldn’t install Wireshark for a variety of reasons.

Then I go down the rabbit hole of options: SPAN, hub, TAP, etc. Each option has its own pros and cons that you need to determine on the fly for each scenario. Even the ‘portable’ version of Wireshark isn’t entirely portable, and you may run into challenges trying to run it.

After some research, and testing, I’ve decided to use Microsoft’s built in packet capture commands and no, I’m not referring to Network Monitor. This is a simple netsh command to start and stop a capture.

Most of the details are in the video, but here’s the summary of some common commands

To display which interfaces Windows can use and their identification:

netsh trace show interfaces

To capture 11 MB from your Wi-Fi interface

netsh trace start capture=yes CaptureInterface=”Wi-Fi” tracefile=f:\traces\trace.etl” maxsize=11

Check your capture status

netsh trace show status

To stop your capture

netsh trace stop

Capture 11 MB from your Wi-Fi interface to and from host 192.168.1.1

Netsh trace start capture=yes CaptureInterface="Wi-Fi " IPv4.Address=192.168.1.1  tracefile=D:\trace.etl" maxsize=11

After you have your packets captured scoot over to https://github.com/microsoft/etl2pcapng/releases and download etl2pcapng. Then unzip in any folder and you’re ready to convert those etl files to pcapng.

Hope that helps you and happy packet hunting.

Recommended Reading: