I’ve been there before. I wanted to capture packets from someone’s Windows computer, and I couldn’t install Wireshark for a variety of reasons.
Then I go down the rabbit hole of options: SPAN, hub, TAP, etc. Each option has its own pros and cons that you need to determine on the fly for each scenario. Even the ‘portable’ version of Wireshark isn’t entirely portable, and you may run into challenges trying to run it.
After some research, and testing, I’ve decided to use Microsoft’s built in packet capture commands and no, I’m not referring to Network Monitor. This is a simple netsh command to start and stop a capture.
Most of the details are in the video, but here’s the summary of some common commands
To display which interfaces Windows can use and their identification:
netsh trace show interfaces
To capture 11 MB from your Wi-Fi interface
netsh trace start capture=yes CaptureInterface=”Wi-Fi” tracefile=f:\traces\trace.etl” maxsize=11
Check your capture status
netsh trace show status
To stop your capture
netsh trace stop
Capture 11 MB from your Wi-Fi interface to and from host 192.168.1.1
Netsh trace start capture=yes CaptureInterface="Wi-Fi " IPv4.Address=192.168.1.1 tracefile=D:\trace.etl" maxsize=11
After you have your packets captured scoot over to https://github.com/microsoft/etl2pcapng/releases and download etl2pcapng. Then unzip in any folder and you’re ready to convert those etl files to pcapng.
Hope that helps you and happy packet hunting.