Capture packets with a standard Windows tool (by Paul Offord)
January 03, 2017
Wireshark is a great way to capture network packets, but it's not always practical to use it. In an enterprise environment, at the very least, we need to get a change approved to install the software. Often it is just not possible to get approval to install Wireshark onto a desktop or server. So packet capture isn't possible - or is it?
Windows includes a rarely-used command line tool that has many of the capabilities of Wireshark's dumpcap. It's there ready and waiting, on every Windows machine! Let's take a look at how we can use it.
Windows 2000 introduced a command line utility called netsh (network shell). As the name suggests, netsh is a shell environment that provides commands that address network issues. One of the commands it provides is netsh trace, a simple command line packet capture tool.
In the following video we take a look at using netsh trace, and at how we analyze the resulting trace file with Microsoft Message Analyzer and Wireshark.
netsh trace is available on all supported releases of Windows PC and Server editions. Running a trace requires elevated rights, but it can be initiated via a scheduled task, and it can be configured to run in a persistent mode that survives a reboot.
netsh trace includes capture filter functionality and options to control the file size. Use the command netsh trace start ? to view the options.
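The points above (elevation, capture filters, file size control, persistence and the scheduled-task route) as one concrete command sequence. This is an added example and not part of the original post: it assumes an elevated PowerShell session, and the trace path C:\Traces\capture.etl and host address 192.0.2.10 are placeholders you would replace.

```powershell
# Added example (not from the original post): start a filtered, size-capped,
# reboot-persistent netsh trace capture, verify it, and show the scheduled-task
# alternative. Placeholder values below are assumptions, not from the post.
$TraceFile   = 'C:\Traces\capture.etl'   # placeholder output path
$HostToWatch = '192.0.2.10'              # placeholder host (TEST-NET-1 range)

# Fail early if not elevated: netsh trace start refuses to run otherwise.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh trace requires an elevated prompt (or a scheduled task, see below).'
}
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# capture=yes        packet capture (default is ETW provider tracing only)
# maxSize/fileMode   cap the .etl at 200 MB and wrap around like a ring buffer
# persistent=yes     keep capturing across a reboot until 'netsh trace stop'
# report=disabled    skip the .cab diagnostics bundle; we only want the .etl
# Ethernet.Type/IPv4.Address/Protocol  capture filter: TCP to or from one host
netsh trace start capture=yes tracefile=$TraceFile maxSize=200 fileMode=circular `
    persistent=yes overwrite=yes report=disabled `
    Ethernet.Type=IPv4 IPv4.Address=$HostToWatch Protocol=TCP

# Confirm the session is actually running before walking away from it.
netsh trace show status

# Alternative start when no interactive elevated prompt is available: the same
# command registered as a one-shot scheduled task running as SYSTEM.
$arg     = "trace start capture=yes tracefile=$TraceFile maxSize=200 fileMode=circular " +
           "persistent=yes overwrite=yes report=disabled IPv4.Address=$HostToWatch"
$action  = New-ScheduledTaskAction -Execute 'netsh.exe' -Argument $arg
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)
$who     = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'NetshTraceStart' -Action $action -Trigger $trigger -Principal $who | Out-Null

# Reproduce the problem, then stop the trace; the .etl is finalised on stop and
# can be opened in Microsoft Message Analyzer (and from there taken to Wireshark).
# netsh trace stop
```

Use only one of the two start methods at a time; netsh trace runs a single system-wide session, so a second start fails until the first is stopped.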
Best regards...Paul
Paul is currently leading the TribeLab project to explore new ways to help IT support people troubleshoot performance and stability problems.