There are many challenges we face when I want to capture packets while troubleshooting.
- Installing a packet capture tool such as Microsoft’s Netmon or Wireshark, might be a deal breaker for some admins.
- Using a span or mirror port might not be available or add excessive latency to packets.
In most cases I would be happy with a solution that simply captures the packets and I can analyze the data on another system.
Many analysts I speak to are not aware that most Microsoft operating systems allow you to capture packets without installing anything on it. The command is netsh trace start etc…
In this video I show you how to get started by capturing data and making the trace compatible for Wireshark.