
Step-by-Step Guide to Capturing Network Traces on Windows Using Netsh (No Install Required)

by info.odysseyx@gmail.com


Introduction:

I recently wrote a blog post detailing how to capture network traces from both the client and server via Wireshark. You can find it here.

How to capture simultaneous Wireshark traces on client and server for network troubleshooting (microphone…).

Now, one of the challenges the server support team faces is the need to install Wireshark on both the client and server machines. Since many servers host critical applications, installing a new tool during business hours is often undesirable, or requires special permission from the server administrator. So instead of installing new software, why not use a tool that is already included in Windows? This time, we will use the built-in Netsh utility.

About Netsh:

Netsh is a simple command-line tool that helps you view and change your computer’s network settings. You can use Netsh by typing commands at the Netsh command prompt, and you can also automate tasks by including these commands in scripts or batch files. Netsh works on both local and remote computers. One of the useful features of Netsh is that you can create scripts with multiple commands and run them all at once on a specific computer. You can also save these scripts to text files for later use or to apply the same settings to other computers.

Let’s capture the problem using netsh.

To collect a network trace using netsh, you basically follow these three steps:

  1. To start capturing, use the start command.
  2. Reproduce the problem.
  3. Stop the command, collect the events, and then compress them.

Start collecting traces:

  1. Open an administrative Command Prompt or administrative PowerShell console: open the Start menu, type Command or PowerShell, right-click Command Prompt or PowerShell in the search results, and select Run as administrator.
  2. To start network capture, run the following command:

netsh trace start scenario=netconnection,WFP-IPsec maxsize=1024 filemode=cyclic persistence=yes capture=yes report=yes tracefile=c:\Clientside.etl


If the tracefile parameter is not specified, the default location is %LOCALAPPDATA%\Temp\NetTraces\.


  3. After running the command, immediately try to reproduce the problem you are investigating, several times.
  4. Now that the problem has been reproduced and netsh has captured the data, it is time to tell it to stop and merge the events.
  5. Run the stop command:

netsh trace stop


This was done on the client machine, but if you want to troubleshoot by tracing the communication between the client and the IIS server (or any other host), run the same command on the server, changing only the file name to ServerSide.etl, so that the output from the client and the server can be told apart clearly.

If an additional file with the extension .cab is created, don't worry about it: it only contains the relevant diagnostic information collected because of report=yes, compressed into a CAB file.

This will generate a ClientSide.etl file that can be opened with a network analysis tool such as Netmon (Microsoft Network Monitor) to validate and analyze the capture for a comprehensive review and resolve the issue.

But what if you want to analyze it yourself using Wireshark? Wireshark does not read .etl files. You can use the open-source tool etl2pcapng from the official Microsoft GitHub repository to convert the .etl file to a pcap-format (pcapng) capture that Wireshark can read.
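The three netsh steps above (start, reproduce, stop) plus the optional etl2pcapng conversion, wrapped into one elevated PowerShell script. This is an added example, not code from the original post; the parameter names, the C:\NetTraces output folder and the path to etl2pcapng.exe are assumptions you should adjust.

```powershell
# Added example (not from the original post). Parameter names, the output folder
# and the etl2pcapng path below are assumptions, not values from the post.
[CmdletBinding()]
param(
    [ValidateSet('Client', 'Server')] [string]$Side = 'Client',   # picks ClientSide.etl / ServerSide.etl
    [string]$OutDir = 'C:\NetTraces',                             # assumed output folder
    [string]$Etl2PcapngPath = 'C:\Tools\etl2pcapng.exe'           # assumed location of the converter
)

# netsh trace requires an elevated session; fail early with a clear message instead of a cryptic netsh error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell console.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl = Join-Path $OutDir "${Side}Side.etl"   # ClientSide.etl on the client, ServerSide.etl on the server

# Step 1: start the capture with the same options the post uses.
# maxsize=1024 with filemode=cyclic caps the trace at 1 GB and overwrites the oldest data,
# so a long reproduction window cannot fill the system disk.
netsh trace start scenario=netconnection,WFP-IPsec maxsize=1024 filemode=cyclic persistence=yes capture=yes report=yes "tracefile=$etl"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

# Step 2: reproduce the problem while the trace is running.
Write-Host "Tracing to $etl. Reproduce the problem now (several times), then press Enter to stop."
[void](Read-Host)

# Step 3: stop the trace. netsh merges the buffered events into the .etl file
# (and builds the .cab report because report=yes); this can take a minute or two.
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }

# Optional: convert to pcapng for Wireshark when etl2pcapng is available on this machine.
if (Test-Path $Etl2PcapngPath) {
    $pcapng = [IO.Path]::ChangeExtension($etl, '.pcapng')
    & $Etl2PcapngPath $etl $pcapng
    if ($LASTEXITCODE -eq 0) { Write-Host "Wireshark-readable capture written to $pcapng" }
} else {
    Write-Host "etl2pcapng not found at $Etl2PcapngPath; open $etl in Netmon or convert it later."
}

# Show what was produced (.etl, and .cab when report=yes) so the files can be collected and compressed.
Get-ChildItem -Path $OutDir | Select-Object Name, Length, LastWriteTime
```

Run it once on the client (the default) and once on the server with -Side Server so the two captures keep the distinct file names the post recommends.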

Looking for more information about Netsh? See the official Microsoft documentation here.

Netsh Command Syntax, Context, and Format | Microsoft Learn
