[Networking] Capture a network trace using NETSH

Since Windows Server 2008 and Windows Vista, it is possible to capture a network trace using the NETSH.EXE command.

Here’s how to do it:

  • Open a command prompt window in elevated mode (aka run as administrator)
  • Start the network trace using: netsh trace start capture=yes
  • Stop the network capture using: netsh trace stop

By default, the trace is generated in %temp%\NetTraces and the file is named NetTrace.etl

In the same folder you’ll find a file called NetTrace.cab. To open this file, just rename the .cab file to .zip and decompress it. Inside you’ll find machine-related configuration such as installed apps, IP configuration, OS version and so on.

In order to generate the ETL trace in a different folder, you can use: netsh trace start capture=yes tracefile=c:\logs\nettrace.etl
The two files (etl and cab) will then be written to that location.

You can also generate an ETL trace from the machine’s start, even before the user logs on, using the persistent parameter, like: netsh trace start persistent=yes capture=yes tracefile=c:\logs\nettrace-boot.etl
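The steps above, wrapped into a time-boxed PowerShell capture (an added example, not from the original post): it checks for an elevated session, caps the trace file size so a forgotten capture cannot fill the disk, always stops the trace, verifies both output files, and unpacks the .cab with the built-in expand.exe instead of the rename-to-.zip trick. The C:\logs path, the 256 MB cap and the 30-second duration are illustrative assumptions.

```powershell
# Added example: time-boxed netsh trace capture to a chosen folder.
# Assumed: Windows with netsh trace available, PowerShell 5 or later;
# $TraceDir, the 256 MB cap and $Seconds are illustrative values.
param(
    [string]$TraceDir = 'C:\logs',
    [int]$Seconds = 30
)

# netsh trace needs an elevated session, as the post notes.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Run as administrator) PowerShell.' }

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
$etl = Join-Path $TraceDir 'nettrace.etl'

# maxSize caps the trace file in MB; overwrite=yes lets a rerun replace an earlier file.
netsh trace start capture=yes tracefile="$etl" maxSize=256 overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, even when the script is interrupted; stop also writes the .cab.
    netsh trace stop
}

# Both files land beside each other, as described in the post.
$cab = [IO.Path]::ChangeExtension($etl, '.cab')
foreach ($f in $etl, $cab) {
    if (-not (Test-Path $f)) { throw "Expected output missing: $f" }
}

# expand.exe is the built-in CAB extractor; the destination folder must already exist.
$unpacked = Join-Path $TraceDir 'nettrace-cab'
New-Item -ItemType Directory -Path $unpacked -Force | Out-Null
expand.exe "$cab" -F:* "$unpacked" | Out-Null

# List the machine-configuration files collected alongside the trace.
Get-ChildItem $unpacked -Recurse -File |
    Select-Object Name, Length |
    Format-Table -AutoSize
```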

Now, how can we use the ETL traces within a network analyzer tool like Wireshark?

For this you will first have to convert the ETL file to a CAP or PCAP file using this [tool].

Then you can open the resulting cap file in Wireshark and analyze it.

Enjoy!