A Native Windows tool to capture packets (no downloading necessary)

Starting with Windows 7 and Windows Server 2008 R2 it is possible to capture packets without having to download something like Wireshark. It is not possible to read the traces (without downloading something) but capturing the packets for off system analysis can be useful. One word of caution, this native tool captures packets in Event Trace Log (ETL) format, not PCAP or PCAPNG format; you will need to have the Message Analyzer tool available to either analyze the packets or convert the trace file to PCAP format. Also I have not been able to get the ETL to PCAP conversion to work when the network device is wireless.

The following is a simple step by step procedure, see Using Netsh to Manage Traces for more details.

1. Start a command prompt with administrator privileges
2. Start tracing

   c:\>netsh trace start capture=yes traceFile="C:\tracefile"
   
   Trace configuration:
   -------------------------------------------------------------------
   Status:             Running
   Trace File:         C:\tracefile
   Append:             Off
   Circular:           On
   Max Size:           250 MB
   Report:             Off
   

3. Run what ever client (or server) application is needed
4. Stop tracing

c:\>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
"C:\tracefile.cab".
File location = C:\tracefile
Tracing session was successfully stopped.

5. Extract out the report.etl file, note the dot at the end of the command line. This is an indication that the report.etl file should be written to the current directory.

   c:\>expand tracefile.cab -F:report.etl .
   Microsoft (R) File Expansion Utility  Version 6.1.7600.16385
   Copyright (c) Microsoft Corporation. All rights reserved.
   
   Adding .\report.etl to Extraction Queue
   
   Expanding Files ....
   
   Expanding Files Complete ...
   

6. Start Message Analyzer and load the report.etl file. This may take a few minutes.
7. Once the report.etl file has been loaded
   • Select File/Save As
   • and then select the export button which will bring up a save dialog box where you can specify the location and file name. The file suffix will be cap, and that is a standard PCAP file readable by Wireshark.
   Or
   • Or you can use Message Analyzer to look at the trace. You can find more details about Message Analyzer here.

This page was last modified on 15-04-05

Send comments and suggestions
to noah@noahdavids.org