Starting with Windows 7 and Windows Server 2008 R2 it is possible to capture packets natively, without having to download something like Wireshark. It is not possible to read the traces on the box (without downloading something), but capturing the packets for off-system analysis can be useful. One word of caution: this native tool writes packets in Event Trace Log (ETL) format, not PCAP or PCAPNG, so you will need Microsoft Message Analyzer available either to analyze the packets or to convert the trace file to PCAP format. Also, I have not been able to get the ETL to PCAP conversion to work when the network device is wireless.
The following is a simple step-by-step procedure; see Using Netsh to Manage Traces for more details. Note that netsh trace must be run from an elevated (Administrator) prompt.
c:\>netsh trace start capture=yes traceFile="C:\tracefile"

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\tracefile
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

c:\>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\tracefile.cab".
File location = C:\tracefile
Tracing session was successfully stopped.

c:\>expand tracefile.cab -F:report.etl .
Microsoft (R) File Expansion Utility  Version 6.1.7600.16385
Copyright (c) Microsoft Corporation. All rights reserved.

Adding .\report.etl to Extraction Queue

Expanding Files ....

Expanding Files Complete ...
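The three steps above (start, stop, expand) wrapped in one PowerShell script, as an added example that is not part of the original post. It assumes an elevated session, a writable output folder (C:\Temp\nettrace is a placeholder), a fixed capture duration, and an optional capture filter; the `IPv4.Address=` / `Protocol=` filter syntax and the `maxSize`, `report`, `overwrite` and `traceFile` parameters are netsh trace's own, but the filter value used here is illustrative only.

```powershell
# Added example (not from the original page): timed netsh packet capture.
# Assumptions: run from an elevated prompt; $OutDir is writable; the filter,
# duration and folder names are placeholders chosen for this example.
param(
    [string]$OutDir    = "C:\Temp\nettrace",   # assumption: output folder
    [int]   $Seconds   = 60,                   # how long to capture
    [int]   $MaxSizeMB = 250,                  # netsh default, as shown above
    [string]$Filter    = ""                    # e.g. "IPv4.Address=10.0.0.5 Protocol=TCP" (illustrative)
)

$ErrorActionPreference = "Stop"

# netsh trace needs an elevated session; fail early rather than half-way through.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) prompt."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
$traceFile = Join-Path $OutDir "capture-$stamp.etl"

# Start the capture. capture=yes turns on packet capture; report=no skips the
# extra diagnostics report; overwrite=yes avoids a prompt if the file exists.
$startArgs = @("trace", "start", "capture=yes", "report=no", "overwrite=yes",
               "maxSize=$MaxSizeMB", "traceFile=$traceFile")
if ($Filter) { $startArgs += ($Filter -split ' ') }
& netsh @startArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    Write-Host "Capturing to $traceFile for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session: it keeps running (and growing) after the
    # script exits, and 'netsh trace stop' is the only way to end it.
    & netsh trace stop
}

# Some Windows versions (as on the page) bundle the .etl into a .cab on stop;
# pull it out with expand.exe if the .etl is not already sitting in $OutDir.
$cab = [IO.Path]::ChangeExtension($traceFile, ".cab")
if (-not (Test-Path $traceFile) -and (Test-Path $cab)) {
    & expand.exe $cab -F:*.etl $OutDir | Out-Null
}

# List what was produced so the files can be copied off for analysis.
Get-ChildItem $OutDir -Filter "capture-$stamp.*" |
    Select-Object Name, @{ n = "SizeMB"; e = { [math]::Round($_.Length / 1MB, 2) } }
Write-Host "Move the .etl to an analysis machine and convert it to PCAP before opening it in Wireshark."
```

The `try/finally` matters more than it looks: a trace session is not tied to the script's process, so a Ctrl-C without the `finally` leaves netsh capturing in the background until the circular buffer fills. Microsoft has since retired Message Analyzer; its open-source etl2pcapng tool (github.com/microsoft/etl2pcapng) does the ETL-to-pcapng conversion step described above.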