Netsh Packet Captures

December 14, 2017
Concurrency

A common troubleshooting step is collecting a packet capture to see what's happening at the network level. Perhaps you're trying to track down a port blocked by a firewall or a connection that just isn't working right. For this, many people would install Wireshark, Microsoft Network Monitor (netmon), or Microsoft Message Analyzer. However, Server 2008 R2 and newer include the ability to collect packet captures using the native netsh tool without any additional installations. With many environments under strict change control, this is a quick and easy way to get what you need. Here, we'll cover the process for collecting and analyzing a packet capture with netsh.

Prerequisites

- Server 2008 R2 or newer on the server
- Administrator access on the server
- Microsoft Message Analyzer installed on your client machine to analyze the file

Netsh outputs an ETL file that can only be analyzed by Microsoft Message Analyzer. You can use Message Analyzer to convert the ETL to a .cap file for use in Wireshark if desired.
Run a Trace

To run a trace, open CMD as administrator and run the following command:

    netsh trace start capture=yes report=no maxSize=512 traceFile=c:\temp\trace-output.etl

Explanation of options:

- netsh trace start – base command to start the trace
- capture=yes – specifies that we want to capture packets
- report=no – specifies that we do not need an auto-generated HTML report
- maxSize=512 – sets the maximum trace file size to 512 MB
- traceFile=c:\temp\trace-output.etl – specifies the file path you want to save the output to

Besides these, there are some optional settings available:

- ipv4.address=x.x.x.x – limits the capture to a specific IP address (source or destination)
- persistent=yes – makes the trace persist across reboots (by default a trace stops when the server is rebooted)
- scenario=<scenario> – netsh has a handful of built-in scenarios that automatically filter for specific types of traffic. Use the netsh trace show scenarios command to see what's available.

(Screenshot: Starting and stopping a netsh trace session)

To stop the trace, run:

    netsh trace stop

This does not have to be run in the same CMD window, as the trace session is not tied to the CMD session.

Analyze the Trace

To analyze the resulting ETL file, follow these steps:

1. Copy the file to your workstation that has Microsoft Message Analyzer installed.
2. Open Microsoft Message Analyzer.
3. On the start page, click the Open button, find the ETL file you copied, and open it.
4. To export the results to a .cap file that you can open with Wireshark (or another .cap viewer), click File > Save As > Export, and then choose where to save the .cap file.
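The start/stop procedure above can be wrapped so that the trace is always stopped, even if the reproduction step fails. The following PowerShell script is an added example and is not part of the original post or a Microsoft tool; it uses only the netsh options described above. The parameter names ($TraceFile, $MaxSizeMB, $FilterAddress, $DurationSeconds) are this script's own assumptions, not netsh options. Run it from an elevated PowerShell prompt on the server being traced.

```powershell
# Added example (not from the original post): start a netsh trace, leave it
# running while the problem is reproduced, then stop it and confirm the ETL
# file was written. Assumes Windows Server 2008 R2 or newer and an elevated
# (administrator) PowerShell session.
param(
    [string]$TraceFile = 'C:\temp\trace-output.etl',   # traceFile= value
    [int]$MaxSizeMB = 512,                             # maxSize= value (MB)
    [string]$FilterAddress = '',                       # optional ipv4.address= filter, e.g. '10.0.0.5' (constructed sample)
    [int]$DurationSeconds = 60                         # how long to capture before stopping
)

# Make sure the output directory exists before netsh tries to write there.
$outDir = Split-Path -Parent $TraceFile
if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Build the argument list exactly as on the command line in the post.
$netshArgs = @(
    'trace', 'start',
    'capture=yes',
    'report=no',
    "maxSize=$MaxSizeMB",
    "traceFile=$TraceFile"
)
if ($FilterAddress) {
    # Narrow the capture to one host (source or destination) to keep the file small.
    $netshArgs += "ipv4.address=$FilterAddress"
}

Write-Host "Starting trace: netsh $($netshArgs -join ' ')"
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed with exit code $LASTEXITCODE"
}

try {
    # Reproduce the problem while the trace is running. Here we simply wait;
    # replace the sleep with the connection test you are troubleshooting.
    Write-Host "Capturing for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the session. It is not tied to this shell, so an unstopped
    # trace would keep running (and growing to maxSize) after the script exits.
    Write-Host 'Stopping trace...'
    & netsh trace stop
}

# Confirm the ETL file exists and report its size before copying it to the
# workstation that has Message Analyzer installed.
if (Test-Path $TraceFile) {
    $sizeMB = (Get-Item $TraceFile).Length / 1MB
    Write-Host ('Trace written to {0} ({1:N1} MB)' -f $TraceFile, $sizeMB)
}
else {
    Write-Warning "Expected trace file $TraceFile was not created."
}
```

The try/finally block is the important part: netsh trace sessions outlive the console that started them, so a script that errors out between start and stop leaves a capture running until someone runs netsh trace stop by hand. Note also that the ETL contains full packet payloads for everything the server sent and received during the window, so treat the output file with the same care as any other file containing production traffic and remove it once the analysis is done.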
To analyze the results directly in Message Analyzer, use these tips:

- Select Layout > Network > Network Monitor to show networking-related columns.
- Enter the filter "*Port == 80" (including the asterisk) to find all messages with a source or destination port of 80.
- Enter the filter "ipv4.Address == 1.1.1.1" to find all messages with a source or destination IP address of 1.1.1.1.

There are many different view and filtering options available. The Field Chooser on the right will help you sort through them.

(Screenshot: Analyzing the trace output file in Microsoft Message Analyzer)

For more information about Netsh Packet Captures, see the official documentation.