Create Packet-Capture with Windows netsh

Start Trace

Run this from an elevated (Administrator) command prompt; netsh trace refuses to start otherwise. maxsize is in MB (the default is 250), filemode=circular overwrites the oldest data once the file is full, and report=disabled skips the .cab report bundle, which makes netsh trace stop much faster.

netsh trace start capture=yes tracefile=c:\temp\testtrace.etl maxsize=8192 filemode=circular report=disabled

Examples (several filters on one command line are combined with AND):

Capture only one IP address:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=192.168.1.10 report=disabled

Capture multiple IP addresses (comma-separated list in parentheses):
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=(192.168.1.10,192.168.1.11) report=disabled

Capture only TCP traffic:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl Protocol=TCP report=disabled

Capture everything except one IP address (the ! negates the filter):
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=!(192.168.1.10) report=disabled

Capture across reboots (the trace keeps running after a restart until you stop it explicitly):
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl report=disabled persistent=yes

Stop Trace

Stopping flushes the trace to disk; if the report was not disabled, this also generates a .cab next to the .etl and can take several minutes.

netsh trace stop

Convert the .etl file to .pcapng for Wireshark analysis

Wireshark cannot open .etl files directly. Download etl2pcapng from here:

https://github.com/microsoft/etl2pcapng

Convert the file with the following command (only the packet-capture events are converted, so the .pcapng is usually much smaller than the .etl):

etl2pcapng.exe testtrace.etl testtrace.pcapng

Both files contain full packet payloads, including any cleartext credentials that crossed the wire, so protect and delete them like any other capture.
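The whole procedure (start a filtered trace, confirm it is running, stop it, convert it) as one PowerShell script. This is an added example, not part of the original page or of the etl2pcapng project. It assumes an elevated PowerShell session, that etl2pcapng.exe is on the PATH, and that the host address, interface name and capture duration are placeholders you replace. It combines three capture filters (IPv4.Address, Protocol and CaptureInterface), which netsh applies with AND.

```powershell
# Added example (not from the original page): a complete netsh trace session
# driven from PowerShell. Assumes an elevated prompt, C:\temp writable, and
# etl2pcapng.exe on PATH. Host, interface and duration are placeholders.

$TraceFile  = 'C:\temp\testtrace.etl'
$PcapFile   = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
$TargetHost = '192.168.1.10'     # assumed: host whose traffic we want
$Interface  = 'Ethernet'         # assumed: adapter name as shown by Get-NetAdapter
$Seconds    = 60                 # assumed: capture duration

# netsh trace needs elevation; fail early with a clear message instead of
# netsh's generic error.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Only one netsh trace session can run at a time; check before starting.
# "netsh trace show status" prints "Status: Running" while a session is active.
if ((netsh trace show status) -match 'Running') {
    throw 'A netsh trace is already running; stop it with "netsh trace stop" first.'
}

# Start the capture. Multiple filters are ANDed: only TCP to/from $TargetHost on
# the chosen interface. In PowerShell, quote the filter arguments so that
# parentheses (value lists) and ! (negation) reach netsh instead of being
# interpreted by the shell, e.g. "IPv4.Address=!(192.168.1.10)".
netsh trace start capture=yes tracefile=$TraceFile maxsize=512 filemode=circular `
    report=disabled "IPv4.Address=$TargetHost" "Protocol=TCP" "CaptureInterface=$Interface"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

Write-Host "Capturing for $Seconds seconds..."
Start-Sleep -Seconds $Seconds

# Stopping flushes the ETL. With report=disabled this takes seconds, not minutes.
netsh trace stop
if (-not (Test-Path $TraceFile)) { throw "Trace file $TraceFile was not written" }

# Convert for Wireshark. etl2pcapng emits only the NDIS packet-capture events,
# so other ETW providers in the ETL are dropped and the pcapng is much smaller.
etl2pcapng.exe $TraceFile $PcapFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PcapFile)) {
    throw 'etl2pcapng conversion failed'
}

Get-Item $TraceFile, $PcapFile | Select-Object Name, Length
```

If the script aborts between start and stop (for example on Ctrl+C), the trace keeps running in the background; run netsh trace show status and netsh trace stop by hand before starting again.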

Other useful filters

You can list all filter options, their value syntax and examples using:

netsh trace show capturefilterhelp

Some of the filters it lists:

IPv4.SourceAddress=192.168.1.5
IPv4.DestinationAddress=192.168.1.10
IPv6.Address=fe80::1234:5678:9101:1121%8        (IPv6.SourceAddress and IPv6.DestinationAddress also work; %8 is the zone index of a link-local address)
Ethernet.Type=IPv4
Protocol=(UDP,TCP)
Ethernet.Address=00-11-22-33-44-55
Ethernet.SourceAddress=00-11-22-33-44-55
Ethernet.DestinationAddress=00-11-22-33-44-55
CaptureInterface="Local Area Connection"
Wifi.Type=Management
Wifi.Type=Data
