Start Trace
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl maxsize=8192 filemode=circular report=disabled
Examples:
Capture only one IP:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=192.168.1.10 report=disabled
Capture multiple IPs:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=(192.168.1.10,192.168.1.11) report=disabled
Capture only TCP traffic:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl Protocol=TCP report=disabled
Capture everything except one IP:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl IPv4.Address=!(192.168.1.10) report=disabled
Capture across reboots:
netsh trace start capture=yes tracefile=c:\temp\testtrace.etl report=disabled persistent=yes
Stop Trace
netsh trace stop
Convert the *.etl file to *.pcapng for Wireshark analysis
Download etl2pcapng from here:
https://github.com/microsoft/etl2pcapng
Convert the file with the following command:
etl2pcapng.exe testtrace.etl testtrace.pcapng
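The start, stop and convert steps above wrapped into one PowerShell function, as an added example that is not part of the original post. It assumes an elevated shell (netsh trace start needs administrator rights) and that etl2pcapng.exe is on PATH or passed via -Etl2Pcapng; it also builds the IPv4.Address filter from a host list, so it covers the single, multiple and negated forms shown above.

```powershell
# Added example, not from the original post. Runs a circular netsh trace filtered
# to a set of IPv4 hosts for a fixed time, stops it and converts it for Wireshark.
function Start-FilteredTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$IPv4Address,   # hosts to include (or exclude)
        [switch]$Exclude,                                  # capture everything EXCEPT these hosts
        [int]$DurationSeconds = 60,
        [string]$TraceFile = 'C:\temp\testtrace.etl',
        [int]$MaxSizeMB = 8192,
        [string]$Etl2Pcapng = 'etl2pcapng.exe'             # assumption: tool reachable by this name
    )

    foreach ($a in $IPv4Address) {
        if (-not ($a -as [ipaddress])) { throw "Not an IP address: $a" }
    }

    # netsh syntax: one address bare, several as (a,b), exclusion as !(a,b)
    $joined = $IPv4Address -join ','
    $filter = if ($Exclude) { "!($joined)" }
              elseif ($IPv4Address.Count -gt 1) { "($joined)" }
              else { $joined }

    New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
                   "maxsize=$MaxSizeMB", 'filemode=circular', 'report=disabled',
                   "IPv4.Address=$filter")
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

    try {
        Start-Sleep -Seconds $DurationSeconds
    } finally {
        # always stop the session, even if the wait is interrupted with Ctrl+C
        & netsh trace stop
    }

    # Convert the ETL for Wireshark; the .pcapng lands next to the .etl
    $pcap = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    & $Etl2Pcapng $TraceFile $pcap
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }
    Get-Item $pcap
}

# Usage: two minutes of traffic to or from two hosts, then open the result in Wireshark.
# Start-FilteredTrace -IPv4Address 192.168.1.10, 192.168.1.11 -DurationSeconds 120
```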
Other useful filters
You can list filter options using:
netsh trace show capturefilterhelp
IPv4.SourceAddress=192.168.1.5
IPv4.DestinationAddress=192.168.1.10
Ethernet.Type=IPv4
Protocol=(UDP,TCP)
Ethernet.Address=00-11-22-33-44-55
Ethernet.SourceAddress=00-11-22-33-44-55
Ethernet.DestinationAddress=00-11-22-33-44-55
CaptureInterface="Local Area Connection"
Wifi.Type=Management
Wifi.Type=Data
IPv6.Address=fe80::1234:5678:9101:1121\%8 # IPv6.SourceAddress and IPv6.DestinationAddress also work