
Capture a network trace without installing Wireshark


Article ID: 213208


Products

Endpoint Protection

Issue/Introduction

Obtaining a network packet capture or trace without installing Wireshark on the system.

Environment

Windows 7/8.x/10 all releases

Windows Server 2008 R2/2012/2012 R2/2016/2019

SEP 14.x

Resolution

You can use the following "netsh" command to generate a packet capture and have it persist across a reboot.

  • Launch an elevated command prompt using the Run As Administrator option
  • Enter the following command and press Enter

netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl persistent=yes

  • Trace configuration similar to the following is displayed:
C:\Windows\system32>netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl persistent=yes
Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\temp\tracefile.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             On

C:\Windows\system32>
  • Reboot the system if needed.
  • To stop the trace, launch an elevated command prompt and type "netsh trace stop". This creates two files, tracefile.cab and tracefile.etl; their names and location are displayed in the command prompt window after data collection finishes.
  • Zip up the files and upload them to the support case.
  • You can use etl2pcapng to convert the .etl file to a pcapng capture that can then be opened in Wireshark.
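As an added example (not part of this article or of any Microsoft or Broadcom tooling), the same steps driven from an elevated PowerShell session, with an elevation check, a status check, and hashes of the files you upload so support can verify them. It assumes etl2pcapng.exe is on the PATH and that C:\temp is an acceptable capture location.

```powershell
# Added example: wraps the netsh trace steps above in PowerShell.
# Assumptions (not from the article): etl2pcapng.exe is on the PATH, C:\temp is usable.
$TraceFile  = 'C:\temp\tracefile.etl'
$MaxSizeMB  = 250              # same circular-buffer size netsh reported above
$Etl2Pcapng = 'etl2pcapng.exe'

# netsh trace needs an elevated prompt; fail early instead of collecting nothing.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell session.'
}
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

function Start-NetshTrace {
    # persistent=yes keeps the session alive across a reboot, as in the article
    netsh trace start capture=yes report=yes "tracefile=$TraceFile" persistent=yes "maxsize=$MaxSizeMB"
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
}

function Test-NetshTraceRunning {
    # 'netsh trace show status' prints the same 'Status: Running' line shown above
    return [bool]((netsh trace show status) -match 'Status:\s+Running')
}

function Stop-NetshTrace {
    # Writes tracefile.etl and tracefile.cab; run this again after logging back in if you rebooted
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
}

function Convert-TraceToPcapng {
    $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    & $Etl2Pcapng $TraceFile $pcapng
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }
    return $pcapng
}

Start-NetshTrace
if (-not (Test-NetshTraceRunning)) { throw 'Trace did not start; check the netsh output above.' }
Read-Host 'Reproduce the issue, then press Enter to stop the trace'
Stop-NetshTrace
$pcapng = Convert-TraceToPcapng
$cab    = [IO.Path]::ChangeExtension($TraceFile, '.cab')
# The capture holds full packet payloads: zip only the two files support asked for,
# record their hashes for the case, and delete local copies once the case is closed.
Compress-Archive -Path $TraceFile, $cab -DestinationPath ([IO.Path]::ChangeExtension($TraceFile, '.zip')) -Force
Get-FileHash -Algorithm SHA256 -Path $TraceFile, $cab, $pcapng | Format-Table Hash, Path -AutoSize
```

If the reproduction needs a reboot, the script will not survive it; after logging back in, run the Stop-NetshTrace and later steps on their own.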


Additional Information

The following Microsoft links have more information on this topic.

https://techcommunity.microsoft.com/t5/iis-support-blog/capture-a-network-trace-without-installing-anything-amp-capture/ba-p/376503

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/converting-etl-files-to-pcap-files/ba-p/1133297