
Capture a network trace without installing Wireshark


Article ID: 213208




Endpoint Protection Data Loss Prevention


How to obtain a network packet capture (trace) on a Windows system without installing Wireshark on it, using the built-in netsh trace facility.


Windows 7/8.x/10 all releases

Windows Server 2008 R2/2012/2012 R2/2016/2019

SEP 14.x

DLP 15.X and 16.0


The built-in "netsh trace" command captures packets to an ETL file without any additional software. With persistent=yes the capture survives a reboot, so it can be used for problems that only appear during or after a restart. Administrator rights are required.

  • Launch an elevated command prompt using the Run As Administrator option
  • Enter the following command and press Enter

netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl persistent=yes

  • The trace configuration will be displayed similar to the following:
C:\Windows\system32>netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl persistent=yes
Trace configuration:
Status:             Running
Trace File:         C:\temp\tracefile.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             On

  • Reproduce the problem. If a reboot is required, the trace keeps running across the restart because persistent=yes was specified. Note that the default trace is a 250 MB circular buffer: once the file reaches that size the oldest packets are overwritten, so for long captures add maxSize=<megabytes> to the start command.
  • To stop the trace, launch an elevated command prompt and run "netsh trace stop". Because report=yes was given, this creates two files, tracefile.etl (the capture) and tracefile.cab (a report with system information); their names and location are displayed in the command prompt window once collection is finished. Generating the report can take several minutes. Always run this step, even if the problem did not reproduce: a persistent trace that is never stopped keeps capturing across reboots. "netsh trace show status" shows whether a session is still running.
  • Zip up the files and upload them to the support case. The capture contains full packet payloads, which may include cleartext credentials or other sensitive data, so handle and transmit it accordingly.
  • Wireshark cannot open the .etl file directly. Use Microsoft's etl2pcapng tool (https://github.com/microsoft/etl2pcapng) to convert it to pcapng format, which Wireshark can read.
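The following PowerShell script is an added example, not part of the original article or a Broadcom/Symantec tool. It wraps the steps above into two functions so the trace can be started, left running across a reboot if needed, and then stopped, converted and zipped from a fresh elevated prompt. It assumes etl2pcapng.exe has been unpacked to C:\Tools (a hypothetical path) and that PowerShell 5.0 or later is available for Compress-Archive (Windows 10 / Server 2016 and later; on older systems zip the files manually).

```powershell
# Added example (not from the original article): automate "netsh trace" collection.
# Assumptions: etl2pcapng.exe lives in C:\Tools (hypothetical path) and
# PowerShell 5.0+ is present for Compress-Archive.

function Assert-Elevated {
    # netsh trace requires administrator rights; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as Administrator) PowerShell prompt.'
    }
}

function Start-SupportTrace {
    param(
        [string]$TraceFile = 'C:\temp\tracefile.etl',
        [int]$MaxSizeMB    = 1024   # raise the 250 MB circular-buffer default for longer captures
    )
    Assert-Elevated
    New-Item -ItemType Directory -Path (Split-Path -Parent $TraceFile) -Force | Out-Null

    # persistent=yes keeps the capture running across a reboot, so Stop-SupportTrace
    # (or a manual "netsh trace stop") must always be run afterwards.
    netsh trace start capture=yes report=yes persistent=yes "maxSize=$MaxSizeMB" "tracefile=$TraceFile"
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
    Write-Host "Trace running. Reproduce the problem (reboot if needed), then run Stop-SupportTrace."
}

function Stop-SupportTrace {
    param(
        [string]$TraceFile  = 'C:\temp\tracefile.etl',
        [string]$Etl2Pcapng = 'C:\Tools\etl2pcapng.exe'   # assumed location of the converter
    )
    Assert-Elevated

    # With report=yes, netsh also writes tracefile.cab (system information) next to
    # the .etl. This step can take several minutes.
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
    if (-not (Test-Path $TraceFile)) { throw "Expected capture file $TraceFile was not created." }

    $cabFile    = [IO.Path]::ChangeExtension($TraceFile, '.cab')
    $pcapngFile = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')

    # Convert to pcapng so the capture can be opened in Wireshark on another machine.
    if (Test-Path $Etl2Pcapng) {
        & $Etl2Pcapng $TraceFile $pcapngFile
        if ($LASTEXITCODE -ne 0) { Write-Warning "etl2pcapng exited with code $LASTEXITCODE" }
    } else {
        Write-Warning "etl2pcapng not found at $Etl2Pcapng; upload the .etl and convert it elsewhere."
    }

    # Package whatever was produced. The archive holds full packet payloads and the
    # .cab holds system details, so treat it as sensitive data.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $zipFile = Join-Path (Split-Path -Parent $TraceFile) "netsh-trace-$($env:COMPUTERNAME)-$stamp.zip"
    $toZip   = @($TraceFile, $cabFile, $pcapngFile) | Where-Object { Test-Path $_ }
    Compress-Archive -Path $toZip -DestinationPath $zipFile -Force

    Write-Host "Upload $zipFile to the support case."
    return $zipFile
}

# Usage (from an elevated prompt, after dot-sourcing this file):
#   Start-SupportTrace
#   ... reproduce the problem, rebooting if necessary ...
#   Stop-SupportTrace
```

Dot-source the file in an elevated PowerShell session and call Start-SupportTrace; after reproducing the problem (and rebooting, if that is part of the repro), open a new elevated session, dot-source it again and call Stop-SupportTrace, which returns the path of the zip to upload. Keeping start and stop as separate functions, rather than a single script with a sleep, is what allows the reboot case that persistent=yes exists for.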


Additional Information

The following Microsoft links have more information on this topic.