Capture a network trace without installing Wireshark
Article ID: 213208
Updated On:
Products
Endpoint Protection
Data Loss Prevention
Issue/Introduction
Obtaining a network packet capture or trace without installing Wireshark onto the system.
Environment
Windows 7/8.x/10 all releases
Windows Server 2008 R2/2012/2012 R2/2016/2019
SEP 14.x
DLP 15.X and 16.0
Resolution
You can use the following "netsh" command to generate a packet capture and have it continue on reboot.
- Launch an elevated command prompt using the Run As Administrator option
- Enter the following command and press Enter
netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl persistent=yes
- The trace configuration will be displayed similar to the following:
C:\Windows\system32>netsh trace start capture=yes report=yes tracefile=C:\temp\tracefile.etl
persistent=yes
persistent=yes
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\temp\tracefile.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: On
-------------------------------------------------------------------
Status: Running
Trace File: C:\temp\tracefile.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: On
C:\Windows\system32>
- Reboot the system if needed.
- To stop the trace launch an elevated command prompt and type "netsh trace stop". This will create two files Tracefile.cab and tracefile.etl. File names and location will be displayed in command prompt window after data collection is finished.
- Zip up the files and upload them to the support case.
- You can use Etl2Pcapng to convert it to pcap file that can then be read with Wireshark.
Additional Information
The following Microsoft links have more information on this topic.
Feedback
Yes
No
Powered by
