How to collect a network capture without installing Wireshark.
Windows has a built-in command you can use. To start a capture on Windows, run the following:
netsh trace start capture=yes tracefile=c:\dlp.etl persistent=yes maxsize=100
The above command creates two files, dlp.etl and dlp.cab, in the root of the C drive; you can change the path and file name to any location you like. maxsize=100 limits the trace file to 100 MB; once it reaches that size, the file rolls over.
After reproducing the issue, stop the trace by running:
netsh trace stop
Allow a few minutes, as generating the two files takes a little while. You can then collect the two files and use a Microsoft utility to convert the .etl into a pcapng file that Wireshark can open.
You can download the Microsoft utility (etl2pcapng) from the link below:
https://github.com/microsoft/etl2pcapng/
Once downloaded, use the following syntax to convert the file:
Using the example above, where dlp.etl and dlp.cab have been copied to the folder that contains etl2pcapng.exe, I would run:
etl2pcapng <input file> <output file>
etl2pcapng dlp.etl dlp.pcapng
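The whole procedure above wrapped in one PowerShell script, as an added example that is not part of the original article: it checks that the session is elevated (netsh trace start needs administrator rights), starts and stops the trace with the same netsh parameters as above, confirms the .etl and .cab files exist, converts the .etl with etl2pcapng and records SHA-256 hashes so the capture can be verified after it is handed to an analyst. The script parameters, the etl2pcapng location C:\tools\etl2pcapng.exe and the ten-minute wait limit are assumptions.

```powershell
# Added example (not from the original article). Assumptions: run from an
# elevated (Administrator) PowerShell session; etl2pcapng.exe lives at the path
# given by -Etl2PcapngPath (C:\tools\etl2pcapng.exe is a placeholder).
param(
    [string]$TraceFile      = 'C:\dlp.etl',              # same path as the article
    [int]$MaxSizeMB         = 100,                        # maxsize=100 from the article
    [string]$Etl2PcapngPath = 'C:\tools\etl2pcapng.exe'   # assumed tool location
)

$ErrorActionPreference = 'Stop'

# netsh trace start fails without elevation, so check before doing anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Start the packet capture with the same parameters as the article.
netsh trace start capture=yes "tracefile=$TraceFile" persistent=yes "maxsize=$MaxSizeMB"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

Write-Host 'Capture running. Reproduce the issue now.'
Read-Host 'Press Enter to stop the trace'

# Stopping takes a while: netsh flushes the ETL and builds the .cab.
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Confirm both output files exist before converting; retry briefly in case
# the .cab is still being written (assumed 10-minute limit).
$cabFile  = [IO.Path]::ChangeExtension($TraceFile, '.cab')
$deadline = (Get-Date).AddMinutes(10)
while (-not ((Test-Path $TraceFile) -and (Test-Path $cabFile))) {
    if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the trace output files.' }
    Start-Sleep -Seconds 5
}

# Convert the ETL to pcapng using the syntax from the article: etl2pcapng <in> <out>.
$pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
& $Etl2PcapngPath $TraceFile $pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

# Record SHA-256 hashes so the files can be verified after transfer to an analyst.
Get-FileHash -Algorithm SHA256 -Path $TraceFile, $cabFile, $pcapng |
    Format-Table Hash, Path -AutoSize
```

Save it as, for example, Collect-NetshTrace.ps1 and run it from an elevated prompt; the hash table it prints is what to send alongside the .etl, .cab and .pcapng files.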