In some instances, you may need to collect a tcpdump-style packet capture on a Windows cell as part of troubleshooting work. This can be done with the netsh command, and the result can then be imported into Wireshark.
Sometimes you might hit a network interruption; as a result, the bosh ssh connection is terminated and the temporary SSH user that bosh created is gone. In addition, the tcpdump data collected under that user is lost.
Note: The data collection itself is still in progress even after the network interruption happens.
This KB article covers how to create a dedicated user and collect tcpdump data under it.
1. bosh ssh into the Windows cell.
2. Create a new admin user, test/Changeme1!:
bosh_933xxxx6@WIN-xxxxx C:\Users\bosh_933xxxx6>net user /add test Changeme1!
The command completed successfully.

bosh_933xxxx6@WIN-xxxxx C:\Users\bosh_933xxxx6>net localgroup administrators test /add
The command completed successfully.
3. Exit from bosh ssh and log in using the new admin user.
bosh_933xxxx6@WIN-xxxxx C:\Users\bosh_933xxxx6>exit
Connection to 10.xxx.xxx.83 closed.
Succeeded

(name)MBP:Downloads (name)$ ssh test@10.xxx.xxx.83
test@10.xxx.xxx.83's password:
4. Capture the network trace under the new user.
test@WIN-xxxxx C:\Users\test>netsh trace start capture=yes

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\test\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off
5. As a test, disconnect or exit from the current session. Then ssh into the Windows cell again.
test@WIN-xxxxx C:\Users\test>exit
Connection to 10.xxx.xxx.83 closed.

(name)MBP:Downloads (name)$ ssh test@10.xxx.xxx.83
test@10.xxx.xxx.83's password:
6. You can see that the trace collection is still in progress:
test@WIN-xxxxx C:\Users\test>netsh trace show status

Status:             Running
Trace File:         C:\Users\test\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

Provider:
Name:               Microsoft-Windows-NDIS-PacketCapture
Provider Guid:      {2ED6006E-xxxx-xxxx-xxxx-3EE7BCD678EF}
Level:              4 (win:Informational)
Keywords:           0xFFFFFFFFFFFFFFFF (Ethernet802.3,WirelessWAN,Tunnel,Native802.11,VMSwitch,PacketTruncated,PacketStart,PacketEnd,ut:SendPath,ut:ReceivePath,ut:L3ConnectPath,ut:L2ConnectPath,ut:ClosePath,ut:Authentication,ut:Configuration,ut:Global,ut:Dropped,ut:PiiPresent,ut:Packet,ut:Address,ut:StdTemplateHint,ut:StateTransition,win:ResponseTime,Microsoft-Windows-NDIS-PacketCapture/Diagnostic,xxxxx,xxxxx,xxxxx...)
7. Stop the data collection and note the two generated trace files.
test@WIN-xxxxx C:\Users\test>netsh trace stop
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\Users\test\AppData\Local\Temp\NetTraces\NetTrace.cab".
File location = C:\Users\test\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.
8. Then transfer these two files (NetTrace.etl and NetTrace.cab) to a Windows PC and convert them with Microsoft Message Analyzer. The converted file can be opened in Wireshark.
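The same steps 2 through 7 as a PowerShell helper, added here as an example and not part of the original KB article: it gives the temporary admin user a randomly generated password instead of a shared one, and removes that user again once the trace is stopped. It assumes an elevated session on a Windows Server 2016 or later cell (for the New-LocalUser family of cmdlets); the user name and trace path are constructed defaults.

```powershell
# Added example, not from the original KB. Dot-source this file, then call
# New-TraceAdmin and Start-CellTrace; after reconnecting as the new user,
# call Stop-CellTraceAndCleanup. $UserName and $TraceFile are constructed values.
param(
    [string]$UserName  = 'tracetmp',
    [string]$TraceFile = 'C:\NetTraces\NetTrace.etl',
    [int]$MaxSizeMB    = 250
)

function New-TraceAdmin {
    # 24 random bytes, base64-encoded, so the password is never a fixed constant
    # that every operator (and every old KB reader) knows.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-LocalUser -Name $UserName -Password $secure | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $UserName
    return $plain   # show once to the operator out of band; do not write it to disk
}

function Start-CellTrace {
    New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null
    # capture=yes records packets; the session keeps running across SSH
    # disconnects, which is the behaviour the KB relies on.
    netsh trace start capture=yes "tracefile=$TraceFile" "maxsize=$MaxSizeMB" report=disabled
}

function Get-CellTraceRunning {
    # $true when 'netsh trace show status' reports a running session.
    $status = netsh trace show status
    return [bool]($status | Select-String -Pattern 'Status:\s+Running')
}

function Stop-CellTraceAndCleanup {
    if (Get-CellTraceRunning) { netsh trace stop }
    # Remove the temporary admin so no extra privileged account is left on the cell.
    Remove-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    # List the .etl and .cab files that still need to be transferred off the cell.
    Get-ChildItem -Path (Split-Path $TraceFile) -Filter 'NetTrace.*'
}
```

Remove-LocalUser does not delete the user's profile directory, so keep the trace file outside C:\Users as above, or copy it off before cleaning up.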