Difference between revisions of "How to capture traffic with no Wireshark using netsh"
From Tech-Wiki
| Line 5: | Line 5: | ||
To start a packet capture (sniffer) in Windows (any version above 7), just use the command below: | To start a packet capture (sniffer) in Windows (any version above 7), just use the command below: | ||
| − | C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 | + | C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 tracefile=c:\temp\capture.etl |
To stop it, use: | To stop it, use: | ||
| Line 17: | Line 17: | ||
$s = New-PefTraceSession -Path “C:\temp\OutFile.Cap” -SaveOnStop | $s = New-PefTraceSession -Path “C:\temp\OutFile.Cap” -SaveOnStop | ||
| − | $s | Add-PefMessageProvider -Provider “C:\temp\ | + | $s | Add-PefMessageProvider -Provider “C:\temp\capture.etl” |
$s | Start-PefTraceSession | $s | Start-PefTraceSession | ||
Revision as of 19:53, 7 February 2019
To start a packet capture (sniffer) in Windows (any version above 7), just use the command below:
C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 tracefile=c:\temp\capture.etl
To stop it, use:
C:\>netsh trace stop
the output will be in .ETL format which can be read by Microsoft's Message Analyzer 1.4 or Network Monitor 3.4 (and allows you to save in .pcap format)
You can also convert to .pcap using PowerShell
$s = New-PefTraceSession -Path “C:\temp\OutFile.Cap” -SaveOnStop $s | Add-PefMessageProvider -Provider “C:\temp\capture.etl” $s | Start-PefTraceSession