How to capture traffic with no Wireshark using netsh

From Tech-Wiki

Revision as of 20:05, 22 August 2023


To start a packet capture (sniffer) on Windows 7 / Server 2008 R2 or later without installing anything, run the command below from an elevated (Administrator) command prompt. capture=yes turns on actual packet capture (without it netsh trace only records ETW events), and the IPv4.Address filter limits the capture to packets sent to or from that host:

C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 tracefile=c:\temp\capture.etl

To stop it (netsh trace can take a while to finish writing the file), use:

C:\>netsh trace stop

The output is an .ETL file, which can be opened with Microsoft's Message Analyzer 1.4 or Network Monitor 3.4 (both let you save the capture in .cap/.pcap format). Note that Message Analyzer was retired by Microsoft in 2019 and is no longer offered for download.

You can also convert the .ETL file with the PEF PowerShell cmdlets that ship with Message Analyzer (they are not part of Windows, so Message Analyzer must be installed):

# Output session; -SaveOnStop writes the file when the session ends
$s = New-PefTraceSession -Path "C:\temp\OutFile.Cap" -SaveOnStop
# Use the netsh .etl file as the input provider
$s | Add-PefMessageProvider -Provider "C:\temp\capture.etl"
# Process the file; the session stops and saves once the input has been read
$s | Start-PefTraceSession

Or use the [https://github.com/microsoft/etl2pcapng etl2pcapng] utility from Microsoft, which converts the .ETL file to a .pcapng file that Wireshark opens directly.
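The whole procedure above (start a filtered netsh trace, let it run, stop it, convert the result) as one PowerShell script. This is an added example, not code from the original wiki page or from the netsh/etl2pcapng projects; the host IP, capture duration and the etl2pcapng.exe install path are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): one-shot capture of traffic to/from
# one host with netsh trace, then conversion to .pcapng for Wireshark.
# Assumptions: etl2pcapng.exe lives at $Etl2Pcapng; the host IP and duration are
# made-up defaults. Must run from an elevated PowerShell (netsh trace needs admin).
#Requires -RunAsAdministrator

param(
    [string]$HostIp     = '192.168.122.2',            # constructed example host
    [int]   $Seconds    = 60,                         # constructed capture length
    [string]$TraceFile  = 'C:\temp\capture.etl',
    [string]$Etl2Pcapng = 'C:\tools\etl2pcapng.exe'   # assumed install path
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# capture=yes enables packet capture (not only ETW events);
# IPv4.Address restricts the capture to packets to or from the host;
# overwrite=yes avoids failing when an old trace file is present.
netsh trace start capture=yes "IPv4.Address=$HostIp" tracefile="$TraceFile" overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing traffic to/from $HostIp for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, otherwise it keeps running in the background
    # (and keeps writing the .etl file) after the script exits.
    netsh trace stop | Out-Null
}

# Convert for Wireshark. etl2pcapng takes <input.etl> <output.pcapng>.
if (Test-Path $Etl2Pcapng) {
    $PcapNg = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    & $Etl2Pcapng $TraceFile $PcapNg
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }
    Get-Item $PcapNg | Select-Object FullName, Length
}
else {
    Write-Warning "etl2pcapng.exe not found at $Etl2Pcapng; open $TraceFile with Network Monitor instead."
}
```

Run it as .\Capture-Host.ps1 -HostIp 10.0.0.5 -Seconds 120 from an elevated prompt; the try/finally guarantees netsh trace stop runs even if the wait is interrupted with Ctrl+C, which matters because an abandoned trace session survives the PowerShell window and has to be stopped manually.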