How to capture traffic with no Wireshark using netsh

From Tech-Wiki
Revision as of 20:12, 15 November 2017 by Fabricio.Lima


To start a packet capture (sniffer) in Windows (any version above 7) without installing Wireshark, run the command below from an administrator (elevated) command prompt:

C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2

The output is written in .ETL format, which can be read by Microsoft Message Analyzer 1.4 or Network Monitor 3.4 (both also allow you to save the capture in .pcap format).

You can also convert the .ETL file to .pcap from PowerShell, using the PEF cmdlets that are installed together with Message Analyzer:

# Create a session that writes C:\temp\OutFile.Cap when it is stopped
$s = New-PefTraceSession -Path "C:\temp\OutFile.Cap" -SaveOnStop
# Feed it the .etl produced by netsh trace
$s | Add-PefMessageProvider -Provider "C:\temp\Input.etl"
# Run the session; it parses the .etl and saves the output file on completion
$s | Start-PefTraceSession
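The whole procedure (start a filtered netsh capture, stop it, convert the .etl) wrapped into one PowerShell function, as an added example that is not from the original page. The function name, the C:\temp output directory and the default duration are assumptions; the netsh trace options and PEF cmdlets are the ones the page describes plus the documented tracefile, maxsize, overwrite and report options.

```powershell
# Added example (not from the original page): time-boxed netsh capture for one host,
# followed by conversion of the resulting .etl to a .cap with Message Analyzer's PEF cmdlets.
# Run from an elevated (administrator) PowerShell session.
function Invoke-NetshCapture {
    param(
        [Parameter(Mandatory)] [string]$HostAddress,  # IPv4 address to filter on, e.g. 192.168.122.2
        [int]$Seconds = 60,                            # how long to capture
        [string]$OutDir = "C:\temp",                   # assumed output directory
        [int]$MaxSizeMB = 250                          # circular buffer cap, keeps the .etl bounded
    )
    $etl = Join-Path $OutDir "capture.etl"
    $cap = Join-Path $OutDir "capture.cap"
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Start the capture. report=no skips the diagnostic .cab that netsh otherwise builds on stop.
    & netsh trace start capture=yes "IPv4.Address=$HostAddress" "tracefile=$etl" `
        "maxsize=$MaxSizeMB" overwrite=yes report=no
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always stop the trace; otherwise the ETW session keeps running after the script exits.
        & netsh trace stop | Out-Null
    }

    # Convert .etl -> .cap. The PEF module ships with Message Analyzer; -SaveOnStop writes
    # the output file when the parsing session finishes.
    Import-Module PEF -ErrorAction Stop
    $s = New-PefTraceSession -Path $cap -SaveOnStop
    $s | Add-PefMessageProvider -Provider $etl
    $s | Start-PefTraceSession
    return $cap
}

# Usage: Invoke-NetshCapture -HostAddress 192.168.122.2 -Seconds 30
```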