Capture a Network Trace without installing anything
If you want to capture a network trace on a server without installing Wireshark or Netmon, use the built-in command-line tool netsh trace. Run it from an elevated (administrator) command prompt.
Note: This feature works on Windows 7 / Windows Server 2008 R2 and later.
C:\>netsh trace start /?
start    Starts tracing.

Usage: trace start [[scenario=]<scenario1,scenario2>]
                   [[globalKeywords=]keywords] [[globalLevel=]level]
                   [[capture=]yes|no] [[report=]yes|no]
                   [[persistent=]yes|no] [[traceFile=]path\filename]
                   [[maxSize=]filemaxsize] [[fileMode=]single|circular|append]
                   [[overwrite=]yes|no] [[correlation=]yes|no|disabled]
                   [capturefilters]
                   [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet] [[level=]level]
                   [[provider=]provider2IdOrName] [[keywords=]keyword2MaskOrSet] [[level=]level2] …

Defaults:
    capture=no        (specifies whether packet capture is enabled in addition to trace events)
    report=no         (specifies whether a complementing report will be generated along with the trace file)
    persistent=no     (specifies whether the tracing session continues across reboots, and is on until netsh trace stop is issued)
    maxSize=250 MB    (specifies the maximum trace file size, 0=no maximum)
    fileMode=circular
    overwrite=yes     (specifies whether an existing trace output file will be overwritten)
    correlation=yes   (specifies whether related events will be correlated and grouped together)
    traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.
netsh trace start scenario=InternetClient capture=yes
Starts tracing for the InternetClient scenario and dependent providers with packet capture enabled. Tracing will stop when the “netsh trace stop” command is issued or when the system reboots. Default location and name will be used for the output file. If an old file exists, it will be overwritten.
netsh trace start provider=microsoft-windows-wlan-autoconfig keywords=state,ut:authentication
Starts tracing for the microsoft-windows-wlan-autoconfig provider. Tracing will stop when the “netsh trace stop” command is issued or when the system reboots. Default location and name will be used for the output file. If an old file exists, it will be overwritten. Only events with keyword ‘state’ or ‘ut:authentication’ will be logged.
netsh trace show provider command can be used to display supported keywords and levels.
Capture Filters: Capture filters are only supported when capture is explicitly enabled with capture=yes. Use ‘netsh trace show CaptureFilterHelp’ to display a list of supported capture filters and their usage.
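The following PowerShell script is an added example and is not part of the original page; it ties the pieces above together into a scoped, bounded capture: it checks that no other trace session is running, starts a packet capture with a capture filter (which, as noted above, only works with capture=yes), stops the session in a finally block so it is never left running, and verifies the .etl was written. The peer address 192.0.2.10, the output path and the duration are placeholder values, and the "no trace session currently in progress" status text is assumed from netsh output; adjust them for your environment. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scoped netsh trace packet capture with start/stop handling.
# Assumptions (not from the original page): placeholder peer address (TEST-NET-1),
# placeholder output path and duration, and the status text matched below.
param(
    [string]$PeerAddress = '192.0.2.10',                 # constructed example peer
    [string]$TraceFile   = 'C:\Temp\NetTrace\server.etl', # placeholder output path
    [int]$MaxSizeMB      = 500,                          # circular buffer size
    [int]$DurationSec    = 120                           # how long to capture
)

# netsh trace allows only one session at a time; bail out if one is already running.
$status = (netsh trace show status) -join "`n"
if ($status -notmatch 'no trace session currently in progress') {
    throw "A netsh trace session is already running. Run 'netsh trace stop' first.`n$status"
}

$null = New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force

# capture=yes enables packet capture (required for capture filters to apply).
# The IPv4.Address filter keeps only packets to or from the peer, which keeps the
# .etl small and avoids capturing unrelated traffic from the server.
# fileMode=circular with maxSize keeps the most recent $MaxSizeMB of data.
netsh trace start capture=yes report=no persistent=no `
    "traceFile=$TraceFile" "maxSize=$MaxSizeMB" fileMode=circular overwrite=yes `
    "IPv4.Address=$PeerAddress"
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed with exit code $LASTEXITCODE"
}

try {
    # Reproduce the problem while the trace runs; here we simply wait.
    Write-Host "Capturing traffic to/from $PeerAddress for $DurationSec seconds ..."
    Start-Sleep -Seconds $DurationSec
}
finally {
    # Always stop the session: with persistent=no it would otherwise keep writing
    # (and consuming disk) until 'netsh trace stop' is issued or the box reboots.
    netsh trace stop
}

# Confirm the trace file exists and report its size before copying it to the
# analysis machine that has Netmon installed.
$etl = Get-Item -Path $TraceFile -ErrorAction Stop
'{0} ({1:N1} MB)' -f $etl.FullName, ($etl.Length / 1MB)
```

Because fileMode=circular discards the oldest packets once maxSize is reached, set maxSize high enough to cover the whole reproduction window, or use fileMode=single with maxSize=0 if disk space is not a concern.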
After copying the .etl file to a system that has Netmon (Network Monitor) installed, open it in Netmon as you would open a .cap file from a traditional trace.
Then go to Tools > Options so that you can tell Netmon which parsers to use to decode the trace.
Choose the Windows parsers and don't forget to click “Set As Active” before you click OK, or nothing will happen. The output is then ready for analysis.