Collect a network trace without installing Wireshark

Quite often when at a client site it is necessary to collect a sample of network traffic for analysis. However, some clients do not want Wireshark or any third-party utilities installed. Fortunately this can be achieved using netsh.

This is made possible by ETW (Event Tracing for Windows), which lets you capture traffic for specific scenarios. You can list the scenarios using:

netsh trace show scenarios

To start a network trace and capture the traffic to a file, run the command below. Be careful with the maximum file size: it is given in MB and can fill your disk in seconds if you're not careful!

netsh trace start capture=yes tracefile=c:\temp\net.etl persistent=yes maxsize=500

The options used are as follows:

capture=yes (ensures the network trace is captured)
persistent=yes (specifies whether the tracing session continues across reboots; it stays on until netsh trace stop is issued)
tracefile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (specifies the location of the output file; the path shown here is the default)

To stop the trace simply run:

netsh trace stop

To view the resulting file, download Microsoft Message Analyzer.

Here is the complete list of parameters you can use:

Usage:

trace start [[scenario=]<scenario1,scenario2>]
[[globalKeywords=]keywords] [[globalLevel=]level]
[[capture=]yes|no] [[report=]yes|no]
[[persistent=]yes|no] [[traceFile=]path\filename]
[[maxSize=]filemaxsize] [[fileMode=]single|circular|append]
[[overwrite=]yes|no] [[correlation=]yes|no|disabled] [capturefilters]
[[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]
[[level=]level] [[provider=]provider2IdOrName]
[[keywords=]keyword2MaskOrSet] [[level=]level2] …

Defaults:
capture=no (specifies whether packet capture is enabled in addition to trace events)
report=no (specifies whether a complementing report will be generated along with the trace file)
persistent=no (specifies whether the tracing session continues across reboots, and is on until netsh trace stop is issued)
maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
fileMode=circular
overwrite=yes (specifies whether an existing trace output file will be overwritten)
correlation=yes (specifies whether related events will be correlated and grouped together)
traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.

For example:

netsh trace start scenario=InternetClient capture=yes

Starts tracing for the InternetClient scenario and dependent providers with packet capture enabled.
Tracing will stop when the “netsh trace stop” command is issued or when the system reboots. Default location and name will be used for the output file. If an old file exists, it will be overwritten.

netsh trace start provider=microsoft-windows-wlan-autoconfig keywords=state,ut:authentication

Starts tracing for the microsoft-windows-wlan-autoconfig provider. Tracing will stop when the “netsh trace stop” command is issued or when the system reboots.
Default location and name will be used for the output file. If an old file exists, it will be overwritten.
Only events with keyword ‘state’ or ‘ut:authentication’ will be logged.

The netsh trace show provider command can be used to display supported keywords and levels.

Capture Filters:
Capture filters are only supported when capture is explicitly enabled with capture=yes. Use ‘netsh trace show CaptureFilterHelp’ to display a list of supported capture filters and their usage.

The levels are as follows:

1 – Critical – Only critical events will be shown.
2 – Errors – Critical events and errors will be shown.
3 – Warnings – Critical events, errors, and warnings will be shown.
4 – Informational – Critical events, errors, warnings, and informational events will be shown.
5 – Verbose – All events will be shown.
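Putting the procedure above together, here is an added PowerShell example (not from the original post) that runs a time-boxed capture with netsh trace, stops it even if the wait is interrupted, and converts the .etl to pcapng when Microsoft's etl2pcapng.exe is present. It assumes an elevated session; the etl2pcapng.exe path is a placeholder, and correlation=no is passed because the reply below reports the converter needs it.

```powershell
# Added example (not from the original post): time-boxed netsh trace capture,
# then optional ETL -> pcapng conversion with Microsoft's etl2pcapng.exe.
# Assumptions: elevated PowerShell session; $Etl2Pcapng is a placeholder path.
param(
    [int]    $Seconds    = 60,
    [string] $TraceFile  = 'C:\temp\net.etl',
    [int]    $MaxSizeMB  = 500,
    [string] $HostFilter = '',                        # e.g. '10.0.0.5' to capture one IPv4 address only
    [string] $Etl2Pcapng = 'C:\tools\etl2pcapng.exe'  # placeholder path to the converter
)

# netsh trace needs an elevated session; fail early rather than produce an empty file.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Build the start command. maxsize is in MB and bounds disk usage; report=no skips the
# extra .cab bundle; correlation=no is needed for etl2pcapng to read the output.
$netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile", "maxsize=$MaxSizeMB",
               'overwrite=yes', 'report=no', 'correlation=no')
if ($HostFilter) { $netshArgs += "IPv4.Address=$HostFilter" }  # capture filter; valid only with capture=yes

Write-Host "Starting capture for $Seconds s -> $TraceFile"
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Start-Sleep -Seconds $Seconds
} finally {
    # Always stop the session; a forgotten trace keeps writing until netsh trace stop is issued.
    & netsh trace stop | Out-Null
}

$etl = Get-Item $TraceFile
Write-Host ("Capture complete: {0} ({1:N1} MB)" -f $etl.FullName, ($etl.Length / 1MB))

# Convert for Wireshark if the converter is available; otherwise keep the .etl for Message Analyzer.
if (Test-Path $Etl2Pcapng) {
    $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    & $Etl2Pcapng $TraceFile $pcapng
    if ($LASTEXITCODE -eq 0) { Write-Host "Wrote $pcapng" }
} else {
    Write-Host "etl2pcapng.exe not found at $Etl2Pcapng; open $TraceFile in Microsoft Message Analyzer."
}
```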

One Reply to “Collect a network trace without installing Wireshark”

  1. Might be worth adding: it seems to me that if you want to convert the ETL to a (Wireshark) PCapNG file – using Microsoft’s downloadable ‘etl2pcapng.exe’ utility – you have to pass the ‘correlation=no’ argument for the capture/’net start’ command for the conversion to work successfully.
