How to Capture Network Traces Using Netsh Without Installing Extra Tools
Introduction:
I recently wrote a blog that has detail of how to capture the network traces from Client and Server via Wireshark. You can refer to that here.
Now, One of the challenges server support teams face is that Wireshark needs to be installed on both the client and server machines. Since many servers host critical applications, installing new tools during business hours is often avoided, or server admins need special approval to install them. So instead of installing new software, why not use a tool that already comes with Windows? This time, we’ll use the built-in Netsh utility.
About Netsh:
Netsh is a simple command-line tool that helps you view and change your computer’s network settings. You can use Netsh by typing commands in the Netsh command prompt, and you can also include these commands in scripts or batch files to automate tasks. Netsh works for both your local computer and remote computers. One useful feature of Netsh is that it lets you create a script with several commands, which you can then run all at once on a specific computer. You can also save these scripts in a text file to use later or to apply the same settings to other computers.
Let’s go capture the problem with Netsh.
We will follow basically the three steps to collect the network traces with Netsh.
Start command to start the capture.
Reproduce the issue.
Stop the command and let it collect the events, and zip.
Starting the trace collection:
Open an Administrative Command Prompt or an Administrative PowerShell console: open the Start menu and type CMD or PowerShell in the search bar, then right-click the command prompt or PowerShell and select Run as Administrator.
Run the following command to start the network capture
netsh trace start scenario=netconnection,WFP-IPsec maxSize = 1024 fileMode =circular Persistent=yes capture=yes report=yes tracefile=c:Clientside.etl
If you don’t specify the tracefile parameter, the default location is %LOCALAPPDATA%TempNetTraces
Like this:
Once you have run the command, immediately go and reproduce the issue you are trying to investigate multiple times.
Now you have the issue reproduced and netsh must have data captured, now its time to command it to stop and merge those events for us.
Run the stop command:
Netsh trace stop
This has been done on Client machine, but if you are troubleshooting something to trace the communication between Client And IIS Server(or any host), then same commands should be run on Server with just the filename as ServerSide.etl for visible secretion of Client and Server.
If you see one additional file created with an extension of .cab, don’t worry about this one. As this just holds some related diagnostic information and compresses that information into a CAB file.
This would generate the ClientSide.etl file which can be opened with Network analyzer tools like NetMon to validate and analyze for the comprehensive review to troubleshoot.
But what if you want to go ahead and try it on your own with Wireshark. And Wireshark does not read .etl files. You can go try the Open source tool etl2pcapng from the Official Microsoft Github repository and convert this etl to pcap and let Wireshark to read it.
Looking for more information about the Netsh? Please refer to the official Microsoft documentation here.
Netsh Command Syntax, Contexts, and Formatting | Microsoft Learn
Microsoft Tech Community – Latest Blogs –Read More