Capturing Network Traffic on Windows Server Hosts using Built-in Tools (KBA9487)
KBA# 10081
Applicable Delphix Versions
Major Release: All
Sub Releases: All
How to Capture Network Traffic Using Built-in Windows Server Tools
If a network packet capture is required from a Windows host but it is not possible to install Wireshark on the host, the capture can be performed using the Windows Server netsh (Network Shell) utility.
On Windows Server 2008 R2 and later, the netsh utility has a trace command that allows packets to be captured on a specified network interface.
- List the network interfaces that are available for tracing:
PS C:\> netsh trace show interfaces

Ethernet adapter Ethernet:
    Description:       vmxnet3 Ethernet Adapter
    Interface GUID:    {ADED41D1-F51E-45AE-8F37-B9B8C50F8B3E}
    Interface Index:   11
    Interface Luid:    0x6008001000000
In this example, there is only a single network interface available for tracing.
- Start the network trace using the netsh trace start command, specifying options for the tracing session. The command below will capture the first 300 bytes of each packet sent to or from host 10.1.2.3, into a single output file with a maximum output file size of 750 MB. In this example, the captureType is configured for a physical interface, rather than a Hyper-V virtual switch, and separate report generation is disabled.
PS C:\Users\delphix> netsh trace start capture=yes report=disabled captureType=physical maxSize=750 fileMode=single CaptureInterface="{ADED41D1-F51E-45AE-8F37-B9B8C50F8B3E}" IPv4.Address=10.1.2.3 PacketTruncateBytes=300

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           Off
Max Size:           Off
Report:             Off
The available options for filtering the captured packets are limited. netsh provides the ability to filter based on IP address or MAC address but not on TCP port. For help with capture filters, run the following command.
PS C:\> netsh trace show capturefilterhelp

Capture Filters:
    Capture filters are only supported when capture is explicitly enabled with capture=yes.
    Supported capture filters are:

    CaptureInterface=<interface name or GUID>
        Enables packet capture for the specified interface name or GUID.
        Use 'netsh trace show interfaces' to list available interfaces.
        e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface="Local Area Connection"
    ...
- Stop the trace with the following command. By default, the trace file is saved into the AppData\Local\Temp\NetTraces directory of the current user as NetTrace.etl.
PS C:\Users\delphix> netsh trace stop
Merging traces ... done
File location = C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.
- To analyse the trace file in Wireshark, it must first be converted to the .pcapng file format. Microsoft provides a utility to perform the conversion, etl2pcapng.exe, which can be downloaded from https://github.com/microsoft/etl2pcapng.
Run etl2pcapng.exe against the NetTrace.etl file, providing the name to use for the converted file as the second argument, in this case NetTrace.pcapng.
PS C:\Users\delphix\Downloads\etl2pcapng\etl2pcapng\x64> .\etl2pcapng.exe C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl NetTrace.pcapng
IF: medium=eth ID=0 IfIndex=11 VlanID=0
Converted 4524 frames
The converted NetTrace.pcapng file can then be opened in Wireshark.
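The steps above can be scripted so the interface GUID is looked up rather than copied by hand and the session is always stopped. The following PowerShell is an added example, not part of this article; the adapter description, target host, capture duration and the path to etl2pcapng.exe are placeholders to adjust, and the script must run in an elevated session because netsh trace requires administrative rights.

```powershell
# Added example, not part of the original article: scripts the capture steps
# above (find interface GUID, netsh trace start/stop, etl2pcapng conversion).
# Assumed placeholders: adapter description, target host, etl2pcapng.exe path.
param(
    [string]$InterfaceDescription = 'vmxnet3 Ethernet Adapter',
    [string]$TargetHost           = '10.1.2.3',
    [int]$DurationSeconds         = 120,
    [string]$Etl2PcapngPath       = 'C:\Tools\etl2pcapng\x64\etl2pcapng.exe',
    [string]$OutputPcapng         = (Join-Path $PWD 'NetTrace.pcapng')
)

# Resolve the interface GUID from 'netsh trace show interfaces' instead of
# copying it by hand: each adapter prints a Description line followed by
# an Interface GUID line.
function Get-TraceInterfaceGuid([string]$Description) {
    $lines = @(netsh trace show interfaces)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match "Description:\s+$([regex]::Escape($Description))\s*$" -and
            $lines[$i + 1] -match 'Interface GUID:\s+(\{[0-9A-Fa-f-]+\})') {
            return $Matches[1]
        }
    }
    throw "No tracing interface with description '$Description' found"
}

$guid = Get-TraceInterfaceGuid $InterfaceDescription
Write-Host "Capturing on $guid, host $TargetHost, for $DurationSeconds s"

# Same options as the article: physical interface, single 750 MB file,
# first 300 bytes of each packet, IPv4 address filter, report disabled.
netsh trace start capture=yes report=disabled captureType=physical maxSize=750 fileMode=single "CaptureInterface=$guid" "IPv4.Address=$TargetHost" PacketTruncateBytes=300
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }

try {
    Start-Sleep -Seconds $DurationSeconds
} finally {
    # Always stop the session, even if the wait is interrupted (Ctrl+C).
    $stopOutput = @(netsh trace stop)
    $stopOutput | Write-Host
}

# netsh prints the merged trace location; fall back to the default path.
$defaultEtl = Join-Path $env:LOCALAPPDATA 'Temp\NetTraces\NetTrace.etl'
$etl = if (($stopOutput -join "`n") -match 'File location = (.+\.etl)') { $Matches[1].Trim() } else { $defaultEtl }
if (-not (Test-Path $etl)) { throw "Trace file not found: $etl" }
# Convert for Wireshark; etl2pcapng reports the interfaces and frame count.
& $Etl2PcapngPath $etl $OutputPcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit $LASTEXITCODE)" }
Write-Host "Wrote $OutputPcapng"
```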