Delphix

Capturing Network Traffic on Windows Server Hosts using Built-in Tools (KBA9487)


KBA

KBA# 10081

Applicable Delphix Versions

Major Release: All
Sub Releases: All

How to Capture Network Traffic Using Built-in Windows Server Tools

If a network packet capture is required from a Windows host but it is not possible to install Wireshark on the host, the capture can be performed using the Windows Server netsh (Network Shell) utility.

On Windows Server 2008 R2 and later, the netsh utility has a trace command that allows packets to be captured on a specified network interface.

  1. List the network interfaces that are available for tracing:
PS C:\> netsh trace show interfaces

Ethernet adapter Ethernet:
    Description:     vmxnet3 Ethernet Adapter
    Interface GUID:  {ADED41D1-F51E-45AE-8F37-B9B8C50F8B3E}
    Interface Index: 11
    Interface Luid:  0x6008001000000

In this example, there is only a single network interface available for tracing.

  2. Start the network trace using the netsh trace start command, specifying options for the tracing session. The command below will capture the first 300 bytes of each packet sent to or from host 10.1.2.3, into a single output file with a maximum output file size of 750MB. In this example, the captureType is configured for a physical interface, rather than a Hyper-V virtual switch, and separate report generation is disabled.
PS C:\Users\delphix> netsh trace start capture=yes report=disabled captureType=physical maxSize=750 fileMode=single CaptureInterface="{ADED41D1-F51E-45AE-8F37-B9B8C50F8B3E}" IPv4.Address=10.1.2.3 PacketTruncateBytes=300

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           Off
Max Size:           Off
Report:             Off

The available options for filtering the captured packets are limited. netsh can filter on IP address or MAC address but not on TCP port, so port-level filtering has to be applied later in Wireshark. For help with capture filters, run the following command.

PS C:\> netsh trace show capturefilterhelp

  Capture Filters:
        Capture filters are only supported when capture is explicitly
        enabled with capture=yes. Supported capture filters are:

        CaptureInterface=<interface name or GUID>
         Enables packet capture for the specified interface name or GUID. Use
         'netsh trace show interfaces' to list available interfaces.
        e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface="Local Area Connection"
...
  3. Stop the trace with the following command. By default, the trace file is saved into the AppData\Local\Temp\NetTraces directory of the current user as NetTrace.etl.
PS C:\Users\delphix> netsh trace stop
Merging traces ... done
File location = C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.
  4. To analyse the trace file in Wireshark, it must first be converted to the .pcapng file format. Microsoft provides a utility to perform the conversion, etl2pcapng.exe, which can be downloaded from https://github.com/microsoft/etl2pcapng.
    Run etl2pcapng.exe against the NetTrace.etl file, providing the name to use for the converted file as the second argument, in this case NetTrace.pcapng.
PS C:\Users\delphix\Downloads\etl2pcapng\etl2pcapng\x64> .\etl2pcapng.exe C:\Users\delphix\AppData\Local\Temp\NetTraces\NetTrace.etl NetTrace.pcapng
IF: medium=eth                  ID=0    IfIndex=11      VlanID=0
Converted 4524 frames

The converted NetTrace.pcapng file can then be opened in Wireshark.
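The four steps above can be combined into one script so that a capture is started, bounded in time, stopped and converted in a single run. The script below is an added example and is not part of the Delphix article or of any Delphix tooling. It reuses the peer address and interface GUID from the article as defaults; the etl2pcapng.exe install path, the capture duration and the timestamped file names are assumptions you should adjust. It must be run from an elevated (Administrator) PowerShell session, since netsh trace requires it.

```powershell
# Added example, not from the Delphix article: run the netsh trace procedure end to end.
# Run from an elevated PowerShell session. Values below marked "assumed" are placeholders.
param(
    [string]$PeerAddress   = '10.1.2.3',                                # host whose traffic to capture (from the article)
    [string]$InterfaceGuid = '{ADED41D1-F51E-45AE-8F37-B9B8C50F8B3E}',  # from 'netsh trace show interfaces' (from the article)
    [string]$Etl2PcapngExe = 'C:\Tools\etl2pcapng\x64\etl2pcapng.exe',  # assumed install path; adjust to yours
    [string]$OutputDir     = "$env:TEMP\NetTraces",                     # same directory netsh uses by default
    [int]$DurationSeconds  = 60,                                        # assumed capture window
    [int]$MaxSizeMB        = 750,
    [int]$TruncateBytes    = 300
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$etlFile = Join-Path $OutputDir "NetTrace-$stamp.etl"
$pcapng  = Join-Path $OutputDir "NetTrace-$stamp.pcapng"

# Step 1: confirm the interface GUID is one netsh actually lists before starting a session.
$ifaces = netsh trace show interfaces
if (-not ($ifaces | Select-String -SimpleMatch -Pattern $InterfaceGuid)) {
    throw "Interface $InterfaceGuid is not listed by 'netsh trace show interfaces'"
}

# Step 2: start the capture with the same options as the article. tracefile= directs the
# output to a timestamped file instead of the default NetTrace.etl, so repeated captures
# do not overwrite each other.
netsh trace start capture=yes report=disabled captureType=physical `
    maxSize=$MaxSizeMB fileMode=single tracefile="$etlFile" `
    CaptureInterface="$InterfaceGuid" IPv4.Address=$PeerAddress `
    PacketTruncateBytes=$TruncateBytes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    Write-Host "Capturing traffic to/from $PeerAddress for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Step 3: always stop the session, even if something above failed; a trace left
    # running keeps writing until maxSize is reached. 'netsh trace show status' reports
    # whether a session is still active, and 'netsh trace stop' clears it by hand.
    netsh trace stop | Out-Null
}

# Step 4: convert ETL to pcapng for Wireshark.
if (-not (Test-Path $Etl2PcapngExe)) {
    throw "etl2pcapng.exe not found at $Etl2PcapngExe; download it from https://github.com/microsoft/etl2pcapng"
}
& $Etl2PcapngExe $etlFile $pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }

Write-Host "Capture written to $pcapng"
# netsh cannot filter on TCP port, so narrow the result in Wireshark with a display
# filter such as: ip.addr == 10.1.2.3 && tcp.port == <port>
```

The try/finally around the sleep is the part worth keeping even if you trim the rest: the capture file is written under the profile of whoever ran the trace and only truncates packets, it does not redact them, so bounding the session and stopping it deterministically limits how much data (including any cleartext payload) ends up on disk. Check `netsh trace show status` afterwards if you are unsure the session was closed.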
