    Capturing network packets on Windows machines when using Wireshark is not an option

    Kurian Kuruvilla

    Wireshark is a convenient tool for capturing network packets on Windows machines, but it is generally not installed on production machines. This article lists two built-in alternatives, Packet Monitor (pktmon) and netsh trace, that write an .etl trace file which can later be converted and opened in Wireshark elsewhere.

    Packet Monitor (pktmon)

    Documentation - https://docs.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon
    To start packet capture -

    pktmon start -c -f E:\temp\PktMon.etl


    To stop packet capture -

    pktmon stop


    To convert the output file to pcapng format so that it can be opened in Wireshark -

    pktmon etl2pcap <output file from the previous step, e.g. E:\temp\PktMon.etl>


    netsh trace

    Documentation - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)

    To start packet capture -

    netsh trace start capture=yes tracefile=E:\temp\PktMon.etl


    To stop packet capture -

    netsh trace stop


    To convert the output file (the .etl trace written by the start command; the example below uses the name Netsh.etl) to pcapng format so that it can be opened in Wireshark, use etl2pcapng.exe from https://github.com/microsoft/etl2pcapng.

    etl2pcapng.exe Netsh.etl Netsh.pcapng
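    The following PowerShell script is an added example, not code from the original article, that strings the steps above for either tool into one timed, unattended capture: start, wait, stop (even on Ctrl+C), convert to pcapng and hash the result. The pktmon and netsh commands are the ones shown in the article; the output directory, the optional port filter (pktmon's `filter add`, which the article does not cover), the `-o` switch on `pktmon etl2pcap`, and the location of etl2pcapng.exe are assumptions.

```powershell
<#
  Timed, unattended packet capture on a Windows host with no Wireshark installed.
  Added example, not code from the original article. It wraps the same pktmon / netsh
  commands the article shows; paths, the -Port filter, '-o' on etl2pcap and the
  etl2pcapng location are assumptions stated inline. Run from an elevated prompt.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateSet('pktmon', 'netsh')]
    [string]$Tool = 'pktmon',
    [string]$OutDir = 'C:\Temp\capture',                  # constructed example path
    [int]$DurationSeconds = 60,
    [int]$Port = 0,                                       # pktmon only: 0 = no port filter
    [string]$Etl2PcapngPath = 'C:\Tools\etl2pcapng.exe'   # assumed install location
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl    = Join-Path $OutDir "$Tool-$stamp.etl"
$pcapng = [IO.Path]::ChangeExtension($etl, '.pcapng')

# Run a native executable and fail loudly on a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

try {
    if ($Tool -eq 'pktmon') {
        # Clear stale filters first so an old filter does not silently narrow this capture,
        # then add an optional port filter (syntax from pktmon's own help, not the article).
        pktmon.exe filter remove | Out-Null
        if ($Port -gt 0) {
            Invoke-Native 'pktmon.exe' @('filter', 'add', 'PortFilter', '-p', "$Port")
        }
        # Same as the article: -c capture packets, -f output file.
        Invoke-Native 'pktmon.exe' @('start', '-c', '-f', $etl)
    }
    else {
        Invoke-Native 'netsh.exe' @('trace', 'start', 'capture=yes', "tracefile=$etl")
    }
    Write-Output "Capturing with $Tool for $DurationSeconds s -> $etl"
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the session, including on Ctrl+C, so a forgotten trace does not keep
    # writing to disk on a production host. netsh trace stop also emits a .cab of system info.
    if ($Tool -eq 'pktmon') { pktmon.exe stop | Out-Null } else { netsh.exe trace stop | Out-Null }
}

# Convert to pcapng so the file can be opened in Wireshark on an analysis workstation.
if ($Tool -eq 'pktmon') {
    # '-o' names the output file (pktmon etl2pcap help); the article's form omits it.
    Invoke-Native 'pktmon.exe' @('etl2pcap', $etl, '-o', $pcapng)
}
else {
    if (-not (Test-Path $Etl2PcapngPath)) { throw "etl2pcapng.exe not found at $Etl2PcapngPath" }
    Invoke-Native $Etl2PcapngPath @($etl, $pcapng)
}

# Record a SHA-256 of the capture before it leaves the host (chain of custody for the evidence).
$hash = Get-FileHash -Path $pcapng -Algorithm SHA256
"$($hash.Hash)  $pcapng" | Out-File -FilePath "$pcapng.sha256" -Encoding ascii
Write-Output "Done: $pcapng ($((Get-Item $pcapng).Length) bytes), SHA-256 $($hash.Hash)"
```

    Invoke it as, for example, `.\Capture-Offline.ps1 -Tool pktmon -Port 443 -DurationSeconds 120` or `.\Capture-Offline.ps1 -Tool netsh`. The stop is placed in a `finally` block because an orphaned trace session is the usual failure on a production box: it keeps consuming disk long after the operator has moved on. Expect `netsh trace stop` to take noticeably longer than `pktmon stop`, since it also collects the .cab report, and copy the .pcapng together with its .sha256 file off the host rather than analysing on the server.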

