Wireshark is a convenient tool for capturing network packets on Windows machines, but it is generally not installed on production machines. This article lists a couple of built-in alternatives whose output can still be opened in Wireshark.
Packet Monitor (pktmon)
Documentation - https://docs.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon
To start packet capture -
pktmon start -c -f E:\temp\PktMon.etl
To stop packet capture -
pktmon stop
To convert the output file to pcapng format so that it can be opened in Wireshark (pass the .etl file written in the first step) -
pktmon etl2pcap E:\temp\PktMon.etl
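The pktmon procedure above as one PowerShell function, added here as an example and not taken from the original article: it checks for an elevated shell, captures for a fixed number of seconds (optionally only one port), always stops the capture, and converts the result for Wireshark. It assumes pktmon is on PATH, and that the `pktmon filter add -p` and `pktmon etl2pcap --out` options behave as in the Microsoft documentation linked above.

```powershell
# Added example (not from the original post): wrapper around the pktmon steps.
# Assumptions: pktmon on PATH (Windows 10 2004+ / Server 2019+), elevated shell,
# 'pktmon filter add -p <port>' and 'pktmon etl2pcap --out' as documented.
function Invoke-PktmonCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OutputDirectory,
        [int] $DurationSeconds = 60,
        [int] $Port                      # optional: capture only this TCP/UDP port
    )

    # pktmon refuses to start a capture from a non-elevated shell; fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'pktmon needs an elevated (Administrator) shell.'
    }

    New-Item -ItemType Directory -Force -Path $OutputDirectory | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl    = Join-Path $OutputDirectory "PktMon-$stamp.etl"
    $pcapng = Join-Path $OutputDirectory "PktMon-$stamp.pcapng"

    # Clear any filter left over from an earlier session so it cannot silently
    # drop the traffic you are trying to see, then add the requested one.
    pktmon filter remove | Out-Null
    if ($PSBoundParameters.ContainsKey('Port')) {
        pktmon filter add -p $Port | Out-Null
    }

    try {
        pktmon start -c -f $etl | Out-Null        # same command as in the article
        if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit $LASTEXITCODE)" }
        Start-Sleep -Seconds $DurationSeconds
    }
    finally {
        pktmon stop | Out-Null                    # always stop, even if interrupted
        pktmon filter remove | Out-Null           # leave no filter behind on the host
    }

    # Convert the .etl to .pcapng so it opens directly in Wireshark.
    pktmon etl2pcap $etl --out $pcapng | Out-Null
    if (-not (Test-Path $pcapng)) { throw "Conversion failed; inspect $etl" }
    Get-Item $pcapng
}

# Two-minute capture of DNS traffic into E:\temp (the article's folder):
# Invoke-PktmonCapture -OutputDirectory 'E:\temp' -DurationSeconds 120 -Port 53
```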
Netsh
Documentation - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)
To start packet capture -
netsh trace start capture=yes tracefile=E:\temp\Netsh.etl
To stop packet capture -
netsh trace stop
To convert the output file to pcapng format so that it can be opened in Wireshark, use etl2pcapng.exe from https://github.com/microsoft/etl2pcapng (netsh cannot do this conversion itself) -
etl2pcapng.exe E:\temp\Netsh.etl E:\temp\Netsh.pcapng