Capturing network packets on Windows machines when using Wireshark is not an option


    Kurian Kuruvilla

    Wireshark is a convenient tool for capturing network packets on Windows machines, but it is generally not installed on production machines. This article lists a couple of alternatives that ship with Windows and produce captures you can still open in Wireshark.

    Packet Monitor (pktmon)

    Documentation - https://docs.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon
    To start packet capture -

    pktmon start -c -f E:\temp\PktMon.etl


    To stop packet capture -

    pktmon stop


    To convert the output file to pcapng format so that it can be opened in Wireshark -

    pktmon etl2pcap <output file from the previous step>


    Netsh

    Documentation - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)

    To start packet capture -

    netsh trace start capture=yes tracefile=E:\temp\PktMon.etl


    To stop packet capture -

    netsh trace stop


    To convert the output file to pcapng format so that it can be opened in Wireshark, use etl2pcapng.exe from https://github.com/microsoft/etl2pcapng.

    etl2pcapng.exe Netsh.etl Netsh.pcapng
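    The two procedures above (pktmon and netsh) are the same three steps: start, wait, stop, then convert the .etl to .pcapng. The following PowerShell script is an added example, not part of the original article, that wraps both methods in one function, runs the capture for a fixed window, converts the result and records its size and SHA-256 hash so the file can be verified after it is copied off the production host to an analysis machine. It assumes an elevated (Administrator) prompt, that etl2pcapng.exe is on PATH or its full path is passed in -Etl2PcapngPath (netsh method only), and it reuses the article's E:\temp output directory as a placeholder. The pktmon options beyond the ones shown in the article (`--pkt-size 0`, which turns off pktmon's default truncation of each packet to its first 128 bytes, `filter add -p` for a port filter and `-o` for the conversion output) and the netsh `maxsize`/`overwrite` parameters are documented options of those tools, but they are not on the page; check `pktmon help` and `netsh trace start help` on the host if its build differs.

```powershell
# Added example (not from the original article): one function that drives either
# pktmon or netsh through start -> wait -> stop -> convert and returns the
# pcapng path with its size and SHA-256 hash.  Run from an elevated prompt.
# Assumptions: etl2pcapng.exe is on PATH (or passed in -Etl2PcapngPath) and
# E:\temp is a placeholder output directory taken from the article.

function Invoke-NativeCommand {
    # Helper: run a native executable and fail loudly on a non-zero exit code,
    # so a silent capture failure cannot be mistaken for an empty network.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Start-TimedCapture {
    [CmdletBinding()]
    param(
        [ValidateSet('pktmon', 'netsh')]
        [string]$Method = 'pktmon',
        [int]$Seconds = 60,
        [string]$OutputDir = 'E:\temp',              # placeholder path from the article
        [string]$Etl2PcapngPath = 'etl2pcapng.exe',  # assumption: on PATH (netsh method only)
        [int]$Port = 0                               # optional pktmon port filter, 0 = capture everything
    )

    if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl    = Join-Path $OutputDir "$Method-$stamp.etl"
    $pcapng = [System.IO.Path]::ChangeExtension($etl, '.pcapng')

    switch ($Method) {
        'pktmon' {
            if (-not (Get-Command pktmon -ErrorAction SilentlyContinue)) {
                throw 'pktmon.exe not found on this build; try -Method netsh'
            }
            # Clear filters left behind by an earlier session, then optionally
            # narrow the capture to one port so the trace stays small.
            Invoke-NativeCommand pktmon @('filter', 'remove')
            if ($Port -gt 0) { Invoke-NativeCommand pktmon @('filter', 'add', '-p', "$Port") }
            # --pkt-size 0 keeps whole packets; the default keeps only the first 128 bytes.
            Invoke-NativeCommand pktmon @('start', '-c', '--pkt-size', '0', '-f', $etl)
            try {
                Start-Sleep -Seconds $Seconds
            } finally {
                # Always stop the capture, even if the wait is interrupted with Ctrl+C.
                Invoke-NativeCommand pktmon @('stop')
                Invoke-NativeCommand pktmon @('filter', 'remove')
            }
            Invoke-NativeCommand pktmon @('etl2pcap', $etl, '-o', $pcapng)
        }
        'netsh' {
            # maxsize (MB) bounds the trace file; overwrite=yes avoids failing on a leftover file.
            Invoke-NativeCommand netsh @('trace', 'start', 'capture=yes', "tracefile=$etl", 'maxsize=512', 'overwrite=yes')
            try {
                Start-Sleep -Seconds $Seconds
            } finally {
                # netsh trace stop can take a while; it also writes a .cab of system information next to the .etl.
                Invoke-NativeCommand netsh @('trace', 'stop')
            }
            Invoke-NativeCommand $Etl2PcapngPath @($etl, $pcapng)
        }
    }

    if (-not (Test-Path $pcapng)) { throw "conversion did not produce $pcapng" }
    # Size and hash let the analyst confirm the file arrived intact after transfer.
    [pscustomobject]@{
        Method = $Method
        Etl    = $etl
        Pcapng = $pcapng
        Bytes  = (Get-Item $pcapng).Length
        Sha256 = (Get-FileHash -Algorithm SHA256 -Path $pcapng).Hash
    }
}

# Usage (elevated prompt): a two-minute pktmon capture limited to port 443,
# and the same window with netsh on a host whose build lacks pktmon.
# Start-TimedCapture -Method pktmon -Seconds 120 -Port 443
# Start-TimedCapture -Method netsh  -Seconds 120 -Etl2PcapngPath 'C:\tools\etl2pcapng.exe'
```

    The try/finally around the wait matters on a production host: if the operator aborts the script, the capture is still stopped rather than left running and growing on disk. The returned object is what you would paste into an incident ticket alongside the file, so the hash can be checked on the analysis machine with Get-FileHash before the capture is opened in Wireshark.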
