Thursday, October 3, 2024

Capturing packets on a Windows server without installing anything

Ever wanted to do a packet capture (pcap) on a Windows server, but didn't have permission to install an app like Wireshark? Here's how you do it:

  1. Start an elevated Command Prompt or PowerShell terminal.
  2. Run `netsh trace start capture=yes tracefile=C:\temp\packetcapture.etl`
  3. Wait until you believe the desired packets have been captured, or reproduce the issue you want to capture.
  4. Run `netsh trace stop`
  5. Your packet capture file will be in `C:\temp`, called `packetcapture.etl`. You'll need to convert this into a file that Wireshark can open. In the past, you could open it with Microsoft Message Analyzer, but it isn't available anymore. You can use Microsoft's etl2pcapng tool to convert it. Simply download the release and run:
     `etl2pcapng.exe in.etl out.pcapng`
     where `in.etl` points to the file output from your trace and `out.pcapng` points to the place where you want your output file to go.
There are filters you can apply to the netsh command if needed. But I've found the filtering in Wireshark to be easier/better. 
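The five steps above, wrapped in one PowerShell script so the trace is always stopped and the output is converted and locked down in a single run. This is an added example, not code from the original post; it assumes netsh.exe is on PATH (it ships with Windows) and that etl2pcapng.exe has been downloaded to the hypothetical path in `$Etl2Pcapng`.

```powershell
# Added example (not from the original post). Assumes etl2pcapng.exe has been
# unpacked to the path in $Etl2Pcapng (hypothetical location; adjust to taste).
#Requires -RunAsAdministrator
param(
    [string]$TraceFile  = 'C:\temp\packetcapture.etl',
    [string]$Etl2Pcapng = 'C:\temp\etl2pcapng.exe',
    [int]$Seconds       = 60,     # how long to capture before stopping
    [int]$MaxSizeMB     = 250     # netsh rolls the trace file over at this size
)

$pcapng = [System.IO.Path]::ChangeExtension($TraceFile, '.pcapng')
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Step 2: start the capture. maxsize= keeps a long-running trace from filling
# the disk, overwrite=yes replaces a stale file from an earlier run, and
# report=no skips the slow diagnostic report netsh otherwise builds on stop.
& netsh trace start capture=yes "tracefile=$TraceFile" "maxsize=$MaxSizeMB" overwrite=yes report=no
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    # Step 3: reproduce the issue while this waits.
    Write-Host "Capturing to $TraceFile for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Step 4: always stop the trace, even on Ctrl+C; otherwise the ETW
    # session keeps writing in the background after the script exits.
    & netsh trace stop | Out-Null
}

# Step 5: convert the ETL to pcapng so Wireshark can open it.
if (-not (Test-Path $Etl2Pcapng)) { throw "etl2pcapng.exe not found at $Etl2Pcapng" }
& $Etl2Pcapng $TraceFile $pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed ($LASTEXITCODE)" }

# The capture holds whatever cleartext crossed the wire, so restrict it to
# Administrators and SYSTEM before it is copied off the server.
$acl = Get-Acl $pcapng
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pcapng -AclObject $acl
Write-Host "Wrote $pcapng"
```

Run it from an elevated PowerShell as `.\capture.ps1 -Seconds 120` while reproducing the problem; the resulting `.pcapng` can then be filtered in Wireshark as usual.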
