/ Insights / Netsh Packet Captures Insights Netsh Packet Captures December 14, 2017 ConcurrencyA common troubleshooting step is collecting a packet capture to see what’s happening at the network level. Perhaps you’re trying to track down a port blocked by a firewall or a connection that just isn’t working right. For this, many people would install Wireshark, Microsoft Network Monitoring (netmon), or Microsoft Message Analyzer. However, Server 2008 R2 and newer includes the ability to collect packet captures using the native netsh tool without any additional installations. With many environments under strict change control, this is a quick and easy way to get what you need. Here, we’ll cover the process for collecting and analyzing a packet capture with netsh. PrerequisitesServer 2008 R2 or newer on the serverAdministrator access on the serverMicrosoft Message Analyzer installed on your client machine to analyze the fileNetsh outputs an ETL file that can only be analyzed by Microsoft Message Analyzer. You can use Message Analyzer to convert the ETL to a .cap file for use in Wireshark if desired. Run a TraceTo run a trace, open CMD as administrator, and run the following command:netsh trace start capture=yes report=no maxSize=512 traceFile=c:\temp\trace-output.etl Explanation of options:Netsh trace start – base command to start the tracecapture=yes – specifies that we want to capture packetsreport=no – specifies that we do not need an auto-generated HTML reportmaxSize=512 – sets the maximum trace file size to 512 MBtraceFile=c:\temp\trace-output.etl – specifies the file path you want to save the output to Besides these, there are some optional settings available:ipv4.address=x.x.x.x – this will limit the capture to a specific IP address (source or destination)persistent=yes – this will make the trace persist across reboots (by default they stop when the server is rebooted)scenario=<scenario> – netsh has a handful of built-in scenarios to automatically filer for specific types of traffic. Use the netsh trace show scenarios command to see what’s available.Starting and stopping a netsh trace session To stop the trace, run:netsh trace stopThis does not have to be run in the same CMD window as the trace session is not tied to the CMD session. Analyze the TraceTo analyze the resulting ETL file, follow these steps:Copy the file to your workstation that has Microsoft Message Analyzer installedOpen Microsoft Message AnalyzerOn the start page, click the Open button, find the ETL file you copied, and open itTo export the results to a .cap file that you can open with Wireshark (or other .cap viewer), click File > Save As > Export, and then choose where to save the .cap file to.To analyze the results directly in Message Analyzer, use these tips:Select Layout > Network > Network Monitor to show networking-related columnsEnter the filter “*Port == 80” (including the asterisk) to find all messages with a source or destination port of 80Enter the filter “ipv4.Address == 22.214.171.124” to find all messages with a source or destination IP address of 126.96.36.199There are many different view and filtering options available. The Field Chooser on the right will help you sort through them.Analyzing the trace output file in Microsoft Message Analyzer For more information about Netsh Packet Captures, see the official documentation.