Insights Netsh Packet Captures

Netsh Packet Captures

A common troubleshooting step is collecting a packet capture to see what’s happening at the network level.  Perhaps you’re trying to track down a port blocked by a firewall or a connection that just isn’t working right.  For this, many people would install Wireshark, Microsoft Network Monitoring (netmon), or Microsoft Message Analyzer.  However, Server 2008 R2 and newer includes the ability to collect packet captures using the native netsh tool without any additional installations.  With many environments under strict change control, this is a quick and easy way to get what you need.  Here, we’ll cover the process for collecting and analyzing a packet capture with netsh.

  • Server 2008 R2 or newer on the server
  • Administrator access on the server
  • Microsoft Message Analyzer installed on your client machine to analyze the file
    • Netsh outputs an ETL file that can only be analyzed by Microsoft Message Analyzer.  You can use Message Analyzer to convert the ETL to a .cap file for use in Wireshark if desired. 

Run a Trace
To run a trace, open CMD as administrator, and run the following command:
netsh trace start capture=yes report=no maxSize=512 traceFile=c:\temp\trace-output.etl
Explanation of options:

  • Netsh trace start – base command to start the trace
  • capture=yes – specifies that we want to capture packets
  • report=no – specifies that we do not need an auto-generated HTML report
  • maxSize=512 – sets the maximum trace file size to 512 MB
  • traceFile=c:\temp\trace-output.etl – specifies the file path you want to save the output to

Besides these, there are some optional settings available:

  • ipv4.address=x.x.x.x – this will limit the capture to a specific IP address (source or destination)
  • persistent=yes  – this will make the trace persist across reboots (by default they stop when the server is rebooted)
  • scenario=<scenario> – netsh has a handful of built-in scenarios to automatically filer for specific types of traffic.  Use the netsh trace show scenarios command to see what’s available.

Starting and stopping a netsh trace session
To stop the trace, run:
netsh trace stop
This does not have to be run in the same CMD window as the trace session is not tied to the CMD session.
Analyze the Trace
To analyze the resulting ETL file, follow these steps:

  1. Copy the file to your workstation that has Microsoft Message Analyzer installed
  2. Open Microsoft Message Analyzer
  3. On the start page, click the Open button, find the ETL file you copied, and open it
  4. To export the results to a .cap file that you can open with Wireshark (or other .cap viewer), click File > Save As > Export, and then choose where to save the .cap file to.
  5. To analyze the results directly in Message Analyzer, use these tips:
    1. Select Layout > Network > Network Monitor to show networking-related columns
    2. Enter the filter “*Port == 80” (including the asterisk) to find all messages with a source or destination port of 80
    3. Enter the filter “ipv4.Address ==” to find all messages with a source or destination IP address of
    4. There are many different view and filtering options available.  The Field Chooser on the right will help you sort through them.

Analyzing the trace output file in Microsoft Message Analyzer
For more information about Netsh Packet Captures, see the official documentation.