
HOW TO: Gather a packet capture without installing Wireshark

In yesterday’s article, I talked about using MessageAnalyzer (successor to Microsoft Network Monitor) to open network files with no known extensions and then exporting the file in a format that Wireshark can use to present the data.

As I mentioned in last week’s article, “networking issues can be a more difficult topic to troubleshoot with someone remotely, since most of the conversation may feel like we have 2 people talking a completely different language. I am not sure why, but people really get uncomfortable typing basic commands or even running a packet capture with Wireshark, even though there are a lot of great and helpful YouTube videos. We just make better decisions when we have data that supports our theory, so I do my best to gather it.”

Today, I want to go over how you can gather a network packet capture without installing any packet sniffer software like Wireshark or NetMon. On Windows Server 2008 and later, you can use netsh to gather a network trace.

Without installing any software, open a cmd prompt and type the following:

netsh trace start capture=yes scenario=internetclient maxsize=4096 report=yes tracefile=test3.etl ipv4.address=

Note: (Destination IP address) is my IP address for the web server for my blog.

Next, after you start the trace, open a web browser and type in (or the destination that you are trying to access).

This is a key point: start the trace first, then attempt to access the destination, so that the capture includes the three-way TCP handshake (SYN, SYN/ACK, ACK).

When you are done testing, type netsh trace stop to end the trace. It will save the files as shown here:
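The same start / reproduce / stop sequence, as an added PowerShell example that is not part of the original post. It assumes an elevated (Administrator) PowerShell session on Windows 7 / Server 2008 R2 or later (netsh trace will not start from a non-elevated prompt), and it uses a placeholder address from the TEST-NET-3 documentation range in place of the author's web server; replace the placeholder values before running it. The netsh parameters used are the ones from the post plus overwrite=yes.

```powershell
# Added example (not from the original post): run the netsh trace workflow end to end.
# Assumptions: elevated PowerShell 5.1+ on Windows 7 / Server 2008 R2 or later.
# $TargetIp and $TargetUrl are placeholders (203.0.113.0/24 is reserved for documentation).

$TargetIp  = '203.0.113.10'          # placeholder, not the author's server address
$TargetUrl = 'http://203.0.113.10/'  # placeholder URL to request while the trace is running
$TraceFile = Join-Path $env:TEMP 'test3.etl'

# netsh trace start fails silently-ish without elevation, so check up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# 1. Start the trace BEFORE generating traffic so the TCP three-way handshake is captured.
#    ipv4.address= limits the capture to packets to/from the target, which keeps the .etl
#    small and avoids sweeping up unrelated traffic from other applications on the host.
netsh trace start capture=yes scenario=internetclient maxsize=4096 report=yes `
    tracefile="$TraceFile" ipv4.address=$TargetIp overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    # 2. Reproduce the problem: a TCP connect plus an HTTP request to the target.
    #    Test-NetConnection needs Windows 8 / Server 2012 or later; on older systems,
    #    use the browser step from the post instead.
    $tcp = Test-NetConnection -ComputerName $TargetIp -Port 80 -WarningAction SilentlyContinue
    "TCP port 80 reachable: $($tcp.TcpTestSucceeded)"
    try {
        $resp = Invoke-WebRequest -Uri $TargetUrl -UseBasicParsing -TimeoutSec 15
        "HTTP status: $($resp.StatusCode)"
    } catch {
        # A failed request is still useful evidence; the packets are in the trace either way.
        "HTTP request failed: $($_.Exception.Message)"
    }
}
finally {
    # 3. Always stop the trace, even if the test above threw; an unstopped trace keeps
    #    writing until it is stopped or the maxsize circular buffer wraps.
    netsh trace stop
}

# 4. Show what was written: the .etl capture and, because of report=yes, a .cab of
#    supporting diagnostic data (network configuration and event logs). Review the .cab
#    before sending it outside your organization; it describes the host in some detail.
Get-ChildItem -Path (Split-Path $TraceFile) -Filter 'test3.*' |
    Select-Object Name, Length, LastWriteTime
```

One caveat the post predates: Microsoft retired Message Analyzer in November 2019 and no longer offers it for download. Microsoft's open-source etl2pcapng tool (not described in the post) converts the .etl produced by netsh trace into a .pcapng file that Wireshark opens directly, which replaces the export steps that follow.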

Here are the files from the trace:

Now you can right-click them and notice that MessageAnalyzer sees them:

Notice how MessageAnalyzer sees my destination:

Now it will load in MessageAnalyzer and then you can export it.

Then you can save it as a .cap file:

Then you can open that file with Wireshark:
