Packet capture, built in to Windows


Sometimes when you are working in secure environments, you can’t just go installing software. But if you need a packet capture, and it’s a Windows server, then what? If you can’t install Wireshark, you can capture with the built-in netsh tool and analyse the result with Microsoft Network Monitor.

The capturing is done via a command-line tool (netsh), which is already present on the server. Once you export the file, you then use Microsoft software on your own machine to analyse it – it’s very similar to Wireshark in functionality, but uses a “.etl” file instead of a pcap.

To get the capture, launch a command prompt with admin rights, and enter the following sequence of commands:

netsh
trace
start scenario=LAN capture=yes

Do whatever you need to capture, and enter:

stop

It will give you the location of the .etl file. If you enter “show scenarios”, that will show you some other things you can trace against, but for everything I’ve ever needed, LAN has been sufficient.

Export the file over RDP shared folders or whatever means you like, and then open it on your machine using Microsoft Network Monitor – available at: http://www.microsoft.com/en-us/download/details.aspx?id=4865
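The same start/stop sequence as a non-interactive PowerShell script, added here as an example (not from the original post): it fixes the .etl location and size up front and records a hash before the file is exported, so the copy opened in Network Monitor can be checked against the original. It assumes an elevated PowerShell session; the output path, size limit and capture duration are placeholder assumptions.

```powershell
# Added example, not from the original post: runs the netsh trace sequence
# non-interactively so the capture file lands in a known place.
# Assumptions: elevated PowerShell on a Windows server; the path, size cap
# and duration below are placeholders to adjust.

$TraceFile = Join-Path $env:SystemDrive 'Temp\lan-capture.etl'   # assumed path
$MaxSizeMB = 250                                                  # assumed cap
$Seconds   = 120                                                  # assumed duration

$null = New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force

# Same as the interactive "netsh > trace > start scenario=LAN capture=yes",
# plus tracefile= so we know where the .etl goes and maxsize= so the capture
# cannot fill the system drive.
netsh trace start scenario=LAN capture=yes tracefile="$TraceFile" maxsize=$MaxSizeMB overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing for $Seconds seconds; reproduce the issue now."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session, otherwise it keeps writing after the script exits.
    netsh trace stop
}

if (-not (Test-Path $TraceFile)) { throw "Expected capture file not found: $TraceFile" }

# Record size and SHA-256 before the file is copied off the box, so the copy
# opened in Network Monitor can be verified against the original.
$item = Get-Item $TraceFile
$hash = Get-FileHash -Path $TraceFile -Algorithm SHA256
[pscustomobject]@{
    File   = $item.FullName
    SizeMB = [math]::Round($item.Length / 1MB, 1)
    SHA256 = $hash.Hash
}
```

If the capture needs to run until something happens rather than for a fixed time, replace the Start-Sleep with a Read-Host prompt and leave the try/finally in place so the trace is still stopped.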

When I first installed this program, I had to change a setting to make it work properly: Go to Tools / Options / Parser Profiles, right click on “Windows” and select “Set as Active”.

I’d still much prefer a pcap, but in a pinch this has helped.
