Packet capture, built in to Windows

Thu 14 January 2016

Sometimes when you are working in secure environments, you can't just go installing software. But if you need a packet capture and it's a Windows server, then what? If you can't install Wireshark, you can use the built-in netsh trace facility to capture, and Microsoft Network Monitor to read the result.

The capturing is done via a command-line tool. Once you export the file, you then have to use some Microsoft software to analyse it - it's very similar to Wireshark in functionality, but uses an ".etl" file instead of a pcap.

To get the capture, launch a command prompt with admin rights, and enter the following command (netsh trace start with the LAN scenario and packet capture enabled):

    netsh trace start scenario=LAN capture=yes

Do whatever you need to capture, and then enter:

    netsh trace stop
It will print the location of the .etl file. If you enter "netsh trace show scenarios", that will list some other things you can trace against, but for everything I've ever needed, LAN has been sufficient.
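The same start/stop procedure wrapped in PowerShell, as an added example that is not part of the original post: it pins the capture to a known file path with a size cap so the trace can't fill the disk, and parses the output of netsh trace stop for the .etl location instead of relying on reading it off the screen. The netsh options tracefile, maxSize and overwrite are real netsh trace parameters; the function names, the default path under $env:TEMP and the regular expression used to find the "File location" line are this script's own assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): a thin PowerShell wrapper around
# "netsh trace start/stop". Assumes an elevated session; netsh refuses otherwise.

function Start-NetshCapture {
    param(
        # Assumed default: write the trace somewhere predictable so it is easy to export later.
        [string]$TraceFile = (Join-Path $env:TEMP 'lan-capture.etl'),
        # maxSize is in megabytes; the trace wraps when it is reached, so the file stays bounded.
        [int]$MaxSizeMB = 250
    )
    $output = netsh trace start scenario=LAN capture=yes tracefile="$TraceFile" maxSize=$MaxSizeMB overwrite=yes 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed (are you running elevated?):`n$output"
    }
    return $TraceFile
}

function Stop-NetshCapture {
    # "netsh trace stop" correlates the trace (this can take a while) and then prints
    # a line of the form "File location = C:\...\something.etl".
    $output = netsh trace stop 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed:`n$output"
    }
    # Assumption: the path is reported on a "File location = ..." line.
    if ($output -match 'File location\s*=\s*(?<path>.+?\.etl)') {
        $path = $Matches['path'].Trim()
        if (-not (Test-Path $path)) { throw "netsh reported $path but the file does not exist" }
        return Get-Item $path
    }
    throw "Could not find the .etl path in netsh output:`n$output"
}

# Usage: start, reproduce the problem, stop, then export the reported file.
$started = Start-NetshCapture -TraceFile 'C:\Temp\lan-capture.etl' -MaxSizeMB 100
Write-Host "Capturing to $started - reproduce the issue, then press Enter to stop"
[void](Read-Host)
$etl = Stop-NetshCapture
Write-Host ("Capture written: {0} ({1:N1} MB)" -f $etl.FullName, ($etl.Length / 1MB))
```

The size cap matters on a server you don't own: an unbounded LAN capture on a busy box grows fast, and the default location under the admin's profile is easy to forget to clean up afterwards, so choose the path deliberately and delete the file once it has been copied off.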

Export the file over RDP shared folders or whatever means you like, and then open it on your machine using Microsoft Network Monitor - available at:

When I first installed this program, I had to change a setting to make it work properly: go to Tools / Options / Parser Profiles, right-click on "Windows" and select "Set as Active".

I'd still much prefer a pcap, but in a pinch this has helped.
