Network Packet Trace with Netsh and analysis with Wireshark

So when you are working on a production workload and something is not right with the network on that Windows VM, what do you do? Wireshark to the rescue? well no… not quite, I wouldn’t install that on a production server since it installs WinPcap/NpCap which is an NDIS filter driver on the network card. Secondly, I might be working in a pretty locked down environment where I might not have access to download and install wireshark at all, and why should I since I have built-in functionality in Windows?

In Windows there is a feature called netsh  which is a command-line scripting utility that allows you to display or modify the network configuration of a computer. It can also be used to collect network packet traces.

netsh can be configured using the following commands to generate a network trace on a specific Windows VM

netsh trace start capture=yes tracefile=c:\net.etl persistent=yes maxsize=4096

(NOTE: With the persistent=yes it means that the traffic capture will persist after reboots and will only stop when someone runs a netsh stop command)

One issue with Netsh is that it generated ETL files, which are not a file format that Wireshark supports. Luckily, someone from Microsoft has created a CLI tool called etl2pcapng which does the conversion from ETL to PCAP, which can be found here –> microsoft/etl2pcapng: Utility that converts an .etl file containing a Windows network packet capture into .pcapng format. (github.com)

Then by running the command line tool

etl2pcapng.exe in.etl out.pcapng

And voila! happing traffic inspecting!

Leave a Reply

Scroll to Top