Networking/Computing Tips/Tricks

A frequent visitor here will know that we have many articles discussing netsh, the command-line shell/scripting tool in Windows. The tool was originally introduced in Windows 2000. If you aren't a regular, click 'netsh' in the tag cloud to see them all.

This article discusses how you can use the 'netsh trace' context to perform a packet capture from the command line in Windows. The trace context and its capture=yes option have shipped with Windows since Windows 7 and Server 2008 R2, so on those and later versions you do not need to install a capture tool on the machine: the OS itself does the capturing.

To analyze and view the packets, you need a tool, and our favorite is Wireshark, of course!

Here is how to use netsh to accomplish this task.  

[Note: netsh trace needs an elevated prompt. Open the command prompt or PowerShell with Run as Administrator, otherwise the start command will fail.]

We begin by examining the help screen with the following command:

netsh trace start ?

[Screenshot: netsh trace1]

You can see there are many options.

To do a simple trace/capture we will use the following command:

netsh trace start capture=yes traceFile="c:\netsh_trace.cap"

[Screenshot: netsh trace2]

The capture runs in the background: the prompt returns immediately and packets keep being written until you stop the trace. By default the file is capped at 250 MB in circular mode, so a forgotten capture wraps around rather than filling the disk. Note that netsh writes the Event Trace Log (ETL) format whatever extension you give the file; the .cap name above does not make it a libpcap file.

To stop the capture, use the following command:

netsh trace stop

Stopping takes several minutes: netsh correlates and merges the event logs and then compiles a .cab of troubleshooting data alongside the trace. Be patient! (Starting the trace with report=disabled skips the report generation step and makes the stop noticeably faster.)

[Screenshot: netsh trace3]

If we look in c:\ we see the files were saved as follows:

[Screenshot: netsh trace4]

And if we try to open either of them in Wireshark, we get the following error, because Wireshark does not read the ETL format that netsh trace writes:

[Screenshot: netsh trace5]

So you have to use something like Microsoft Message Analyzer or the older Microsoft Network Monitor to open the file, and then you can save it as a .cap that Wireshark can read. Message Analyzer has since been retired by Microsoft; the current option is Microsoft's open-source etl2pcapng converter (github.com/microsoft/etl2pcapng), which turns the ETL written by netsh trace directly into a pcapng file that Wireshark opens.
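The whole procedure above (elevated prompt, start the capture, stop it, convert the ETL for Wireshark) as one script. This is an added example, not code from the original article: it names the trace file .etl rather than .cap to reflect the real format, uses report=disabled to shorten the stop, and assumes etl2pcapng.exe is on the PATH; the output paths, duration and the optional IPv4.Address filter value are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): run a netsh trace packet
# capture from an elevated PowerShell prompt, then convert it for Wireshark.
# Assumptions: etl2pcapng.exe is on PATH; paths, duration and filter are placeholders.

param(
    [string]$TraceFile   = 'C:\Temp\netsh_trace.etl',    # netsh writes ETL regardless of extension
    [string]$PcapFile    = 'C:\Temp\netsh_trace.pcapng',
    [int]$DurationSec    = 60,                           # how long to capture before stopping
    [string]$Ipv4Address = ''                            # optional capture filter, e.g. '192.0.2.10'
)

New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

# Build the netsh argument list. maxsize is in MB; filemode=circular keeps the
# newest traffic once the limit is hit; report=disabled skips the slow report step.
$netshArgs = @(
    'trace', 'start', 'capture=yes',
    "tracefile=$TraceFile",
    'maxsize=256', 'filemode=circular', 'overwrite=yes', 'report=disabled'
)
if ($Ipv4Address) { $netshArgs += "IPv4.Address=$Ipv4Address" }   # capture-side filter

& netsh.exe @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    # The capture runs in the background; wait for the requested window.
    Start-Sleep -Seconds $DurationSec
}
finally {
    # Stop even if the wait is interrupted (Ctrl+C); stopping merges the ETL
    # and can take minutes, as the article notes.
    & netsh.exe trace stop
}

# Wireshark cannot open ETL directly; etl2pcapng extracts the packets into pcapng.
if (Get-Command etl2pcapng.exe -ErrorAction SilentlyContinue) {
    & etl2pcapng.exe $TraceFile $PcapFile
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }
    Write-Host "Open $PcapFile in Wireshark."
}
else {
    Write-Warning "etl2pcapng.exe not found; open $TraceFile in Network Monitor or convert it with etl2pcapng."
}
```

Run it from an elevated PowerShell window as `.\netsh-capture.ps1 -DurationSec 120 -Ipv4Address 192.0.2.10` to capture only traffic to or from that host; leave the filter off to capture everything on all interfaces. Because the stop is placed in a `finally` block, pressing Ctrl+C during the wait still stops the trace instead of leaving an orphaned session running (you can check for one with `netsh trace show status`).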

We hope this helps.  

