Networking/Computing Tips/Tricks

A frequent visitor here will know that we have many articles discussing the netsh command line shell/scripting tool in Windows.  The tool was originally introduced in Win2K.  If you aren't a regular - just click on 'netsh' in the tag cloud to see them all.

This article discusses how you can use the 'netsh trace' function to actually perform a packet capture from the command line in Windows.  Technically this means you do not need a capture tool on a Windows machine other than the OS itself.

To analyze and view the packets, you need a tool, and our favorite is Wireshark, of course!

Here is how to use netsh to accomplish this task.  

[Note: you may need to use Run as Administrator to get your system to work correctly]

We begin by examining the help screen with the following command:

netsh trace start ?

netsh trace1


You can see there are many options.

To do a simple trace/capture we will use the following command:

netsh trace start capture=yes traceFile="c:\netsh_trace.cap"

netsh trace2

The capture will run in the background.

To stop the capture, use the following command:

netsh trace stop

It will take several minutes to close.  Be patient!

netsh trace3

If we go and look at my directory c:\ we see the file was saved as follows:

netsh trace4

And if we try to open either of them in Wireshark, we get the following error:

netsh trace5

So you have to use something like Microsoft Message Analyzer ( or the older Microsoft Network Monitor ( to open the file, and then you will be able to export it so you can analyze in Wireshark.

We hope this helps.  


Comments powered by CComment

Find by Tag

4G Networks 5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Ad-Hoc Addressing Analysis Ansible Architecture ARP Assessment AToM Automation Baseline BGP Bloom's Taxonomy Cable cat CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud CMD Company Policy Computer Consulting Data Center Data Networking Dependencies DHCPv6 DNS Docker Documentation Dublin-Traceroute dumpcap Earth Earthquakes ECMP Ethernet Ethics Etiquette Evaluation Field Operations Fragmentation G-MPLS Gauge GeoIP GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 India Internet IoT IPv4 IPv6 IRINN IS-IS L2VPN L3VPN LDP LifeNet Linux LLN LoL M-BGP MAC Macro Microsoft Milky Way mininet Monitoring MPLS mtr MTU Multicast Murphy Name Resolution Netcat NetMon netsh Networking nmap NSE Observations OLPC Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Paris-Traceroute Parrot PIM PMTU Policy POTS POTS to Pipes PPP Profile Project Management PW3E QoS QUIC Railroad Remote Desktop Requirements Resume Review RIP Routing RPL RSVP Rural SDN Security Service Provider Small Business SONET Speed SSL Status Storms Subnetting SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Testing Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Windows Wireless Wireless 5G Wireshark WLAN Writing Zenmap ZigBee

Twitter Feed