A frequent visitor here will know that we have many articles discussing the netsh command line shell/scripting tool in Windows. The tool was originally introduced in Win2K. If you aren't a regular - just click on 'netsh' in the tag cloud to see them all.
This article discusses how you can use the 'netsh trace' function to actually perform a packet capture from the command line in Windows. Technically this means you do not need a capture tool on a Windows machine other than the OS itself.
To analyze and view the packets, you need a tool, and our favorite is Wireshark, of course!
Here is how to use netsh to accomplish this task.
[Note: you may need to use Run as Administrator to get your system to work correctly]
We begin by examining the help screen with the following command:
netsh trace start ?
You can see there are many options.
To do a simple trace/capture we will use the following command:
netsh trace start capture=yes traceFile="c:\netsh_trace.cap"
The capture will run in the background.
To stop the capture, use the following command:
netsh trace stop
It will take several minutes to close. Be patient!
If we go and look at my directory c:\ we see the file was saved as follows:
And if we try to open either of them in Wireshark, we get the following error:
So you have to use something like Microsoft Message Analyzer (now retired – see their web page here:
I hope you find this article and its content helpful. Comments are welcomed below. If you would like to see more articles like this, please support us by clicking the