Networking/Computing Tips/Tricks

A frequent visitor here will know that we have many articles discussing the netsh command line shell/scripting tool in Windows.  The tool was originally introduced in Win2K.  If you aren't a regular - just click on 'netsh' in the tag cloud to see them all.

This article discusses how you can use the 'netsh trace' function to actually perform a packet capture from the command line in Windows.  Technically this means you do not need a capture tool on a Windows machine other than the OS itself.

To analyze and view the packets, you need a tool, and our favorite is Wireshark, of course!

Here is how to use netsh to accomplish this task.  

[Note: you may need to use Run as Administrator to get your system to work correctly]

We begin by examining the help screen with the following command:

netsh trace start ?

netsh trace1


You can see there are many options.

To do a simple trace/capture we will use the following command:

netsh trace start capture=yes traceFile="c:\netsh_trace.cap"

netsh trace2

The capture will run in the background.

To stop the capture, use the following command:

netsh trace stop

It will take several minutes to close.  Be patient!

netsh trace3

If we go and look at my directory c:\ we see the file was saved as follows:

netsh trace4

And if we try to open either of them in Wireshark, we get the following error:

netsh trace5

So you have to use something like Microsoft Message Analyzer ( or the older Microsoft Network Monitor ( to open the file, and then you will be able to export it so you can analyze in Wireshark.

We hope this helps.  


Comments powered by CComment

Find by Tag

4G Networks 5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Addressing Analysis Ansible Architecture ARP AToM Baseline BGP Bloom's Taxonomy Broadband Cable cat CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud CMD Coloring Rules Computer Consulting Customer Support Data Center Data Networking DHCPv6 DNS Docker Documentation Dublin-Traceroute dumpcap ECMP Ethernet Ethics Evaluation Field Operations Fragmentation G-MPLS GeoIP Git GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 India Interface Control Internet IoT IPsec IPv4 IPv6 IRINN IS-IS L2VPN L3VPN LDP Linux LLN LoL M-BGP MAC Macro Microsoft mininet Monitoring MPLS mtr MTU Multicast Name Resolution Netcat Netmiko NetMon netsh Networking Network Science nmap Npcap NSE Observations Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Paris-Traceroute Parrot PIM PMTU Policy POTS POTS to Pipes PPP Profile Programming Project Management PW3E Python QoS QUIC Remote Desktop Requirements Resume RIP Routing RPL RSVP Rural SDN Security Service Provider Small Business SONET Speed SS7 SSH SSL Subnetting SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone termshark Testing TLS Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Windows Winpcap Wireless Wireless 5G Wireshark Wireshark Tip WLAN Writing Zenmap ZigBee

Twitter Feed