Network Traffic Capture Without Installing Any Software

From time to time there is a need to capture network traffic on a server for troubleshooting. Network tools like Wireshark are popular for capturing traffic, but they usually need to be installed on the server, and depending on your security team's rules, getting them installed can take days.

There is an alternative way to capture network traffic on Windows without installing additional software: Netsh trace. Most of you are probably familiar with Netsh for common tasks such as firewall configuration, HTTP listeners and network interface information. Netsh can also be used to collect a network trace.

Open an elevated command prompt or PowerShell and run:

netsh trace -?

This shows the list of parameters, their purpose, examples and other useful information on netsh trace.

To start a simple trace:
netsh trace start capture=yes tracefile=c:\nettrace-example.etl

To stop the trace:
netsh trace stop
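The same start/stop sequence wrapped in a PowerShell script, with the checks you would want before running it on a production server. This is an added example, not from the original post: the trace path, peer address and duration are placeholder parameters, and the extra switches it uses (show status, maxsize, overwrite, IPv4.Address) are standard netsh trace options listed by netsh trace -?.

```powershell
# Added example, not from the original post. Wraps 'netsh trace start' and
# 'netsh trace stop' so the capture is bounded in size and time and is always
# stopped, even if the operator aborts with Ctrl+C.
#Requires -RunAsAdministrator
param(
    [string]$TraceFile = 'C:\nettrace-example.etl',  # same path as in the post
    [string]$PeerAddress = '',                       # optional IPv4 peer to filter on (placeholder)
    [int]$DurationSeconds = 60,                      # how long to capture
    [int]$MaxSizeMB = 250                            # upper bound for the .etl file
)

# netsh allows only one trace session; refuse to start if one is already running.
$status = (netsh trace show status) -join "`n"
if ($status -notmatch 'There is no trace session currently in progress') {
    throw "A netsh trace session is already active:`n$status"
}

# capture=yes records packets, maxsize bounds the file, overwrite=yes replaces an
# old trace at the same path. The optional IPv4.Address filter keeps the capture
# small when only traffic to or from one host is of interest.
$startArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
               "maxsize=$MaxSizeMB", 'overwrite=yes')
if ($PeerAddress) { $startArgs += "IPv4.Address=$PeerAddress" }

& netsh @startArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing for $DurationSeconds s ... reproduce the problem now."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Stopping takes a moment: netsh merges the trace and typically also writes a
    # .cab report next to the .etl, which is what you copy to the netmon machine.
    & netsh trace stop
}

if (Test-Path $TraceFile) {
    $sizeMB = (Get-Item $TraceFile).Length / 1MB
    Write-Host ("Trace written: {0} ({1:N1} MB)" -f $TraceFile, $sizeMB)
}
```

Run it from an elevated PowerShell session on the server; the resulting .etl is the file you copy off for analysis.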

These are the trace files that were generated.

You can copy the trace file to a computer that has Network Monitor (netmon) installed. You may download the software here. Presumably you can at least install it on your own computer without much trouble.

Open netmon and open the trace file.

You may see a parser issue in the description.

For those who paid close attention during the netmon installation, it also prompted you to install the parsers. However, the parser is not active by default. To configure it, go to Tools.

Select Windows and click Set As Active.

Now the descriptions are more useful and ready for troubleshooting and analysis.

That's it! Happy troubleshooting. More information on netmon filters can be found here.
