Capture a network trace with Windows

Tools such as Wireshark or tcpdump are commonly used to analyse network problems. tcpdump in particular is pre-installed in most Linux distributions and can be used straight away. But what do you do in a pure Windows server/client environment?

The problem is exacerbated in production environments, where it is usually not possible to simply install additional software.

Fortunately, Windows also offers a way of recording network traffic with on-board tools. The tool is called Network Shell, or netsh for short, and its trace context is able to record network traffic.

The recording is started from an elevated command prompt (netsh trace refuses to start a capture without administrative rights):

netsh trace start capture=yes tracefile=C:\capture.etl maxsize=1000 filemode=circular overwrite=yes report=no

The parameters mean: capture=yes actually records packets (without it, only ETW events are traced); tracefile sets the output path; maxsize is the file size limit in MB; filemode=circular discards the oldest data once that limit is reached, so a long-running trace cannot fill the disk; overwrite=yes replaces an existing file of the same name; and report=no suppresses the additional diagnostic .cab bundle (system and configuration information) that netsh can otherwise generate. Note that without a capture filter the trace records every packet on every adapter, including any cleartext credentials that happen to cross the wire, so the resulting file should be handled as sensitive data and removed from the host once the analysis is done.

Once enough data has been collected, the trace is stopped with the following command (netsh may take a moment to finalise the file):

netsh trace stop

In principle, such a trace can easily be analysed with Microsoft Network Monitor. Unfortunately, Network Monitor is no longer being developed. The generated ETL file can, however, also be opened in PerfView or the Windows Performance Analyzer (WPA).

In my view, analysing network traffic is easier in Wireshark. Unfortunately, Wireshark cannot do much with an ETL file.

The remedy is a program published by Microsoft that converts an ETL file into a pcapng file, which Wireshark reads natively. The program, called etl2pcapng.exe, is open source and can be downloaded from GitHub under the following link:

https://github.com/microsoft/etl2pcapng

The conversion is very simple:

etl2pcapng.exe in.etl out.pcapng
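The whole procedure described above (start the trace, wait, stop it, convert the ETL file) as a single PowerShell script. This is an added example, not code from the original article or from Microsoft; the capture path, duration, optional capture filter and the location of etl2pcapng.exe are assumptions and can be changed via the parameters.

```powershell
# Added example (not from the original article): wraps the netsh trace start /
# stop / etl2pcapng workflow into one script.
# Assumptions (not from the article): capture path, duration, optional capture
# filter and the location of etl2pcapng.exe are chosen here.
[CmdletBinding()]
param(
    [string]$TraceFile       = 'C:\capture.etl',
    [int]$MaxSizeMB          = 1000,
    [int]$DurationSeconds    = 60,
    # Optional netsh capture filter, e.g. 'IPv4.Address=192.0.2.10'
    # (syntax: netsh trace show CaptureFilterHelp). Empty = capture everything.
    [string]$CaptureFilter   = '',
    # Assumed location of the converter downloaded from GitHub.
    [string]$Etl2PcapNg      = 'C:\Tools\etl2pcapng.exe'
)

# netsh trace needs an elevated session; fail early instead of getting a cryptic error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Build the start command as an argument array so each key=value token stays intact.
$startArgs = @(
    'trace', 'start',
    'capture=yes',
    "tracefile=$TraceFile",
    "maxsize=$MaxSizeMB",
    'filemode=circular',
    'overwrite=yes',
    'report=no'
)
if ($CaptureFilter) { $startArgs += $CaptureFilter }

Write-Host "Starting trace -> $TraceFile (max $MaxSizeMB MB, circular)"
& netsh.exe @startArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    # Confirm the trace is actually running before waiting.
    & netsh.exe trace show status
    Write-Host "Capturing for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop, otherwise the trace keeps writing after the script aborts.
    Write-Host 'Stopping trace (netsh may take a moment to finalise the file)'
    & netsh.exe trace stop
}

if (-not (Test-Path $TraceFile)) { throw "Trace file $TraceFile was not created" }

# Convert for Wireshark if the converter is available on this host.
$PcapFile = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
if (Test-Path $Etl2PcapNg) {
    & $Etl2PcapNg $TraceFile $PcapFile
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }
    Write-Host "Wrote $PcapFile"
} else {
    Write-Warning "etl2pcapng.exe not found at $Etl2PcapNg; copy $TraceFile to an analysis host and convert it there."
}

# The capture may contain cleartext credentials and other sensitive data:
# record hashes so the files can be verified after transfer, and delete them
# from the production host once the analysis is done.
Get-FileHash -Algorithm SHA256 -Path ($TraceFile, $PcapFile | Where-Object { Test-Path $_ })
```

Run it from an elevated PowerShell session, for example with `-DurationSeconds 120 -CaptureFilter 'IPv4.Address=192.0.2.10'` to limit the capture to one host. The try/finally block ensures the trace is stopped even if the script is interrupted, which matters on a production server because a forgotten circular trace keeps consuming CPU and disk until someone runs netsh trace stop by hand.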

The recorded network traffic can then be analysed in Wireshark 😎. This article provides further information.