Capture a network trace without installing anything on Windows

Read the article in French here.

Netsh, the native tool on Windows

On Microsoft Windows systems, it is possible to perform a network capture without installing any tools.

This is particularly useful on production servers where software cannot be installed, or on servers without a graphical interface (Windows Server in Core or Nano mode).

By default, Microsoft systems include the netsh utility, which can perform a large number of actions.

Although this article covers only the network capture part, netsh is a very powerful tool (firewall management, MTU changes, etc.).

To perform a network capture, carry out the following steps:

  • First of all, open a CMD or PowerShell prompt as an administrator
  • Start the capture: netsh trace start capture=yes persistent=yes

The persistent=yes parameter is optional; it keeps the capture running across a restart of the computer, so the reboot itself is logged.

  • To stop the capture: netsh trace stop

By default the trace is saved to C:\Users\<admin account>\AppData\Local\Temp\NetTraces\NetTrace.etl

This file must be opened with Microsoft Message Analyzer (which needs to be installed, but the .etl file can be copied to any computer for analysis).
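As an added example (not part of the original article), the procedure above wrapped in a PowerShell function that checks the shell is elevated, captures for a fixed time, and writes the .etl to an explicit location with a size cap. The function name, the path C:\Temp\NetTrace.etl and the 60-second default are assumptions; netsh trace is available on Windows 7 / Server 2008 R2 and later.

```powershell
# Added example, not from the original article: a timed netsh trace capture
# with an elevation check and an explicit output file. Run from an elevated
# PowerShell prompt.

function Start-TimedNetshCapture {
    param(
        [int]$Seconds = 60,                              # assumed default duration
        [string]$TraceFile = "C:\Temp\NetTrace.etl",     # constructed path, adjust as needed
        [int]$MaxSizeMB = 250,                           # cap on the .etl size
        [switch]$Persistent                              # keep capturing across a reboot
    )

    # netsh trace refuses to start from a non-elevated shell, so fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (administrator) PowerShell prompt."
    }

    # Make sure the destination folder exists before netsh tries to write there.
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $persist = if ($Persistent) { "yes" } else { "no" }

    # tracefile= overrides the default location under %LOCALAPPDATA%\Temp\NetTraces;
    # overwrite=yes replaces a previous file of the same name.
    & netsh trace start capture=yes persistent=$persist tracefile="$TraceFile" maxsize=$MaxSizeMB overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

    try {
        Write-Host "Capturing for $Seconds seconds to $TraceFile ..."
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Stop the trace even if the wait is aborted, so no capture is left
        # running in the background on the server.
        & netsh trace stop | Out-Null
    }

    # Return the .etl file so the caller can copy it off the server.
    Get-Item $TraceFile
}

# Usage: a 30-second capture to the constructed path above.
Start-TimedNetshCapture -Seconds 30
```

The returned .etl can then be copied to a workstation with Microsoft Message Analyzer, as described above.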
