Capture a Network Trace Without Netmon

If you need to capture a network trace from a server or client that doesn’t have Netmon or any other network monitoring software installed, you can use the built-in netsh tool to capture the trace (Windows 7/2008 R2 or higher).

Once captured you can then copy it to another “tools” machine with such tools as Netmon or Wireshark to do your analysis.

1. Open an elevated command prompt and run the command line:

netsh trace start capture=yes tracefile=<path>\<filename>.etl

Example:

netsh trace start capture=yes tracefile=D:\Temp\MyNetTraceFile.etl

If you need to capture a trace across a system reboot, add persistent=yes to the command line:

netsh trace start persistent=yes capture=yes tracefile=D:\Temp\MyNetTraceFile.etl

2. Reproduce the issue, including the reboot if necessary.

3. To stop the trace, in your elevated command prompt run:

netsh trace stop

You can then take the resulting .etl file and copy it to your tools machine to open in Netmon. If you prefer to view the trace in Wireshark, open it in Netmon first and then use Save As… to save it as a .cap file.
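The three steps above wrapped in a small PowerShell script, as an added example that is not part of the original post. It checks for elevation before calling netsh, creates the output folder, and caps the trace file size with the maxSize parameter; the function names, the D:\Temp path and the size default are assumptions for illustration.

```powershell
# Added example (not from the original post): wraps the netsh trace procedure
# in two reusable functions. Function names and the sample path are assumptions.

function Start-NetshTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TraceFile,  # e.g. D:\Temp\MyNetTraceFile.etl
        [switch] $Persistent,                        # keep capturing across a reboot
        [int] $MaxSizeMB = 250                       # netsh maxSize, in MB (assumed default)
    )

    # netsh trace needs an elevated prompt; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    # netsh does not create the target folder for you.
    $dir = Split-Path -Parent $TraceFile
    if ($dir -and -not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Build the argument list; overwrite=yes replaces a stale file from an earlier run.
    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
                   "maxSize=$MaxSizeMB", 'overwrite=yes')
    if ($Persistent) { $netshArgs += 'persistent=yes' }

    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
}

function Stop-NetshTrace {
    # Stopping flushes the capture to disk; netsh also gathers supporting data, so this can take a moment.
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
}

# Usage (run each step by hand, in an elevated prompt):
#   Start-NetshTrace -TraceFile 'D:\Temp\MyNetTraceFile.etl' -MaxSizeMB 500
#   netsh trace show status          # confirm the capture is running
#   ... reproduce the issue; for -Persistent, reboot and come back ...
#   Stop-NetshTrace                  # then copy the .etl to the tools machine
```

The .etl contains full packet payloads from the host, so keep it on a folder with restricted access and transfer it to the tools machine the same way you would any other sensitive data.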
