Windows’ Built-In Wireshark

The SANS ISC blog had a great tip last week if you ever need to perform a packet capture but don’t have ready access to the usual set of tools like Wireshark or tcpdump. On the defensive side you might need something like this to debug a problem. Offensively, this method offers a nice way to perform a local packet capture once you gain a foothold within a target network.

Enter the Windows “netsh trace” command. The article goes into much more detail but here’s the general gist.

netsh trace help : Show the different command options

netsh trace start capture=yes : Start a capture

netsh trace stop : Stop a capture

And beyond adding some capture filters if you wish, that’s about it. By default the capture format is in Microsoft’s ETL format, which you can open in their Microsoft Analyzer tool. Analyzer also offers export options in more traditional formats such as PCAP. The best tip in the article though is this little PowerShell script to do the same thing.

# Create a PEF session that writes a .cap file when the session stops
$s = New-PefTraceSession -Path "C:\output\path\spec\OutFile.Cap" -SaveOnStop
# Feed it the ETL file produced by netsh trace
$s | Add-PefMessageProvider -Provider "C:\input\path\spec\Input.etl"
# Run the session: it reads the ETL and saves the converted capture
$s | Start-PefTraceSession
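To tie the pieces together, here is an added example (not from the SANS ISC article or this post) that runs a filtered netsh trace for a fixed time, stops it cleanly, and converts the ETL to a .cap with the same PEF cmdlets. The paths, the capture duration and the 192.0.2.10 filter address are assumptions to be replaced.

```powershell
# Added example: scripted netsh trace capture plus ETL -> .cap conversion.
# All paths, the duration and the filter address below are assumptions.
param(
    [string]$EtlPath  = "C:\Temp\capture.etl",   # assumed ETL output path
    [string]$CapPath  = "C:\Temp\capture.cap",   # assumed converted-file path
    [string]$HostIPv4 = "192.0.2.10",            # placeholder: only traffic to/from this host
    [int]$Seconds     = 60                        # how long to capture
)

# netsh trace needs an elevated session; fail early rather than half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}

# Start the capture. capture=yes enables packet capture, report=no skips the
# CAB report, maxsize caps the file in MB, and IPv4.Address is one of the
# built-in capture filters the article mentions (see netsh trace show capturefilterhelp).
netsh trace start capture=yes report=no overwrite=yes maxsize=100 `
    tracefile="$EtlPath" IPv4.Address=$HostIPv4
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)." }

try {
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, even on Ctrl-C, so no session is left running.
    netsh trace stop
}

if (-not (Test-Path $EtlPath)) { throw "Expected trace file not found: $EtlPath" }

# Convert ETL -> .cap with the PEF module that ships with Microsoft Message Analyzer,
# using the same three cmdlets as the post's script, so the file opens in Wireshark.
Import-Module PEF -ErrorAction Stop
$session = New-PefTraceSession -Path $CapPath -SaveOnStop
$session | Add-PefMessageProvider -Provider $EtlPath
$session | Start-PefTraceSession

# Show what was produced
Get-Item $CapPath | Select-Object FullName, Length, LastWriteTime
```

Without the IPv4.Address filter the trace captures all traffic on every interface, so on a busy host expect the 100 MB cap to be hit quickly.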

Check out the full article here.


Today’s post pic is from

2 comments for “Windows’ Built-In Wireshark”

  1. March 11, 2015 at 2:10 am

    Windows’ Built-In Wireshark

  2. March 11, 2015 at 2:40 am

    BLOGGED: Windows’ Built-In Wireshark
