Every once in a while you might have to capture traffic from your physical or virtual machine for troubleshooting why traffic is not reaching a specific destination. In such cases you would have to run a packet capturing tool to analyze the traffic. On Windows I find it easy to use the built-in netsh tracing tool. Of course there are many more tools available, but in this specific article we are going to explore the capabilities of netsh as sometimes you don’t have permissions to install software on client or other environments and it is good to utilize native tools. We will capture some traffic on my Lenovo Ideapad laptop running Windows 10 to a random destination, save it to a .etl or .cap file and open it in Wireshark and Message Analyzer tools.
Link to download Wireshark:
Wireshark currently supports pcapng and pcap file formats.
Message Analyzer supports etl and cap files, pcapng and pcap are also available, but you need a Profiles to set in order to work with them.
Okay, so lets get started.
- Open cmd as Adminisrator.
- Enter the following command: netsh trace start capture=yes tracefile=c:\capture_23_01_2021_20_00pm.etl
It is good to run the command for no more than 2-3 minutes as sometimes too much traffic is generated and then the files become corrupted.
You can stop the command with netsh trace stop
It will take a couple of minutes to generate the file and then we can use Message Analyzer to open it.
Next we will do a capture for Wireshark.
After the command has finished generating the file you will see the following:
Apart from the capture .etl file there is also one other file generated in .cab format. It is a Cabinet file and it is usually generated by Windows installers and system tools like netsh, which hold information similar to logs, but you don’t need them to analyze the packet capture.
You can now use Message Analyzer to open the .etl file and filter by IP address or protocol and see what is happening with the traffic:
Note: ideally it is not recommended to convert files as data can be missing due to the process of conversion. So it would be best to generate the captures in the format for the tool that you are using at work.
When we open the file in MessageAnalyzer we can filter the packets by IP or port:
It is a good idea while running the netsh tool to perform a ping/psping/tcpdump to the unreachable destination to see where traffic is dropped.
To filter by IP address yu just have to write in the top search bar IPv4.Address==<ip_address>