Capture packets using netsh tool

Netsh captures

Every once in a while you might have to capture traffic from your physical or virtual machine to troubleshoot why traffic is not reaching a specific destination. In such cases you have to run a packet capturing tool to analyze the traffic. On Windows I find it easy to use the built-in netsh tracing tool. Of course there are many more tools available, but in this article we are going to explore the capabilities of netsh, because sometimes you don't have permission to install software on client or other environments and it is good to know how to use native tools. We will capture some traffic on my Lenovo Ideapad laptop running Windows 10 to a random destination, save it to an .etl or .cap file and open it in the Wireshark and Message Analyzer tools.

Link to download Wireshark:

Link to download Message Analyzer:

Wireshark currently supports pcapng and pcap file formats.

Message Analyzer supports .etl and .cap files; .pcapng and .pcap are also available, but you need to set up a Profile in order to work with them.

Okay, so let's get started.

  1. Open cmd as Administrator.
  2. Enter the following command: netsh trace start capture=yes tracefile=c:\capture_23_01_2021_20_00pm.etl

[Screenshot: output of netsh trace start showing the trace configuration: Status: Running, Trace File: c:\...etl, Circular: On, Max Size: 512 MB]

It is good to run the command for no more than 2-3 minutes as sometimes too much traffic is generated and then the files become corrupted.

You can stop the capture with netsh trace stop.

[Screenshot: output of netsh trace stop: Merging traces ... done, Generating data collection ...]

It will take a couple of minutes to generate the file and then we can use Message Analyzer to open it.
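As an added example (not part of the original article), here is a PowerShell wrapper around the same two netsh commands. It enforces the short capture duration recommended above and always runs netsh trace stop, so a trace is never left running in the background. The output folder, duration, size limit and the optional IPv4.Address capture filter are assumptions; run it from an elevated prompt.

```powershell
# Added example: time-boxed netsh trace capture (not from the original article).
param(
    [string]$TraceDir = 'C:\captures',   # assumed output folder
    [int]$DurationSeconds = 120,         # article advises no more than 2-3 minutes
    [int]$MaxSizeMB = 512,               # matches the 512 MB shown in the article's output
    [string]$FilterAddress = ''          # optional: restrict capture to one IPv4 host
)

# netsh trace needs administrator rights; fail early instead of half-starting.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) prompt.'
}

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy_MM_dd_HH_mm'
$etl   = Join-Path $TraceDir "capture_$stamp.etl"

# Same command as in the article, plus a size cap and an optional capture filter
# (IPv4.Address is a netsh trace capture filter; it keeps the .etl small and readable).
$netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$etl", "maxSize=$MaxSizeMB", 'overwrite=yes')
if ($FilterAddress) { $netshArgs += "IPv4.Address=$FilterAddress" }

& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing for $DurationSeconds seconds; reproduce the failing traffic now (e.g. ping the destination)."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop: an unstopped trace keeps running and growing after the script exits.
    & netsh trace stop
}

# netsh writes the .etl and, depending on the report setting, a .cab next to it.
Get-ChildItem -Path $TraceDir -Filter "capture_$stamp.*" |
    Select-Object Name, @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 2) } }
```

Open the resulting .etl in Message Analyzer as described below; the .cab can be ignored for packet analysis.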

Next we will do a capture for Wireshark.

After the command has finished generating the file you will see the following:

[Screenshot: output of netsh trace stop: Merging traces ... done. Generating data collection ... done. The trace file and additional troubleshooting information have been compiled as "c:\...cab". File location = c:\... Tracing session was successfully stopped.]

Apart from the capture .etl file, one other file is generated, in .cab format. It is a Cabinet file, usually produced by Windows installers and system tools like netsh, and it holds diagnostic information similar to logs, but you don't need it to analyze the packet capture.

You can now use Message Analyzer to open the .etl file and filter by IP address or protocol and see what is happening with the traffic:

Note: converting capture files between formats is not recommended, as data can be lost in the conversion process. It is best to generate the capture directly in the format of the tool you use at work.

When we open the file in Message Analyzer we can filter the packets by IP address or port:

[Screenshot: Message Analyzer session showing a list of DNS Query messages (QResult: NoError) filtered with IPv4.Address, with the Details pane expanded for one DNS request over UDP port 53]

It is a good idea, while the netsh trace is running, to perform a ping/psping/tcpdump to the unreachable destination so you can see where the traffic is dropped.

To filter by IP address you just have to type IPv4.Address==<ip_address> in the top search bar.