Packet capture on Windows is easier than you think. WireShark is an obvious choice when it comes to network sniffing, but there might be scenarios when you can't or don't want to install a 3rd party software on your machine for such a (probably one time) task.
Luckily Windows - both newer and older versions - has built-in tools to capture network traffic. Although the output is a format that very few application can read there are ways to convert them so popular packet analyzers like WireShark or tcpdump can read.
Newer Windows systems (from Windows 10 up, also Windows Server 2019 or newer) have Packet Monitor (pktmon) available by default, older versions can utilize netsh to grab an .etl capture of the network traffic on the box.
1. On Newer Windows Operating Systems: pktmon
Windows 10 and Windows Server 2019 or newer systems have a neat little tool natively available for packet capturing called pktmon. This packet monitoring utility doesn't only capture network traffic and saves it in an .ETL file format, but it can convert this output to .CAP or .PCAP format that can be read by WireShark and other network sniffing applications.
### Run capture: ### # --pkt-size <bytes> # Number of bytes to log from each packet. To always log the entire # packet set this to 0. Default is 128 bytes. # # --file-size <size> # Maximum log file size in megabytes. Default is 512 MB. pktmon start --capture --file-name c:\temp\TestCapture.etl --pkt-size 0 --file-size 100 ### Check status of the capturing session ### pktmon counters ### Stop capture ### pktmon stop
Oh, no! 'ptkmon' is not found!
If your machine doesn't have the pktmon tool, jump to section 2 to see how packet capture is possible on older Windows versions
So if you want to take the capture and open it in WireShark, first you need to convert it to a .pcap file. Here's how:
# Convert capture file from .etl to .pcap (WireShark compliant) pktmon etl2pcap [source etl] --out [target pcap file]
2. On Older Windows Systems: Use netsh for Packet Capture
If pktmon is not available because you're running an older operating system, don't worry! Running the netsh command for packet capture, then using the ETL2PCAPNG tool (developed by Microsoft's titan, Matt Olson) to convert the capture output to a WireShark-friendly format does the exact same thing.
In this case you need to download the ETL2PCAPNG external utility but it's a standalone program you don't need to install it: GitHub link here.
# Start capture with netsh netsh trace start capture=yes tracefile=c:\temp\CaptureByNetsh.etl maxsize=100MB # Check status while capturing netsh trace show status # Stop capture netsh trace stop
Convert the .etl file to .pcap format that we can load in your WireShark app for analysis. Again, no need for installing WireShark you can simply use the portable version.
First we download the latest ETL2PCAPNG release in c:\temp, unpack it, and run the x64 executable since we use a machine with a 64bit architecture.
# Convert .etl to .pcap C:\temp\etl2pcapng\x64>etl2pcapng c:\temp\CaptureByNetsh.etl c:\temp\CaptureByNetsh.pcap
Comments