OpenTechTips

Packet Capture on Windows Without WireShark – NO INSTALLATION REQUIRED!

December 20, 2021 - by Zsolt Agoston - last edited on December 28, 2021

Packet capture on Windows is easier than you think. Wireshark is the obvious choice for network sniffing, but there are scenarios where you can't or don't want to install third-party software on a machine for what is probably a one-time task.

Luckily Windows, both newer and older versions, has built-in tools to capture network traffic. The output is an .etl (Event Trace Log) file, a format that very few applications can read directly, but it can be converted so that popular packet analyzers like Wireshark or tcpdump can open it.

Newer Windows systems (Windows 10 version 1809 and Windows Server 2019 or later) have Packet Monitor (pktmon) available by default; older versions can use netsh to grab an .etl capture of the network traffic on the box. Both tools must be run from an elevated (Run as administrator) command prompt.

1. On Newer Windows Operating Systems: pktmon

Windows 10 (version 1809 and later) and Windows Server 2019 or newer systems have a neat little tool natively available for packet capturing called pktmon. This packet monitoring utility not only captures network traffic and saves it in .etl format, it can also convert that output to pcapng, a format that Wireshark and other packet analyzers can read (the built-in conversion arrived with Windows 10 version 2004; on the original 1809/2019 builds, convert with the etl2pcapng tool from section 2 instead). Note that without a filter pktmon records every packet on every network component of the box, so add a filter with pktmon filter add, or keep the session short, when you only need a specific flow.

### Run capture: ###
# --pkt-size <bytes>
#        Number of bytes to log from each packet. To always log the entire
#        packet set this to 0. Default is 128 bytes.
#
# --file-size <size>
#        Maximum log file size in megabytes. Default is 512 MB.

pktmon start --capture --file-name c:\temp\TestCapture.etl --pkt-size 0 --file-size 100

### Check status of the capturing session ###
pktmon counters

### Stop capture ###
pktmon stop

Oh, no! 'pktmon' is not found!

If your machine doesn't have the pktmon tool (the prompt says 'pktmon' is not recognized as an internal or external command), jump to section 2 to see how packet capture is possible on older Windows versions.

So if you want to take the capture and open it in Wireshark, first you need to convert it to a pcapng file. Here's how:

# Convert capture file from .etl to pcapng (Wireshark compliant)
pktmon etl2pcap [source etl] --out [target pcapng file]

# For the capture started above:
pktmon etl2pcap c:\temp\TestCapture.etl --out c:\temp\TestCapture.pcapng

2. On Older Windows Systems: Use netsh for Packet Capture

If pktmon is not available because you're running an older operating system, don't worry! Running the netsh command for packet capture, then using the etl2pcapng tool (developed at Microsoft by Matt Olson) to convert the output to a Wireshark-friendly format, does the exact same thing. Like pktmon, netsh trace must be run from an elevated command prompt.

In this case you need to download the etl2pcapng utility, but it's a standalone program, you don't need to install it: https://github.com/microsoft/etl2pcapng. Since you are about to run a downloaded binary as administrator, make sure it came from the official Microsoft repository and record its SHA-256 (Get-FileHash in PowerShell) so you know exactly which binary you ran.

# Start capture with netsh (maxsize is given in megabytes)
netsh trace start capture=yes tracefile=c:\temp\CaptureByNetsh.etl maxsize=100

# Check status while capturing
netsh trace show status

# Stop capture
netsh trace stop

Convert the .etl file to pcapng format so it can be loaded into Wireshark for analysis. Again, there is no need to install Wireshark, you can simply use the portable version.

First download the latest etl2pcapng release into c:\temp, unpack it, and run the x64 executable, since the machine here has a 64-bit architecture. The tool takes the input .etl and the output file name as positional arguments; what it writes is pcapng, so name the output accordingly:

# Convert .etl to pcapng
C:\temp\etl2pcapng\x64>etl2pcapng c:\temp\CaptureByNetsh.etl c:\temp\CaptureByNetsh.pcapng
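The two procedures above are the same job with a different engine, so here is one PowerShell wrapper that ties them together: it uses pktmon when the box has it (section 1) and falls back to netsh trace plus etl2pcapng otherwise (section 2), then checks the magic bytes of the result to prove the converted file really is pcapng rather than an .etl that was merely renamed. This is an added example, not code from the original article or from the pktmon/etl2pcapng projects. The capture length, the c:\temp paths, the optional TCP port filter, the location of etl2pcapng.exe and its expected SHA-256 are all assumptions passed in as parameters; no real hash or real target is embedded.

```powershell
# Added example (not from the original article): capture with pktmon if present,
# otherwise with netsh trace + etl2pcapng, then verify the output is pcapng.
# Both engines need elevation; #Requires makes PowerShell refuse to run otherwise.
#Requires -RunAsAdministrator

param(
    [int]    $Seconds          = 30,            # assumption: how long to capture
    [string] $OutDir           = 'C:\temp',     # assumption: same folder the article uses
    [int]    $MaxSizeMB        = 100,           # log file cap for both pktmon and netsh
    [int]    $TcpPort          = 0,             # 0 = no filter; >0 adds a pktmon TCP port filter
    [string] $Etl2PcapngExe    = 'C:\temp\etl2pcapng\x64\etl2pcapng.exe',  # assumption
    [string] $Etl2PcapngSha256 = ''             # assumption: hash you recorded for the download
)

function Get-CaptureFormat {
    # Reads the first four bytes of a file and names the capture format by its magic number.
    param([string] $Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $b = New-Object byte[] 4; [void] $fs.Read($b, 0, 4) } finally { $fs.Dispose() }
    $hex = ($b | ForEach-Object { $_.ToString('x2') }) -join ''
    switch ($hex) {
        '0a0d0d0a' { 'pcapng' }                 # Section Header Block type, same in either byte order
        'a1b2c3d4' { 'pcap (big-endian)' }
        'd4c3b2a1' { 'pcap (little-endian)' }
        default    { "unknown ($hex)" }         # an unconverted .etl lands here
    }
}

function Invoke-PktmonCapture {
    param([string] $Etl, [string] $Pcapng)
    if ($TcpPort -gt 0) {
        pktmon filter remove | Out-Null                           # start from a clean filter list
        pktmon filter add "tcp-$TcpPort" -t TCP -p $TcpPort | Out-Null
    }
    # --pkt-size 0: pktmon keeps only the first 128 bytes of each packet by default,
    # which silently drops payloads; 0 means log the whole packet.
    pktmon start --capture --file-name $Etl --pkt-size 0 --file-size $MaxSizeMB | Out-Null
    Start-Sleep -Seconds $Seconds
    pktmon stop | Out-Null
    pktmon filter remove | Out-Null                               # do not leave filters behind
    pktmon etl2pcap $Etl --out $Pcapng | Out-Null
}

function Invoke-NetshCapture {
    param([string] $Etl, [string] $Pcapng)
    if (-not (Test-Path $Etl2PcapngExe)) { throw "etl2pcapng not found at $Etl2PcapngExe" }
    if ($Etl2PcapngSha256) {
        # Refuse to run a downloaded binary as administrator if it is not the one you vetted.
        $actual = (Get-FileHash -Path $Etl2PcapngExe -Algorithm SHA256).Hash.ToUpperInvariant()
        if ($actual -ne $Etl2PcapngSha256.ToUpperInvariant()) {
            throw "etl2pcapng SHA-256 mismatch: got $actual"
        }
    }
    netsh trace start capture=yes tracefile=$Etl maxsize=$MaxSizeMB | Out-Null
    Start-Sleep -Seconds $Seconds
    netsh trace stop | Out-Null      # slow: netsh merges the trace before returning
    & $Etl2PcapngExe $Etl $Pcapng | Out-Null
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl    = Join-Path $OutDir "capture-$stamp.etl"
$pcapng = Join-Path $OutDir "capture-$stamp.pcapng"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

if (Get-Command pktmon -ErrorAction SilentlyContinue) {
    Write-Host "pktmon found, capturing for $Seconds s"
    Invoke-PktmonCapture -Etl $etl -Pcapng $pcapng
} else {
    Write-Host "pktmon not found, falling back to netsh trace + etl2pcapng"
    Invoke-NetshCapture -Etl $etl -Pcapng $pcapng
}

$fmt = Get-CaptureFormat -Path $pcapng
if ($fmt -ne 'pcapng') { throw "conversion produced '$fmt', not pcapng: $pcapng" }
Write-Host "OK: $pcapng ($fmt, $((Get-Item $pcapng).Length) bytes)"
```

Run it from an elevated PowerShell, for example `.\capture.ps1 -Seconds 60 -TcpPort 443` on a machine with pktmon, or `.\capture.ps1 -Etl2PcapngSha256 <hash you recorded>` on an older one. The format check at the end is the part worth keeping even if you type the commands by hand: an .etl starts with a different header entirely, so a quick look at the first four bytes tells you whether Wireshark will open the file before you copy it off the box.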
