Trace: pxeboot

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ms:win:trace [2019/11/04 15:29] jsms:win:trace [2019/11/04 15:39] (current) js
Line 1: Line 1:
 ====== trace with netsh ====== ====== trace with netsh ======
  
-<code>netsh trace start capture=yes IPv4.Address=<ip> tracefile=<filepath>\<filename> </code>+<code>netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=<ip> tracefile=<filepath>\<filename>.etl </code> 
 + 
 +You have to load the etl file to "Microsoft Network Monitor" and export it to cap. 
 + 
 +On the website [[http://www.tech-wiki.net/index.php?title=How_to_capture_traffic_with_no_Wireshark_using_netsh]]  
 + 
 +I found the following powershell code to convert it: 
 +<code powershell>$s = New-PefTraceSession -Path “C:\temp\OutFile.Cap” -SaveOnStop 
 +$s | Add-PefMessageProvider -Provider “C:\temp\capture.etl” 
 +$s | Start-PefTraceSession</code> 
 + 
 +<code>netsh trace start capture=yes protocol=17 </code>
  
 You can make it persistent, e.g. if you want to capture the boot:  You can make it persistent, e.g. if you want to capture the boot: 
Line 8: Line 19:
 To stop enter To stop enter
 <code>netsh trace stop</code> <code>netsh trace stop</code>
 +
 +Capture ICMP traffic:
 +<code>netsh trace start capture=yes protocol=1 tracefile=c:\temp\trace.etl fileMode=single maxSize=500</code>
 +
 +More information: [[https://www.computertechblog.com/capture-network-traffic-with-netsh-trace-windows-command/]]

Page Tools