Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| ms:win:trace [2019/11/04 15:32] – js | ms:win:trace [2019/11/04 15:39] (current) – js |
|---|
| ====== trace with netsh ====== | ====== trace with netsh ====== |
| |
| <code>netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=<ip> tracefile=<filepath>\<filename> </code> | <code>netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=<ip> tracefile=<filepath>\<filename>.etl </code> |
| | |
| | You have to load the etl file to "Microsoft Network Monitor" and export it to cap. |
| | |
| | On the website [[http://www.tech-wiki.net/index.php?title=How_to_capture_traffic_with_no_Wireshark_using_netsh]] |
| | |
| | I found the following powershell code to convert it: |
| | <code powershell>$s = New-PefTraceSession -Path “C:\temp\OutFile.Cap” -SaveOnStop |
| | $s | Add-PefMessageProvider -Provider “C:\temp\capture.etl” |
| | $s | Start-PefTraceSession</code> |
| |
| <code>netsh trace start capture=yes protocol=17 </code> | <code>netsh trace start capture=yes protocol=17 </code> |
| Capture ICMP traffic: | Capture ICMP traffic: |
| <code>netsh trace start capture=yes protocol=1 tracefile=c:\temp\trace.etl fileMode=single maxSize=500</code> | <code>netsh trace start capture=yes protocol=1 tracefile=c:\temp\trace.etl fileMode=single maxSize=500</code> |
| | |
| | More information: [[https://www.computertechblog.com/capture-network-traffic-with-netsh-trace-windows-command/]] |
