Simplified Network Packet Collection

As we all know, a major part of troubleshooting application communication issues is collecting and analyzing network traffic while the application is running.  A very powerful product that is commonly used is Wireshark with WinPcap.  This capable tool and others like it require either a network line tap or an application installed on the machine.  Installing applications on production servers is normally undesirable, and having PCAP installed can be very dangerous from a security perspective.  Frequently I run into production servers that have Wireshark/WinPcap installed but not removed after it is no longer needed.  I can understand this.  You just got something back online and you don’t want to take it back offline.

Most admins are unaware that there is a tool built into Windows that can take the place of packet capture tools in most situations.  “Netsh Trace” is very powerful and simple to use.  It can be as simple as:

   netsh trace start capture=yes


   netsh trace stop


This captures everything, but there are many options to target specific applications or interfaces, such as:

   netsh trace start scenario=directaccess capture=yes report=yes tracefile=C:\Temporary\output.etl


As can be seen, this will capture client DirectAccess traffic and dump it to a standard ETL file.  This kind of granularity is great for troubleshooting since it lets you reduce the traffic collected to just that scenario.  There are other scenarios such as FileSharing, AddressAcquisition, NDIS, etc.


One more very useful capability is the ability to collect ALL traffic, including during shutdown and startup.  Sometimes you need to capture packets between the time that TCPIP.SYS is loaded and the time Windows is able to execute an application.  To use this capability, use the “persistent=yes” and “persistent=no” switches.
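
A time-boxed wrapper around the commands above, as an added example that is not part of the original post: it forces persistent=no, caps the file size, and stops the session in a finally block so a capture is not left running on a production server. The function name, its defaults, and the maxsize/filemode/overwrite values are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): bounded netsh trace capture.
# Function name, parameter defaults and size limits are illustrative assumptions.
function Invoke-BoundedNetTrace {
    param(
        [string]$TraceFile = 'C:\Temporary\output.etl',
        [string]$Scenario  = '',     # e.g. 'directaccess'; empty = no scenario filter
        [int]$Seconds      = 60,     # length of the capture window
        [int]$MaxSizeMB    = 256     # upper bound on the ETL file size
    )

    # Make sure the output directory exists before netsh tries to write to it.
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Build the argument list; persistent=no keeps the session from surviving a reboot.
    $startArgs = @('trace', 'start')
    if ($Scenario) { $startArgs += "scenario=$Scenario" }
    $startArgs += @('capture=yes', 'persistent=no', "maxsize=$MaxSizeMB",
                    'filemode=circular', 'overwrite=yes', "tracefile=$TraceFile")

    & netsh @startArgs
    # Assumption: a non-zero exit code from netsh means the session did not start.
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

    try {
        # Reproduce the application problem during this window.
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Runs on normal completion, on errors and on Ctrl+C.
        & netsh trace stop
        # Print the session state so the operator can confirm nothing is still running.
        & netsh trace show status
    }

    # Report where the capture landed and how large it is.
    Get-Item $TraceFile | Select-Object FullName, Length, LastWriteTime
}

Invoke-BoundedNetTrace -Scenario 'directaccess' -Seconds 120
```

The resulting ETL file contains the captured traffic, so move it off the server for analysis and delete the local copy when you are done.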


I look forward to hearing how you are able to utilize this tool to solve your application problems.


Mark Ringo
