Capturing network traffic without capture software installation
Capturing network traffic without installing dedicated capture software (e.g. Wireshark) is useful in environments with strict change control, where adding a packet sniffer and its driver to a production host is not an option. Netsh can serve this purpose: the netsh trace context is built into Windows (Windows 7 / Windows Server 2008 R2 and later) and writes packets through an ETW session, so nothing has to be installed on the host. The same property makes it attractive to an attacker who wants to sniff traffic with a signed, native binary, so process-creation logging that shows netsh.exe being run with "trace start" on hosts where nobody is expected to capture traffic is worth alerting on.
Starting the capture
To start the network capture, run the netsh trace start command from an elevated command prompt (it requires administrative privileges because it creates a kernel ETW session). Detailed information about the tool and the available options can be found here:
https://technet.microsoft.com/en-us/library/dd878517(v=ws.10).aspx#bkmk_traceShowCapture
Syntax
The syntax of the netsh trace start command is as follows (capture filters such as CaptureInterface= and IPv4.Address=, described below, are appended to this command line):
start [[scenario=]Scenario1,Scenario2] [[globalKeywords=]keywords] [[globalLevel=]level] [[capture=]{yes|no}] [[report=]{yes|no}] [[persistent=]{yes|no}] [[traceFile=]Path\Filename] [[maxSize=]MaxFileSizeInMB] [[fileMode=]{single|circular|append}] [[overwrite=]{yes|no}] [[correlation=]{yes|no|disabled}] [[provider=]ProviderIdOrName] [[keywords=]KeywordMaskOrSet] [[level=]level] [[provider=]Provider2IdOrName] [[keywords=]Keyword2MaskOrSet] [[level=]level2]
Capture Filters
Capture filters reduce the amount of captured data. They only take effect when capture=yes is specified, and when several filters are given a packet must match all of them (they are combined with AND, not OR). To see the available filters run the "netsh trace show captureFilterHelp" command.
Useful filters:
CaptureInterface= Enables packet capture for the specified interface name or GUID. Use 'netsh trace show interfaces' to list available interfaces.
Ethernet.Address= Matches the specified filter against both source and destination MAC addresses.
Ethernet.SourceAddress= Matches the specified filter against source MAC addresses.
Protocol= Matches the specified filter against the IP protocol.
IPv4.Address= Matches the specified filter against both source and destination IPv4 addresses.
IPv4.SourceAddress= Matches the specified filter against source IPv4 addresses.
Example command (note the straight quotes around the interface name; curly quotes pasted from a document are not understood by cmd.exe):
netsh trace start capture=yes traceFile=C:\Capture\TraceOutput1.etl CaptureInterface="Local Area connection 1" IPv4.Address=192.168.1.2
Unless report=no is added, netsh also collects a diagnostic .cab report when the trace is stopped, which takes time and contains system configuration data. The trace file is limited to maxSize (250 MB by default) in circular mode, so a long-running capture overwrites its oldest packets rather than filling the disk.
Stopping the capture
To stop the capture run the "netsh trace stop" command. Stopping is not instantaneous: netsh flushes the ETW session and, unless the trace was started with report=no, generates the report, which can take a minute or more. "netsh trace show status" shows whether a session is still running. Treat the resulting .etl as sensitive data: it contains full packet payloads, including any credentials, cookies or tokens that crossed the wire in clear text, so keep it in a directory restricted to administrators and delete it once the analysis is finished.
Viewing the trace
Wireshark cannot open .etl files directly (Microsoft Message Analyzer, which could, was retired in 2019), so convert the captured .etl file to .pcapng format first:
1. Download etl2pcapng from https://github.com/microsoft/etl2pcapng/releases
2. Run etl2pcapng.exe <name_of_input.etl> <output_name.pcapng>
3. Review the .pcapng file in Wireshark.
Only the packet-capture events are carried over by the conversion; any other ETW provider events recorded in the .etl are dropped.
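The whole procedure (start a filtered capture, stop it, convert it) as one script. This is an added example, not code from the original article; it assumes the interface is named "Ethernet", that the host of interest is 192.168.1.2, that etl2pcapng.exe has been copied to C:\Tools, and that "netsh trace show status" prints a line containing "no trace session" when nothing is running.

```powershell
# Added example (not from the original article): run a filtered netsh trace
# capture for a fixed time, stop it cleanly, and convert the .etl to .pcapng.
# Assumed values (not taken from the page): interface "Ethernet", host
# 192.168.1.2, etl2pcapng.exe in C:\Tools.
#Requires -RunAsAdministrator
param(
    [string]$Interface   = 'Ethernet',
    [string]$HostAddress = '192.168.1.2',
    [int]$Seconds        = 60,
    [string]$OutDir      = 'C:\Capture',
    [string]$Etl2Pcapng  = 'C:\Tools\etl2pcapng.exe'
)

$ErrorActionPreference = 'Stop'

# Refuse to start if a trace session is already running. Assumption: the idle
# status message contains "no trace session".
$status = netsh trace show status
if (($status -join "`n") -notmatch 'no trace session') {
    throw "A netsh trace session is already running:`n$($status -join "`n")"
}

# netsh does not create the target directory; create it and restrict it to
# Administrators and SYSTEM, because the .etl will contain raw packet payloads.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
icacls $OutDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl    = Join-Path $OutDir "trace-$stamp.etl"
$pcapng = [IO.Path]::ChangeExtension($etl, '.pcapng')

# capture=yes        enable packet capture (otherwise only ETW events are logged)
# report=no          skip the slow diagnostic .cab report at stop time
# maxSize/fileMode   cap the file at 200 MB and wrap around instead of filling the disk
# CaptureInterface   capture on this NIC only
# IPv4.Address       keep packets whose source OR destination is the host of interest
netsh trace start capture=yes report=no persistent=no `
    traceFile="$etl" maxSize=200 fileMode=circular overwrite=yes `
    CaptureInterface="$Interface" IPv4.Address=$HostAddress
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    Write-Host "Capturing on '$Interface' for $Seconds s -> $etl"
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session, including on Ctrl+C; an abandoned session keeps
    # writing, and with persistent=yes would even survive a reboot.
    netsh trace stop | Out-Null
}

# Convert for Wireshark. etl2pcapng keeps only the packet-capture events.
if (Test-Path $Etl2Pcapng) {
    & $Etl2Pcapng $etl $pcapng
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }
    Write-Host "Wrote $pcapng"
} else {
    Write-Warning "etl2pcapng not found at $Etl2Pcapng; copy $etl to an analysis host and convert it there."
}

# Record a hash so the capture can be shown to be unmodified if it becomes evidence.
Get-FileHash -Algorithm SHA256 -Path $etl | Format-List Path, Hash
```

Run it from an elevated PowerShell prompt, e.g. .\Capture-Trace.ps1 -Interface "Local Area connection 1" -HostAddress 192.168.1.2 -Seconds 120. Compare the interface name against "netsh trace show interfaces" first, because a mismatched CaptureInterface filter silently yields an empty capture.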