Tag Archive: netsh trace

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

How to message analyzer on YouTube: https://www.youtube.com/watch?v=e0v0RsQVdT8

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool.  Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server remotely !)
  • Remote capture (capture multiple point concurrently)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is  “operations”, (requests matched with responses)
  • User controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Other articles:

Use message analyzer to convert a .etl to .cap: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/


Capture a network trace using netsh:



  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

Netsh command reference:




Using Netsh to redirect a port to another computer:


How to create a wifi hotspot with netsh:


Using netsh with DHCP:


Using netsh to capture traffic:


Capture a NETSH network trace

a) Open an elevated command prompt and run: “netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl” (make sure you have a \temp directory or choose another location).

b) Log on and stop the trace using: “netsh trace stop” (from an elevated prompt).

c) Open the .etl with Network monitor or Message Analyzer  (allows you to choose .etl as a file to open) and save as .cap to be analyzed in detail with Wireshark if you prefer: https://blogs.msdn.microsoft.com/benjaminperkins/2018/03/09/analyze-netsh-traces-with-wireshark-or-network-monitor/




Full article:


Topic #1: What is the purpose of this tool as opposed to other tools available?

This certainly should be the first question. This tool is focused toward delivering an easy to understand approach to obtaining network captures on remote machines utilizing PowerShell and PowerShell Remoting.

I often encounter scenarios where utilizing an application such as Message Analyzer, NETMON, or Wireshark to conduct network captures is not an option. Much of the time this is due to security restrictions which make it very difficult to get approval to utilize these tools on the network. Alternatively, it could be due to the fact that the issue is with an end user workstation who might be located thousands of miles from you and loading a network capture utility on that end point makes ZERO sense, much less trying to walk an end user through using it. Now before we go too much further, both Message Analyzer and Wireshark can help on these fronts. So if those are available to you, I’d recommend you look into them, but of course only after you’ve read my entire post.

Topic #2: Where can I get this tool?




Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

Netmon versus Message Analyzer. Netmon is well-known tool used by IT peoples to troubleshoot problems daily.

Netmon capture Net frames, Net frame: contain header and payload

TCP basics:

Tcp session establishment:

clt: TCP syn –> srv    then    srv: Syn-Ack –>clt    then    clt: Ack –> srv

Gracefull closure:

clt: Fin –> srv       then       srv: Fin-Ack –>clt

srv: Fin –> clt       then       clt: Fin-Ack –> srv

Forced closure (fermeture brutale):

clt: tcp reset –> srv       THEN      srv: tcp reset –> clt

Notion de fenetre TCP (ou TCP RWIN): le client informe le serveur de la quantite de donnees a envoyer/recevoir. Il y a des BUFFER au niveau applicatif, au niveau de la carte reseau et du protocole TCP. Grosso modo, les pacquets sont decoupes en blocs et stockes d’abord du buffer de l’appl, et par la suite dans le buffer TCP. Il y a un Send Buffer TCP et un Receive Buffer TCP.

The TCP protocol calcule la taille de RWIN. Since Windows vista, the TCP buffer size can be adjusted (Windows scaling) par multiplication of de buffer 65535 – can be modified using NETSH !

The last netmon version is v3.4. At Microsoft, the evolution of netmon is Message Analyzer.

Netmon 3.4 download: http://www.microsoft.com/en-us/download/details.aspx?id=4865

Message Analyzer download: http://www.microsoft.com/en-us/download/details.aspx?id=40308

For netmon, there are addins: downloadable at http://nmexperts.codeplex.com/

NMDECRYPT : http://nmdecrypt.codeplex.com/

TCP Analyzer : http://research.microsoft.com/en-us/projects/tcpanalyzer/

TOP USERS : http://nmtopusers.codeplex.com/

TOP PROTOCOLS : http://nmtopprotocols.codeplex.com/

NMSimpleSearch : http://archive.msdn.microsoft.com/NmSimpleSearch

Visual Round Trip Analyzer : http://www.microsoft.com/en-us/download/details.aspx?id=21462

I come back to Netmon,

Netmon uses a capture drive called nmcap

Netmon uses by default a “Parser profile = default”, if your want more details about application protocoles swith to “parser profile = Windows”

Use “color rules”

Add colums: “Time offset”, “Destination port”, “Source port”

Use “filters”:

Adresses and ports :
IPv4.Address ==
IPv4.SourceAddress ==
IPv4.DestinationAddress ==
TCP.PORT == 3389
IPv4.address == AND Tcp.port!=3389          ; en clair affiche moi le traffic ou apparait l’IP mais pas TCP3389 (bruit du à RDP)

To find text:
ContainsBin(FrameData, ASCII, “SavillText”)

Analyzing SMB or SMB2: http://www.snia.org/sites/default/files2/sdc_archives/2009_presentations/wednesday/PaulLong_TShootSMBwithNM3-rev.pdf

Exclusions :
! (RDP)
! (ipv4.address ==
! (tcp.port == 3389)

Operators :

“Intellisense” :
TCP. (…)

TCP.Property.tcpRetransmits == 1
TCP.Flags.SYN == 1
TCP.Flags.RESET == 1

Right click : “Add to Display Filter”

Protocole filters:

Response time:

In order to filter on the difference in time, you can use FrameVariable.TimeDelta property. This value represents the time from the last physical frame in the trace. One side effect of this is that you can’t filter the time delta that results between two filtered frames or two frames in a specific conversation. Leading to perhaps more confusion, the time delta column you see is updated based on the filtered information.

The following filter will find any frame with a time delta greater than 1 second: FrameVariable.TimeDelta > 10000000