
Pcaps on Windows with netsh.exe

Useful when no other tools are available (it's a native Windows binary)

Windows doesn't have tcpdump, so if you want to create a .pcap file from a packet capture, the easiest method is to download Wireshark or some other third-party software. But it's still possible to create a pcap using only files natively installed on Windows - there are just a few more steps.

Netsh.exe, found in \Windows\System32\, can capture network packets with netsh trace start capture=yes [filters]. After you've captured the traffic, end the capture with netsh trace stop. Use the filters to exclude any traffic you don't want in the capture. To see information about available filters, use netsh trace show capturefilterhelp. To specify the output file, use tracefile=DEST.

At this point, you'll see the output file is an .etl file. In order to convert it to a .pcapng file (which you'll need to do before you pop it open in Wireshark), you'll need to download etl2pcapng; unfortunately, you can only run it on 64-bit Windows.
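The whole workflow above (start a filtered netsh trace, stop it, convert the .etl with etl2pcapng) as one PowerShell function. This is an added example, not code from the original post; it assumes etl2pcapng.exe has already been downloaded and is reachable via $Etl2PcapngPath, and the address and protocol filter values are placeholders you supply. It also adds two checks a practitioner wants: netsh trace refuses to run without an elevated prompt, and the finished .pcapng is hashed so the capture can be verified later.

```powershell
# Added example (not from the original post): wrap the netsh trace capture
# and the etl2pcapng conversion in one function. Assumes etl2pcapng.exe is
# on PATH or pointed to by -Etl2PcapngPath; filter values are placeholders.
function Invoke-NetshCapture {
    param(
        [Parameter(Mandatory)] [string] $EtlPath,   # e.g. C:\temp\capture.etl
        [string] $HostAddress,                       # optional IPv4.Address filter
        [string] $Protocol,                          # optional Protocol filter, e.g. TCP
        [int]    $MaxSizeMB       = 100,             # circular file size cap in MB
        [int]    $DurationSeconds = 30,              # how long to capture
        [string] $Etl2PcapngPath  = 'etl2pcapng.exe'
    )

    # netsh trace start only works from an elevated (Administrator) prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'netsh trace requires an elevated PowerShell session.'
    }

    # Build the netsh trace start command. report=disabled skips the slow
    # diagnostics .cab that netsh otherwise builds on stop.
    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$EtlPath",
                   "maxsize=$MaxSizeMB", 'filemode=circular', 'overwrite=yes',
                   'report=disabled')
    if ($HostAddress) { $netshArgs += "IPv4.Address=$HostAddress" }  # keep only this host
    if ($Protocol)    { $netshArgs += "Protocol=$Protocol" }         # keep only this protocol
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }

    Start-Sleep -Seconds $DurationSeconds
    & netsh.exe trace stop    # flushes the buffer to $EtlPath; this can take a moment
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit $LASTEXITCODE)" }

    # Convert the ETL to pcapng for Wireshark (etl2pcapng is 64-bit only).
    $pcapng = [IO.Path]::ChangeExtension($EtlPath, '.pcapng')
    & $Etl2PcapngPath $EtlPath $pcapng
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit $LASTEXITCODE)" }

    # Hash the evidence file so it can be verified if it is moved or shared.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $pcapng).Hash
    [pscustomobject]@{ Etl = $EtlPath; Pcapng = $pcapng; Sha256 = $hash }
}

# Usage (placeholder values): capture 60 s of TCP traffic to/from one host.
# Invoke-NetshCapture -EtlPath 'C:\temp\capture.etl' -HostAddress '192.0.2.10' -Protocol TCP -DurationSeconds 60
```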

This post is licensed under CC BY 4.0 by the author.