Capturing of Network Traffic without Capture Software Installation

This article outlines how to capture network traffic without installing packet capture software like Wireshark, which might be restricted in certain environments.

Netsh, which ships with Windows Server, can be used in restrictive environments to capture network traffic; nothing needs to be downloaded or installed.

Starting the capture

To start the network capture, run the "netsh trace start" command from an elevated command prompt. Detailed information about the tool and its available options can be found in the Microsoft documentation: Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7.

The syntax of the "netsh trace start" command is as follows:

start [[scenario=]Scenario1,Scenario2] [[globalKeywords=]keywords] [[globalLevel=]level] [[capture=]{yes|no}] [[report=]{yes|no}] [[persistent=]{yes|no}] [[traceFile=]Path\Filename] [[maxSize=]MaxFileSizeInMB] [[fileMode=]{single|circular|append}] [[overwrite=]{yes|no}] [[correlation=]{yes|no|disabled}] [[provider=]ProviderIdOrName] [[keywords=]KeywordMaskOrSet] [[level=]level] [[provider=]Provider2IdOrName] [[keywords=]Keyword2MaskOrSet] [[level=]level2]

Capture Filters

Capture filters can be used to reduce the amount of captured data. To see the available filters, run the "netsh trace show captureFilterHelp" command.

Useful filters:
CaptureInterface= Enables packet capture for the specified interface name or GUID. Use 'netsh trace show interfaces' to list available interfaces.
Ethernet.Address= Matches the specified filter against both source and destination MAC addresses.
Ethernet.SourceAddress= Matches the specified filter against source MAC addresses.
Protocol= Matches the specified filter against the IP protocol.
IPv4.Address= Matches the specified filter against both source and destination IPv4 addresses.
IPv4.SourceAddress= Matches the specified filter against source IPv4 addresses.

Example command:
Netsh trace start capture=yes traceFile=C:\Capture\TraceOutput1.etl CaptureInterface="Local Area connection 1" IPV4.Address=

Stopping the Capture

To stop the capture, run the "Netsh trace stop" command.
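The start, filter and stop steps above, wrapped in a PowerShell script as an added example (not part of the original article). The interface name "Ethernet", the host address 192.0.2.10 and the 60-second duration are assumed values to replace with your own; the script checks for elevation first, because netsh trace refuses to start without it.

```powershell
# Added example, not from the original article: automate a filtered
# netsh trace capture. Interface name, address and duration are assumed
# placeholders; list real interface names with 'netsh trace show interfaces'.
param(
    [string]$Interface       = "Ethernet",                    # assumed interface name
    [string]$HostAddress     = "192.0.2.10",                  # constructed example address
    [string]$TraceFile       = "C:\Capture\TraceOutput1.etl", # same path as the article
    [int]   $MaxSizeMB       = 250,
    [int]   $DurationSeconds = 60
)

# netsh trace start requires elevation; fail early with a clear message
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated prompt: netsh trace requires administrator rights."
}

# netsh does not create the output directory, so make sure it exists
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Start a capture limited to one interface and one IPv4 host (source or
# destination). Circular mode keeps the file at maxSize so a long capture
# cannot fill the disk; overwrite=yes replaces a stale file from a previous run.
netsh trace start capture=yes traceFile="$TraceFile" maxSize=$MaxSizeMB `
    fileMode=circular overwrite=yes `
    CaptureInterface="$Interface" IPv4.Address=$HostAddress
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed with exit code $LASTEXITCODE"
}

try {
    Write-Host "Capturing traffic to/from $HostAddress on '$Interface' for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the session; otherwise it keeps running after the script exits
    netsh trace stop
}

# Show what netsh wrote (the .etl trace plus any companion files)
Get-ChildItem -Path (Split-Path $TraceFile) |
    Select-Object Name, Length, LastWriteTime
```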

Viewing the Trace