Capturing of Network Traffic without Capture Software Installation

Capturing network traffic without the need for dedicated capture software (e.g. Wireshark) is a practical and efficient approach for environments with high security standards.

Netsh, which ships with Windows Server, can be used in restrictive environments to capture network traffic; nothing needs to be downloaded or installed for the capture itself.

Starting the Capture

To start the capture, run the netsh trace start command from an elevated command prompt. Detailed information about the tool and its options can be found here: Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7.

Syntax

The syntax of the netsh trace start command is as follows:

start [[scenario=]Scenario1,Scenario2] [[globalKeywords=]keywords] [[globalLevel=]level] [[capture=]{yes|no}] [[report=]{yes|no}] [[persistent=]{yes|no}] [[traceFile=]Path\Filename] [[maxSize=]MaxFileSizeInMB] [[fileMode=]{single|circular|append}] [[overwrite=]{yes|no}] [[correlation=]{yes|no|disabled}] [[provider=]ProviderIdOrName] [[keywords=]KeywordMaskOrSet] [[level=]level] [[provider=]Provider2IdOrName] [[keywords=]Keyword2MaskOrSet] [[level=]level2]

Capture Filters

Capture filters can be used to reduce the amount of captured data. To see the available filters run the "netsh trace show captureFilterHelp" command.

Useful filters:
  • CaptureInterface= Enables packet capture for the specified interface name or GUID. Use 'netsh trace show interfaces' to list available interfaces.
  • Ethernet.Address= Matches the specified filter against both source and destination MAC addresses.
  • Ethernet.SourceAddress= Matches the specified filter against source MAC addresses.
  • Protocol= Matches the specified filter against the IP protocol.
  • IPv4.Address= Matches the specified filter against both source and destination IPv4 addresses.
  • IPv4.SourceAddress= Matches the specified filter against source IPv4 addresses.

Example command (straight double quotes are required around an interface name that contains spaces; the curly quotes a word processor produces are not accepted):
netsh trace start capture=yes traceFile=C:\Capture\TraceOutput1.etl CaptureInterface="Local Area Connection 1" IPv4.Address=192.168.1.2

Stopping the Capture

To stop the capture run the "netsh trace stop" command.

Viewing the Trace

  • Convert the captured .etl file to .pcapng format:
    • download etl2pcapng from GitHub
    • run etl2pcapng.exe <name_of_input.etl> <output_name.pcapng>
  • Review the .pcapng file in Wireshark.
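The start, stop and convert steps above, wrapped into one PowerShell function as an added example (not code from the original article). It assumes etl2pcapng.exe is on PATH or is passed via -Etl2Pcapng, and the interface name and address in the usage line are the article's own placeholder values.

```powershell
# Added example (not from the original article): the start / stop / convert
# workflow above as one PowerShell function. Assumes etl2pcapng.exe (from GitHub)
# is on PATH or passed via -Etl2Pcapng; interface name and address are caller-supplied.
function Invoke-NetshCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TraceFile,   # e.g. C:\Capture\TraceOutput1.etl
        [Parameter(Mandatory)][string]$Interface,   # name from 'netsh trace show interfaces'
        [string]$IPv4Address,                       # optional IPv4.Address= filter
        [int]$Seconds = 60,                         # capture duration
        [int]$MaxSizeMB = 250,                      # maxSize= for the circular .etl file
        [string]$Etl2Pcapng = 'etl2pcapng.exe'
    )
    # netsh trace requires elevation; fail before starting rather than mid-capture.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'netsh trace start must be run from an elevated prompt.'
    }
    $dir = Split-Path -Parent $TraceFile
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Same parameters as the article's example, plus a bounded circular file so a long
    # capture cannot fill the disk. Start-Process passes the string verbatim, so the
    # quotes around the interface name reach netsh intact.
    $startArgs = "trace start capture=yes traceFile=`"$TraceFile`" maxSize=$MaxSizeMB " +
                 "fileMode=circular overwrite=yes report=no CaptureInterface=`"$Interface`""
    if ($IPv4Address) { $startArgs += " IPv4.Address=$IPv4Address" }
    $p = Start-Process netsh.exe -ArgumentList $startArgs -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "netsh trace start failed (exit code $($p.ExitCode))" }
    try {
        Start-Sleep -Seconds $Seconds
    } finally {
        # Always stop, otherwise the trace keeps running (and writing) in the background.
        Start-Process netsh.exe -ArgumentList 'trace stop' -Wait -NoNewWindow
    }

    # Convert to .pcapng for Wireshark if the converter is available; else return the .etl.
    $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    if (Get-Command $Etl2Pcapng -ErrorAction SilentlyContinue) {
        $c = Start-Process $Etl2Pcapng -ArgumentList "`"$TraceFile`" `"$pcapng`"" -Wait -PassThru -NoNewWindow
        if ($c.ExitCode -eq 0 -and (Test-Path $pcapng)) { return Get-Item $pcapng }
    }
    Write-Warning "etl2pcapng not found or failed; raw trace left at $TraceFile"
    return Get-Item $TraceFile
}
# Usage (values are the article's example placeholders):
# Invoke-NetshCapture -TraceFile C:\Capture\TraceOutput1.etl -Interface 'Local Area Connection 1' -IPv4Address 192.168.1.2 -Seconds 30
```

The function returns the .pcapng (or, if conversion is unavailable, the .etl) as a FileInfo object, so the path can be piped straight into further tooling.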