NETSH TRACE packet capture ONLY

DaveC 186 Reputation points
2021-05-19T21:48:34.09+00:00

I'd like to know if it's ever been considered to add an option to NETSH TRACE CAPTURE=YES which prevents the utility from gathering additional data (and creating cabinet files)?

In other words - how about an option to only get a network capture?

Thanks,
DaveC


Accepted answer
  1. Anonymous
    2021-05-20T02:00:44.003+00:00

    Hi,

    Use the following netsh command; it will only generate an ETL file: netsh trace start capture=yes persistent=yes tracefile=c:\nettrace.etl maxsize=2048 overwrite=yes report=disabled

    Best Regards,
    Candy


3 additional answers

Sort by: Most helpful
  1. Gary Nebbett 6,216 Reputation points
    2021-05-20T07:01:39.407+00:00

    Hello @DaveC ,

    I guess that you might have already tried Candy's suggestion ("report=disabled") and found that it did not work. It is a few years since I last looked, but when I investigated this behaviour it seemed as though "report=disabled" was ignored if the user was a member of the Administrators group.

    At that time, I switched to using PowerShell to capture packets - the Add-NetEventPacketCaptureProvider uses exactly the same capture mechanism as "netsh trace" (i.e. ndiscap.sys) but without the wasteful report generation.

    There is now a new packet capture mechanism available from the command line (in newer versions of Windows 10 - since 1809, I think) - namely PktMon. This can do everything (and more) that ndiscap.sys does and I have now switched to using it.

    Gary

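As an added example (not code from the thread or from Microsoft), this is the capture-only PowerShell route Gary describes, using the NetEventPacketCapture cmdlets; the session name, output path, file size and filter values are assumptions to adjust.

```powershell
# Added example: packet-only capture with the NetEventPacketCapture cmdlets.
# Requires an elevated PowerShell. Session name and path are assumed values.
$SessionName = 'PktOnly'
$EtlPath     = 'C:\Traces\pktonly.etl'   # assumed output location

function Start-PacketOnlyCapture {
    param(
        [string]$Name = $SessionName,
        [string]$Path = $EtlPath,
        [int]$MaxFileSizeMB = 512,
        [string[]]$IpAddresses = @()      # optional host filter, e.g. '10.0.0.5'
    )
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # A session left over from an interrupted run would block New-NetEventSession.
    if (Get-NetEventSession -Name $Name -ErrorAction SilentlyContinue) {
        Stop-NetEventSession -Name $Name -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $Name
    }
    # SaveToFile writes a plain ETL: no report, no .cab, unlike "netsh trace".
    New-NetEventSession -Name $Name -CaptureMode SaveToFile `
        -LocalFilePath $Path -MaxFileSize $MaxFileSizeMB | Out-Null
    # Same ndiscap provider that netsh trace uses; Physical = NIC traffic only.
    $p = @{ SessionName = $Name; Level = 4; CaptureType = 'Physical' }
    if ($IpAddresses.Count -gt 0) { $p.IpAddresses = $IpAddresses }
    Add-NetEventPacketCaptureProvider @p | Out-Null
    Start-NetEventSession -Name $Name
    Write-Host "Capturing to $Path (session '$Name'). Run Stop-PacketOnlyCapture to finish."
}

function Stop-PacketOnlyCapture {
    param([string]$Name = $SessionName)
    Stop-NetEventSession -Name $Name
    $path = (Get-NetEventSession -Name $Name).LocalFilePath
    Remove-NetEventSession -Name $Name
    Get-Item $path   # the only artifact produced: the .etl capture file
}

# Usage (elevated):
#   Start-PacketOnlyCapture -IpAddresses '10.0.0.5'
#   ... reproduce the issue ...
#   Stop-PacketOnlyCapture
```

The resulting .etl opens in Microsoft Network Monitor or Message Analyzer-style ETL readers; on Windows 10 1809 and later, pktmon is the other capture-only option mentioned in this thread.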

  2. DaveC 186 Reputation points
    2021-05-20T17:02:38.89+00:00

    Thank you @Anonymous and @Gary Nebbett for these suggestions. I'll review and follow up.

    -DaveC


  3. DaveC 186 Reputation points
    2021-05-27T13:50:14.9+00:00

    Apologies @Anonymous and @Gary Nebbett for my delay.

    I wish I could accept BOTH of these answers, because they are both very helpful :)

    We successfully tested both NETSH (with 'report=disabled' switch) AND pktmon. Seems like PKTMON is the way forward :)

    Thank you both very much.

    -DaveC

