Netsh capture filter

Hram Admin 290 Reputation points
2025-12-10T14:56:14.3166667+00:00

Hello!

While capturing network traffic by netsh I was surprised to see ARP queries in the .etl file after running ~ the following command:

netsh trace start capture = yes level=5 report = yes ipv4.address=xxxx protocol=6 tracefile=E:\TRACE\File.etl

As far as I understand protocol=6 means only TCP traffic - why does netsh keep capturing ARP packets???

Thank you in advance,
Michael


Answer accepted by question author
  1. Q&A Assist
    2025-12-10T14:56:22.6166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    When using the netsh trace start command with the protocol=6 filter, it is important to note that this filter is specifically for TCP traffic, which is protocol number 6 in the IP protocol suite. However, ARP (Address Resolution Protocol) operates at a different layer (the data link layer) and is not encapsulated within the IP protocol. Therefore, ARP traffic can still be captured regardless of the TCP filter applied.

    In essence, the capture filter for TCP does not exclude lower-level protocols like ARP, which is why you are seeing ARP queries in your ETL file. The netsh tool captures all network traffic that passes through the specified network interfaces, including ARP, even when filtering for TCP traffic.

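An added example, not part of the question or the answer above: a post-capture filter that keeps only IPv4 frames whose protocol field is 6, showing at the frame level why an ARP frame (EtherType 0x0806) has no IP protocol number to compare against. The frames are constructed samples, `classify` and `keep_tcp_only` are hypothetical helper names, and exporting raw Ethernet bytes from the .etl file is assumed to have been done already.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def classify(frame: bytes):
    """Return (ethertype, ip_protocol); ip_protocol is None if the frame has no IPv4 header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag: real EtherType is 4 bytes later
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        ethertype, offset = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETHERTYPE_IPV4:
        return ethertype, None               # ARP lands here: no IP header, no protocol field
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("truncated or malformed IPv4 header")
    return ethertype, frame[offset + 9]      # byte 9 of the IPv4 header is the protocol number

def keep_tcp_only(frames):
    """Post-capture filter: keep frames that are IPv4 and carry protocol 6."""
    return [f for f in frames if classify(f) == (ETHERTYPE_IPV4, IPPROTO_TCP)]

# --- constructed sample frames (documentation addresses, locally administered MACs) ---
MAC_A, MAC_B, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(proto):
    # Minimal 20-byte header, checksum left at 0 because nothing here validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, IP_A, IP_B)

ARP_REQUEST = eth(BCAST, MAC_A, ETHERTYPE_ARP,
                  struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, MAC_A, IP_A, bytes(6), IP_B))
TCP_FRAME = eth(MAC_B, MAC_A, ETHERTYPE_IPV4, ipv4(IPPROTO_TCP))
UDP_FRAME = eth(MAC_B, MAC_A, ETHERTYPE_IPV4, ipv4(IPPROTO_UDP))
VLAN_TCP_FRAME = eth(MAC_B, MAC_A, ETHERTYPE_VLAN, struct.pack("!HH", 10, ETHERTYPE_IPV4) + ipv4(IPPROTO_TCP))
SAMPLES = [ARP_REQUEST, TCP_FRAME, UDP_FRAME, VLAN_TCP_FRAME]

if __name__ == "__main__":
    for f in SAMPLES:
        print("ethertype=0x%04x ip_protocol=%s" % classify(f))
    print("kept", len(keep_tcp_only(SAMPLES)), "of", len(SAMPLES))
```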
