Network tracing (packet sniffing) built-in to Windows and Windows Server.
Applies to:
Windows 10, version 1803
Windows Server 1709
Windows 10, version 1709
Windows 10, version 1703
Windows Server 2016
Windows 10, version 1607
Windows 10, version 1511
Windows 10, version 1507
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Does not apply:
Windows Server 2008
Windows Vista
Windows Server 2003
Windows XP
Originally published Dec 2012. Updated June 2015, Nov. 2016, May 2018.
In earlier Windows Server versions, if you wanted to capture network packets (for those coming from a Unix background: a packet sniffer, protocol analyzer, or tcpdump), you had to install an add-on such as Network Monitor (Netmon) or Wireshark (formerly known as Ethereal). Installing these products meant going through a change control process.
Starting with Windows 7 and Windows Server 2008 R2, network capture is built into the Windows OS.
Step 1. WARNING: In Windows 7 and Windows Server 2008 R2, you could run into:
Please make sure to install the hotfix above before you proceed.
Step 2. Before you capture any network trace, have answers ready to the questions listed here:
Network tracing (packet sniffing) data to provide when troubleshooting.
Step 3. Minimize the noise.
Close all the applications that are unnecessary for the issue that you are investigating.
Step 4. Clear any cached data.
Clear all name resolution caches as well as all cached Kerberos tickets.
To clear DNS name cache you type in: IPConfig /FlushDNS
To clear NetBIOS name cache you type in: NBTStat -R
Note: This command requires you to be a “Local Administrator” (i.e. open CMD with Run as admin).
To clear Kerberos tickets you need KList.exe: KList purge
Note: Depending on what permissions the service or application has, you might have to open a Command Prompt (CMD.exe) using those permissions. For example: If the app or service uses the System account, you will need to use Sysinternals Psexec.
PSExec.exe -s -i cmd.exe
And then run the commands above in the new command prompt that opened to clear the cache(s).
Likewise, clear any application-level cache; for example, if you are troubleshooting Internet Explorer (IE), clear the IE cache.
Step 5. Start, CMD (Run as admin)
Type “Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=no traceFile=C:\Temp\NetTrace.etl” without the quotation marks and then press Enter.
Note: Details of all the options are available in the links under More information below.
Note 2: You always want to take network traces from both sides (sending and receiving).
Step 6. Reproduce the issue.
Open a second CMD (Run as admin)
Once you have reproduced the issue, add a ‘marker’ to the network trace to show where the repro ended:
Type “ping 127.0.0.1” without the quotation marks and then press Enter.
Step 7. To stop the network capture
Type “netsh trace stop” without the quotation marks and then press Enter.
Once you have the NetTrace.etl file, you can copy it off the server or client to your Windows client.
In your Windows client, you would use Microsoft Network Monitor 3.4 to analyze the network packets.
In your Windows machine, you could use Microsoft Message Analyzer to analyze the network packets.
More information:
Scenarios for Windows 10, Windows Server 2016, Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7 and Windows Server 2008 R2 | Troubleshoots what type of issue? |
AddressAcquisition | Address acquisition |
DirectAccess | DirectAccess related issues |
FileSharing | Common file and printer sharing problems |
InternetClient | Web connectivity issues (client side) |
InternetServer | Server-side web connectivity issues / set of HTTP service counters |
L2SEC | Layer 2 authentication |
LAN | Wired LAN |
Layer2 | Layer 2 connectivity |
MBN | Mobile broadband |
NDIS | Network adapter |
NetConnection | Network connections |
NetworkSnapshot | Collects the current network state of the system (Windows 10 1607 and newer only) |
P2P-Grouping | Peer-to-peer Grouping |
P2P-PNRP | Peer Name Resolution Protocol (PNRP) |
RemoteAssistance | Windows Remote Assistance |
RPC | RPC framework (not in Windows 8.1 or newer) |
WCN | Windows Connect Now |
WFP-Ipsec | Windows Filtering Platform and IPsec |
WLAN | Wireless LAN |
XboxMultiplayer | Xbox Live Multiplayer connectivity (Windows 10 1607 and newer only) |
Scenarios for Hyper-V 2012 R2 core | Troubleshoots what type of issue? |
AddressAcquisition | Address acquisition |
InternetServer | Server-side web connectivity |
NDIS | Network adapter |
Virtualization | Network connectivity issues in a virtualization environment |
Network Tracing in Windows 7 (Windows)
Netsh Commands for Trace
Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7
Event Tracing for Windows and Network Monitor
Tool: Installing the Microsoft Message Analyzer version 1.3
How to setup a local network trace using “Start Local Trace” in Message Analyzer v1.3?
How to setup a local network trace on the LAN using Message Analyzer v1.3 UI?
For administrators who want to learn more and whose company has a Premier contract, there is a workshop called “Netmon for Enterprise Troubleshooting”. Please contact your Technical Account Manager (TAM) about availability in your neck of the woods.
Microsoft Services - Premier Support Proactive Services - Proactive Education
P.S. Getting a network trace during boot.
Type “Netsh trace start scenario=AddressAcquisition,FileSharing,LAN,Layer2,NDIS,NetConnection,WLAN capture=yes report=yes persistent=yes maxsize=1024 correlation=no traceFile=C:\temp\NetTrace.etl” without the quotation marks and then press Enter.
To stop the network capture
Type “netsh trace stop” without the quotation marks and then press Enter.
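Steps 4 through 7 above and the boot-time variant in this P.S., combined into one PowerShell script. This is an added example, not from the original post: the function names and the -Persistent switch are this example's own, while the ipconfig, nbtstat, klist and netsh commands and their arguments are the ones given in the post.

```powershell
# Added example (not from the original post). Function names and the
# -Persistent switch are this example's own; the commands are the post's.
#Requires -RunAsAdministrator

function Clear-NameAndTicketCaches {
    # Step 4: flush DNS cache, NetBIOS name cache and cached Kerberos tickets
    ipconfig /flushdns | Out-Null
    nbtstat -R | Out-Null
    klist purge | Out-Null
}

function Start-NetTrace {
    param(
        [string]$TraceFile = 'C:\Temp\NetTrace.etl',
        [string[]]$Scenario = @('NetConnection'),
        [switch]$Persistent   # persistent=yes keeps the trace running across a reboot
    )
    # netsh will not create the folder for the .etl file, so create it first
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $persist = if ($Persistent) { 'yes' } else { 'no' }
    $scenarioArg = 'scenario=' + ($Scenario -join ',')
    # Step 5: same arguments as the post's command line
    netsh trace start $scenarioArg capture=yes report=yes "persistent=$persist" `
        maxsize=1024 correlation=no "traceFile=$TraceFile"
}

function Stop-NetTrace {
    # Step 6 marker: a loopback ping makes the end of the repro easy to find in the trace
    ping 127.0.0.1 -n 1 | Out-Null
    # Step 7: stop the capture; netsh writes the .etl and the report .cab next to it
    netsh trace stop
}

# Normal capture (Steps 4 to 7): clear caches, start, reproduce, mark, stop
Clear-NameAndTicketCaches
Start-NetTrace -Scenario NetConnection
Read-Host 'Reproduce the issue, then press Enter to stop the trace'
Stop-NetTrace

# Boot-time variant from the P.S.: start with persistent=yes and the post's scenario
# list, reboot, then run Stop-NetTrace after logon.
# Start-NetTrace -Persistent -Scenario AddressAcquisition,FileSharing,LAN,Layer2,NDIS,NetConnection,WLAN
```

Remember to take the same capture on the other side of the conversation (sending and receiving), as Note 2 in Step 5 says.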
Comments
- Anonymous, May 26, 2018: https://www.slideshare.net/hebikuzure/windows-47455193
- Anonymous, February 15, 2019: Great, thanks. Just solved a Java app issue that was trying to get out via the proxy.