How to capture network traffic on a windows server without installing wireshark on the server
Table of Contents
If you need to capture network traffic from a Windows server, you may find that that standards or controls in your organisation prevent or forbid you from installing tools such as Wireshark on your Windows servers.
This may be enforced by AppLocker or other controls.
However, if you do have Administrator access on the server you can still capture the traffic and also convert to a format you can load into Wireshark on a desktop machine (or analyse using tcpdump or other tools on a Linux system) - there is no requirement to install Wireshark on the server - you can use built-in tools to achieve this.
Starting the capture process
To do this:
- Login to server as a user with Administrator permissions
- Click Start, type powershell and right click on Windows Powershell
- Click on Run as Administrator
- Click Yes on the User Account Control prompt
- Click Yes
- From the powershell window enter the command below, noting the information in the table below:
netsh trace start capture=yes IPv4.Address=<Remote IP> tracefile=<Path>\<filename>.etl
|IPv4.Address||The IP address of the server communicating with this server whose traffic you wish to capture. This reduces the amount of packets capture which reduces space usage and aids in easier troubleshooting by filtering out traffic that is not of interest||Valid IPV4 IP Address e.g. 192.168.0.1|
|tracefile||Path to and name of the file to write the captured traffic to. The file MUST end in the .etl file extension||Full file path e.g. C:\Users\MyUser\capture.etl|
A few things to be aware of
This will overwrite the .etl file if it already exists, will use a maximum capture file size of 250MB and will default to a circular capture e.g. when the file size limit is reached, the oldest packets are removed to make space for new packets.
A full list of syntax and options is available at Netsh Commands for Network Trace | Microsoft Docs
The following response will be returned if trace was successfully started:
Trace configuration: ------------------------------------------------------------------- Status: Running Trace File: C:\Users\MyUser\capture.etl Append: Off Circular: On Max Size: 250 MB Report: Off
Stopping the capture process
Once you have replicated the problem you are troubleshooting, you will need to stop the trace.
To stop the trace, enter the following syntax :
netsh trace stop
You will then see the following messages for several minutes (how long will depend upon a number of factors including service specification, performance, trace file size etc):
Correlating traces ... done Merging traces ... done Warning: An instance of the 'NT Kernel Logger' is already running. System information will not be added to the trace file. Generating data collection ... done When completed the following message will be displayed: The trace file and additional troubleshooting information have been compiled as "C:\Users\MyUser\capture.cab". File location = C:\Users\MyUser\capture.etl Tracing session was successfully stopped.
Converting the output to .pcapng format
The default file format is not supported by Wireshark, however you can convert the .etl file to .pcapng format using the etl2pcapng utility from Microsoft that converts an .etl file containing a Windows network packet capture into .pcapng format.
The latest release can be downloaded as a compiled application from Releases · microsoft/etl2pcapng · GitHub.
Once the release is downloaded and extracted from the zip file, the syntax is straightforward:
etl2pcapng.exe <infile><outfile> #e.g. etl2pcapng.exe capture.etl out.pcapng
To view the pcapng file on your windows client device you can install Wireshark. It can even be installed without the network capture driver - so it is purely for analysing packet captures from other hosts.
On a Linux based OS, you can use tools such as:
As ever, thanks for reading and feel free to leave comments down below!