
Intro

If you need to capture network traffic from a Windows server, you may find that standards or controls in your organisation prevent or forbid you from installing tools such as Wireshark on your Windows servers.

This may be enforced by AppLocker or other controls.

However, if you do have Administrator access on the server you can still capture the traffic using built-in tools, and then convert it to a format you can load into Wireshark on a desktop machine (or analyse using tcpdump or other tools on a Linux system). There is no requirement to install Wireshark on the server.

Starting the capture process

To do this:

  1. Login to server as a user with Administrator permissions
  2. Click Start, type powershell and right click on Windows Powershell
  3. Click on Run as Administrator
  4. Click Yes on the User Account Control prompt
  5. Press Ctrl + Alt + Del
  6. Click Yes
  7. From the PowerShell window enter the command below, noting the parameters described underneath it:

     netsh trace start capture=yes IPv4.Address=<Remote IP> tracefile=<Path>\<filename>.etl

Parameter: IPv4.Address
  Purpose: The IP address of the remote host communicating with this server whose traffic you wish to capture. This reduces the number of packets captured, which reduces space usage and makes troubleshooting easier by filtering out traffic that is not of interest.
  Values:  A valid IPv4 address, e.g. 192.168.0.1

Parameter: tracefile
  Purpose: Path to and name of the file to write the captured traffic to. The file MUST end in the .etl file extension.
  Values:  A full file path, e.g. C:\Users\MyUser\capture.etl

A few things to be aware of

This will overwrite the .etl file if it already exists, will use a maximum capture file size of 250MB and will default to a circular capture, i.e. when the file size limit is reached, the oldest packets are removed to make space for new packets.

A full list of syntax and options is available at Netsh Commands for Network Trace | Microsoft Docs

The following response will be returned if trace was successfully started:

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\MyUser\capture.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

Stopping the capture process

Once you have replicated the problem you are troubleshooting, you will need to stop the trace.

To stop the trace, enter the following command: netsh trace stop

You will then see the following messages for several minutes (how long depends upon a number of factors including server specification, performance, trace file size etc.):

Correlating traces ... done
Merging traces ... done
Warning: An instance of the 'NT Kernel Logger' is already running.
         System information will not be added to the trace file.
Generating data collection ... done

When completed the following message will be displayed:

The trace file and additional troubleshooting information have been compiled as "C:\Users\MyUser\capture.cab".
File location = C:\Users\MyUser\capture.etl
Tracing session was successfully stopped.

Converting the output to .pcapng format

The default file format is not supported by Wireshark. However, you can convert the .etl file to .pcapng format using the etl2pcapng utility from Microsoft, which converts an .etl file containing a Windows network packet capture into .pcapng format.

The latest release can be downloaded as a compiled application from Releases · microsoft/etl2pcapng · GitHub.

Once the release is downloaded and extracted from the zip file, the syntax is straightforward:

etl2pcapng.exe <infile> <outfile>
# e.g.
etl2pcapng.exe capture.etl out.pcapng
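The whole procedure (start the filtered trace, stop it, convert it) wrapped into one script, as an added example that is not part of the original post. The parameter names, the default file paths and the etl2pcapng.exe location are assumptions; it uses only netsh trace, etl2pcapng.exe and standard PowerShell cmdlets.

```powershell
# Added example: capture traffic to/from one remote host with netsh trace and
# convert the result to .pcapng. Paths below are assumptions; adjust to taste.
param(
    [Parameter(Mandatory)][string]$RemoteIp,                       # IPv4.Address filter
    [string]$TraceFile  = 'C:\Users\MyUser\capture.etl',           # must end in .etl
    [string]$Etl2Pcapng = 'C:\Tools\etl2pcapng\etl2pcapng.exe'     # assumed install path
)

# netsh trace needs an elevated session; fail early rather than after the capture.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from a PowerShell window started with "Run as Administrator".'
}

# Validate the filter address (IPv4 only) and the output file name before touching netsh.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($RemoteIp, [ref]$ip) -or
    $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "RemoteIp must be a valid IPv4 address, e.g. 192.168.0.1 (got '$RemoteIp')"
}
if ([IO.Path]::GetExtension($TraceFile) -ne '.etl') {
    throw 'TraceFile must end in the .etl extension'
}

# Start the capture; defaults (250 MB, circular, overwrite) are as described above.
netsh trace start capture=yes "IPv4.Address=$RemoteIp" "tracefile=$TraceFile"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

Write-Host "Capturing traffic to/from $RemoteIp into $TraceFile."
Write-Host 'Reproduce the problem, then press Enter to stop the trace.'
[void](Read-Host)

# Stopping correlates and merges the traces; this can take several minutes.
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }

# Convert to .pcapng so the file can be opened in Wireshark or tcpdump elsewhere.
$PcapFile = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
& $Etl2Pcapng $TraceFile $PcapFile
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }

# Record a hash so the copy analysed on another machine can be checked against the original.
Get-FileHash -Algorithm SHA256 -Path $PcapFile | Format-List Algorithm, Hash, Path
```

Save it as, for example, Capture-RemoteHost.ps1 and run it from an elevated PowerShell window with -RemoteIp 192.168.0.1; the .pcapng file and its SHA256 are produced beside the .etl file.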

To view the .pcapng file on your Windows client device you can install Wireshark. It can even be installed without the network capture driver, so it is purely for analysing packet captures from other hosts.

On a Linux based OS, you can use tools such as:

As ever, thanks for reading and feel free to leave comments down below!