Capture packets with a standard Windows tool
Wireshark is a great way to capture network packets, but it's not always practical to use it. In an enterprise environment, at the very least, we need to get a change approved to install the software. Often it is just not possible to get approval to install Wireshark onto a desktop or server. So packet capture isn't possible - or is it?
Windows includes a rarely-used command line tool that has many of the capabilities of Wireshark's dumpcap. It's there ready and waiting, on every Windows machine! Let's take a look at how we can use it.
Windows 2000 introduced a command line utility called netsh (network shell). As the name suggests, netsh is a shell environment that provides commands that address network issues. One of the commands it provides is netsh trace, a simple command line packet capture tool.
In the following video we take a look at using netsh trace, and how we analyze the resulting trace file with Microsoft Message Analyzer and Wireshark.
netsh trace is available on all supported releases of Windows client and Server editions. Running a trace requires elevated rights, but it can be initiated via a scheduled task, and it can be configured to run in a persistent mode that survives a reboot.
netsh trace includes capture filter functionality and options to control the file size. Use the command netsh trace start ? to view the options.
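As an added example that is not part of the original article, the following elevated PowerShell session starts a persistent, size-capped capture restricted to a single host and protocol, checks it, and stops it. The trace path C:\Temp\capture.etl, the peer address 192.0.2.10 and the TCP-only filter are placeholder assumptions to adapt to your own case.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumed placeholders: the trace file path and the peer address 192.0.2.10.
$TraceFile = 'C:\Temp\capture.etl'
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Start a packet capture (capture=yes) with:
#  - a capture filter limiting it to one IPv4 host and TCP only
#  - a circular output file capped at 100 MB so the disk cannot fill up
#  - persistent=yes so the session survives a reboot
#  - report=disabled so no diagnostic .cab report is generated alongside the .etl
netsh trace start capture=yes tracefile=$TraceFile maxsize=100 filemode=circular `
    persistent=yes report=disabled IPv4.Address=192.0.2.10 Protocol=TCP

# Confirm the session is running and see which file and filters are in effect.
netsh trace show status

# ... reproduce the problem on the wire, then stop the session, which flushes the .etl file.
netsh trace stop
```

Use `netsh trace show CaptureFilterHelp` to list the full set of capture filter keywords available on your build.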