Basic Network Capture Methods

Hi everyone. This is Michael Rendino, a Premier Field Engineer from Charlotte, NC and former member of the CTS networking support team. With my networking background, I have spent years reviewing network captures. One thing I always run into with my customers is that they often don’t know the best or easiest solution to get a network capture. There are many solutions you can use and choosing the right one often depends on the scenario. While colleagues have created blogs on getting a trace with a single tool, I wanted to provide a location that someone can bookmark to be a single set of instructions for a number of solutions. Please note that when reviewing traces, you can use one or more of these tools and aren’t necessarily tied to what was used to collect the trace.

The Options

First, let’s cover each of the tools that can be used to collect a network trace, in order from oldest to newest:

  1. Network Monitor 3.4 (Netmon) – https://www.microsoft.com/en-us/download/details.aspx?id=4865 (NOTE: Network Monitor is no longer under active development)
  2. Wireshark (v 2.2.2 as of 11/16/16) – https://wireshark.org/#download
  3. Netsh Trace – built-in to operating system
  4. Microsoft Message Analyzer (MMA) (v 1.4 as of 6/13/16) – https://www.microsoft.com/en-us/download/details.aspx?id=44226

Comparison

| | Network Monitor | Wireshark | Netsh Trace | MMA |
| --- | --- | --- | --- | --- |
| Download required | Yes | Yes | No | Yes |
| Received updates | No (archived) | Frequent | No | Occasional |
| GUI | Yes | Yes | No | Yes |
| Command-line | Nmcap | Dumpcap | Netsh trace | PowerShell (PEF) |
| Default format | .cap | .pcapng | .etl | .matp |
| Parsing tool | Netmon, Wireshark or MMA | Wireshark, MMA or Netmon (when trace saved in tcpdump format) | Netmon or MMA (MMA can save in CAP format) | MMA (Netmon or Wireshark if saved in CAP format) |
| Capture multiple points concurrently* | No | No | No | Yes |
| Ability to capture a rolling set of files** | Yes** | Yes** | No | No |
| Promiscuous mode*** | Off by default | On by default | No | Off by default |
| Capture at logon/reboot | No | No | Yes | No |
| Troubleshooting ATA | Yes*** | No | No | No |

*MMA gives you the ability to setup and collect captures from multiple systems (e.g. client and server) using a single client.

**Wireshark can capture X files of Y size and roll as needed. Network Monitor can capture a chained set of files, but will not overwrite old files and can only be done via command line.

***Network Monitor is currently the only supported tool to install on an Advanced Threat Analytics server.

The basics

Right off the bat, it should become apparent from the table above that one of these options, netsh trace, has one benefit over the others: it is ready to go without any further installation. It does require an elevated command prompt to run, but nothing beyond that. In many environments where change control is strict and the necessary software hasn’t already been installed, this often makes it the only option. Another item to note is that “netsh trace” is a command-line tool and the other three each have command-line alternatives for network captures. Getting a trace that way is often beneficial because it eliminates the overhead of the GUI displaying and refreshing data in real time. As pointed out in the table, netsh traces can be opened with Netmon or MMA, but not Wireshark.

When collecting a short-term, simple trace for a set amount of time, there is not much of a difference in capturing with any of the tools. Each will let you create a trace, capture multiple NICs, and define capture rules (typically, please don’t as you may filter out something important). One item to note is regarding promiscuous mode. Be sure to enable it when you are doing port mirroring to allow a computer to capture all traffic on the port — not just the packets destined for its own MAC address.

Requirements

The only one with special requirements is Message Analyzer as certain features (like remote capture) are only possible on Windows 8.1, Server 2012 R2 and newer operating systems.

Instructions

And now the part you’ve been anxiously waiting for, the steps for each solution. I’ll provide both GUI and command line (where applicable) for getting a basic capture.

Network Monitor

GUI

  1. Launch Network Monitor. If you need promiscuous mode to capture traffic that is destined for machines other than the one where the capture is running, check the P-Mode box first, and then click “New Capture.” NOTE: You can select and deselect network adapters if you prefer, but these were the “quick” instructions, remember?

  2. Once you have the new capture open, simply click “Start” to begin tracing and “Stop” after you have captured the data you need. You can then click “Save As” to save the trace before starting your analysis.

  3. If you have applied a display filter or have selected certain frames and only want to retain that subset in a smaller file, you can save just those frames to a file if you wish.

Command Line

  1. Open an elevated command prompt for all of the following steps.
  2. Decide if you want to create multiple chained files of a particular size or if you want a single capture file with a max size of 500 MB.
  3. Run one of the following commands:
    1. For chained files: "nmcap /network * /capture /file %computername%.chn:100MB"
      1. This command will create a series of 100 MB captures in the current folder (adjust the size as you wish).
      2. In the above example, the name of the computer will be the name of the files, but you can replace %computername% with whatever you want.
      3. It will capture all network interfaces in the computer.
      4. If you wish to store the captures in a different folder, either run the command from another folder or put the full path before %computername%.chn.

      NOTE: Monitor the volume where the traces are being stored to ensure that it doesn’t consume too much disk space. Because Wireshark can cap the number of files it keeps, if you are unsure how long the trace must run, Wireshark may be a better solution.

    2. For a single file: "nmcap /network * /capture /file %computername%.cap"
      1. As previously noted, this command will create a single capture with a max size of 500 MB in the current folder.
      2. In the above example, the name of the computer will be the name of the file, but you can replace %computername% with whatever you want.
      3. It will capture all network interfaces in the computer.
      4. If you wish to store the capture in a different folder, either run the command from another folder or put the full path before %computername%.cap.

      NOTE: You must keep the command window open while the capture runs.

  4. Once the issue reproduces, use Ctrl+C to stop the capture.

Wireshark

GUI

Single File

  1. Launch Wireshark and select the NIC(s) you want to capture.

  2. Click the blue shark fin icon to start the trace.

  3. After reproducing the issue, to stop the capture, click the red stop icon.

  4. Save the file. Note that if you save it in .pcapng format (the default), it can’t be opened in Network Monitor but can be opened in MMA.

Chained Files

  1. If you want to capture multiple files, select Capture – Options (or Ctrl+K).

  2. Select the NIC(s) you want to capture.

  3. Click on the Output tab, then enter a path and name for the files. The name will be appended with a file number, the date and time. Select the “Create a new file automatically after” option, choose a size for each file and, for the ring buffer, enter the number of files you want to create. For example, with a file size of 100 MB and a ring buffer of ten files, ten 100 MB files would be created and the oldest file would be overwritten until the capture is stopped.

  4. If you wish to reduce the impact on the computer where the trace is being collected, click the Options tab, then deselect the “Update list of packets in real-time” and “Automatically scroll during live capture” options.

  5. Click the Start button to start the trace. After reproducing the issue, click the red stop icon to terminate the trace.

Command Line

  1. Open an elevated command prompt and switch to the Wireshark directory (usually c:\program files\Wireshark).
  2. From the Wireshark directory, run "dumpcap -D" to get a list of interfaces. You’ll need the interface number in the command to start the capture.
  3. Run "dumpcap -b filesize:100000 -b files:10 -i <interface number from step 2> -w c:\temp\%computername%.pcap". You can use a different path and filename if you wish. This command will create ten rolling 100 MB captures until the trace is stopped. Adjust those numbers as desired.

    NOTE: You must keep the command window open until the problem returns.

  4. Once the issue reproduces, use Ctrl+C to stop it.
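The same dumpcap capture driven from PowerShell, as an added example that is not part of the original post or of Wireshark itself. It picks the interface by its friendly name instead of a number read off the screen, checks that the volume can hold the whole ring buffer (files × size) before starting, and optionally passes dumpcap’s -P switch to write classic pcap instead of pcapng so the result can be opened in Network Monitor. Assumptions: Wireshark is installed in its default folder, and "dumpcap -D" prints one interface per line as "<number>. <device> (<friendly name>)"; the function names are mine.

```powershell
# Added example (not from the original post): drive dumpcap from PowerShell.
# Assumptions: default Wireshark install path; `dumpcap -D` output format
# "<number>. <device> (<friendly name>)", one interface per line.

$DumpcapPath = 'C:\Program Files\Wireshark\dumpcap.exe'

function Get-DumpcapInterface {
    # Parse `dumpcap -D` into objects with Number / Device / Name.
    param([string]$Dumpcap = $DumpcapPath)
    & $Dumpcap -D 2>$null | ForEach-Object {
        if ($_ -match '^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$') {
            [pscustomobject]@{
                Number = [int]$Matches[1]
                Device = $Matches[2]
                Name   = $Matches[3]
            }
        }
    }
}

function Start-RingBufferCapture {
    param(
        [Parameter(Mandatory)][string]$InterfaceName,      # substring of the friendly name, e.g. 'Ethernet'
        [string]$OutFile     = "C:\temp\$env:COMPUTERNAME.pcapng",
        [int]$FileSizeMB     = 100,
        [int]$FileCount      = 10,
        [switch]$ClassicPcap,                              # dumpcap -P: libpcap format, readable by Netmon
        [string]$Dumpcap     = $DumpcapPath
    )

    $iface = Get-DumpcapInterface -Dumpcap $Dumpcap |
        Where-Object { $_.Name -like "*$InterfaceName*" } |
        Select-Object -First 1
    if (-not $iface) {
        throw "No interface matching '$InterfaceName'; run '$Dumpcap -D' to list them."
    }

    # A ring buffer never grows past FileCount * FileSizeMB, so verify the
    # volume has that much room up front instead of finding out mid-repro.
    $dir = Split-Path -Parent $OutFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $driveLetter = (Split-Path -Qualifier $OutFile).TrimEnd(':')
    $freeMB = (Get-PSDrive -Name $driveLetter).Free / 1MB
    $needMB = $FileSizeMB * $FileCount
    if ($freeMB -lt $needMB * 1.1) {
        throw ("Ring buffer needs about {0} MB but {1}: has only {2:N0} MB free." -f $needMB, $driveLetter, $freeMB)
    }

    # dumpcap's filesize unit is kB, so 100 MB becomes 100000.
    $dumpcapArgs = @('-i', $iface.Number,
                     '-b', "filesize:$($FileSizeMB * 1000)",
                     '-b', "files:$FileCount",
                     '-w', $OutFile)
    if ($ClassicPcap) { $dumpcapArgs += '-P' }

    Write-Host "Capturing on #$($iface.Number) ($($iface.Name)) to $OutFile; press Ctrl+C to stop."
    & $Dumpcap $dumpcapArgs
}

# Usage (elevated PowerShell):
#   Start-RingBufferCapture -InterfaceName 'Ethernet' -FileSizeMB 100 -FileCount 10 -ClassicPcap
```

The 10% headroom in the free-space check is arbitrary; the point is that a ring buffer has a known ceiling, which is exactly what the chained nmcap files above do not have.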

Netsh Trace

One extra cool thing about “netsh trace” is that, by default, it creates a .cab file alongside the trace that contains a bunch of helpful diagnostic information such as various settings, event logs, and registry keys.

  1. Open an elevated command prompt and run the command "netsh trace start capture=yes tracefile=c:\temp\%computername%.etl". You can close the command prompt if you wish.

    NOTE: If you want to capture an issue that occurs during boot or logon, use the "persistent=yes" switch. By doing that, the trace will run through the reboot and can be stopped after logon with the command in step 2. Also, if you don’t want the .cab file, simply add "report=no" to the command in step 1.

  2. Once the issue reproduces, open an elevated command prompt and run the command "netsh trace stop".
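The two netsh trace steps wrapped in PowerShell, as an added example that is not from the original post. It checks for elevation before calling netsh (the one requirement the tool has), exposes persistent=yes and report=no as switches, and treats the .cab report as something to handle with care since it bundles event logs and registry data. One assumption beyond the post: the maxsize= parameter of "netsh trace start" (value in MB) is used to cap the .etl file; the function names are mine.

```powershell
# Added example (not from the original post): netsh trace start/stop from PowerShell.
# Assumption: "maxsize=<MB>" is a valid "netsh trace start" parameter (not mentioned in the post).

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-NetshTrace {
    param(
        [string]$TraceFile = "C:\temp\$env:COMPUTERNAME.etl",
        [switch]$Persistent,      # persistent=yes: keep tracing across a reboot for boot/logon issues
        [switch]$NoReport,        # report=no: skip the diagnostic .cab
        [int]$MaxSizeMB = 250
    )
    if (-not (Test-IsElevated)) { throw 'netsh trace requires an elevated prompt.' }

    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile", "maxsize=$MaxSizeMB")
    if ($Persistent) { $netshArgs += 'persistent=yes' }
    if ($NoReport)   { $netshArgs += 'report=no' }

    Write-Host "Running: netsh $($netshArgs -join ' ')"
    & netsh.exe $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
}

function Stop-NetshTrace {
    if (-not (Test-IsElevated)) { throw 'netsh trace requires an elevated prompt.' }
    # Unless report=no was given at start, stopping also writes the .cab, which
    # carries event logs and registry keys: store and share it like any other
    # sensitive diagnostic bundle.
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}

# Usage (elevated PowerShell):
#   Start-NetshTrace -Persistent        # then reboot and reproduce
#   Stop-NetshTrace                     # from a new elevated prompt after logon
```

Because the trace runs as a kernel ETW session rather than in the console, closing the window after Start-NetshTrace is fine, which is what makes the persistent switch usable for logon problems.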

Microsoft Message Analyzer

GUI

MMA is the most powerful and flexible of the network capture tools and fortunately, is the easiest for getting a trace.

  1. Run MMA as an administrator.
  2. Under “Favorite Scenarios,” click “Local Network Interfaces” if you are running Windows 8.1 or 2012 and newer. If you are running Windows 7 or 2008 R2, choose the “Loopback and Unencrypted IPSEC” option. The session will be created and the capture will start.

  3. Once you have reproduced the issue, click the blue stop icon.

Command Line

Command line captures with Message Analyzer are done with the PowerShell PEF module. The fact that it uses PowerShell makes it extremely powerful and flexible for setting up the capture. However, this article is for basic captures so following is the example from https://technet.microsoft.com/en-us/library/dn456526(v=wps.630).aspx. You can always save the following as a script.

    # Create a circular 50 MB session; -Force overwrites the file if it already exists
    $TraceSession01 = New-PefTraceSession -Mode Circular -Force -Path "C:\Traces\Trace01.matu" -TotalSize 50 -SaveOnStop
    # Add the local network capture provider as the message source
    Add-PefMessageSource -PEFSession $TraceSession01 -Source "Microsoft-Pef-WFP-MessageProvider"
    # Start capturing
    Start-PefTraceSession -PEFSession $TraceSession01

The above script will create a 50 MB circular capture, overwrite an existing file at that path if there is one, and save the file once the session is stopped.
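The same PEF session extended into a capture that stops itself, as an added example that is not from the original post or from the TechNet page it cites. The script above only starts the session; this one registers a stop trigger first so the capture ends after a set time and the file is saved by -SaveOnStop. Assumptions: the PEF module that ships with Message Analyzer is installed, and the New-PefTimeSpanTrigger / Stop-PefTraceSession -Trigger pattern from that module’s documentation is used as I remember it; the wrapper function name is mine.

```powershell
# Added example (not from the original post): time-boxed PEF capture.
# Assumption: Stop-PefTraceSession accepts -Trigger with a New-PefTimeSpanTrigger
# object, registered before Start-PefTraceSession (per the PEF module docs).

function Invoke-TimedPefCapture {
    param(
        [string]$Path = "C:\Traces\$env:COMPUTERNAME.matu",
        [int]$TotalSizeMB = 50,
        [int]$Seconds = 120
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Same circular, overwrite-on-conflict, save-on-stop session as the post's script
    $session = New-PefTraceSession -Mode Circular -Force -Path $Path -TotalSize $TotalSizeMB -SaveOnStop
    Add-PefMessageSource -PEFSession $session -Source 'Microsoft-Pef-WFP-MessageProvider'

    # Register the stop condition before starting: the session ends after $Seconds
    $trigger = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds $Seconds)
    Stop-PefTraceSession -PEFSession $session -Trigger $trigger

    Write-Host "Capturing for $Seconds seconds to $Path ..."
    Start-PefTraceSession -PEFSession $session

    # -SaveOnStop has written the file by the time the session returns
    Get-Item $Path
}

# Usage (elevated PowerShell):
#   Invoke-TimedPefCapture -Seconds 60
```

A time-based trigger is the simplest way to make the capture unattended; the same -Trigger parameter is where a message- or key-based trigger would go if you want the session to stop on an event instead of a clock.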

Conclusion

As you can see, the tools and methods available to collect a network capture are numerous, but this variety enables you to get traces for any situation. You may eventually come to prefer a particular tool for capturing traces and yet another to review them, or use more than one to view the same trace. I highly recommend that you become familiar with them all and run through the process before the time when you actually need to get a trace. Again, these instructions are basic ones just to get you all the information from the computer where the trace runs. There’s a plethora of options and capabilities for the tools, so feel free to dig in! I’ll include some helpful links below so you can continue your learning. Good luck!

Additional Information

  1. To learn more about your nmcap options, enter “nmcap /?” or “nmcap /examples”
  2. Wireshark training can be found at https://www.wireshark.org/#learnWS.
  3. For more information on Message Analyzer, check out the blog at https://blogs.technet.microsoft.com/messageanalyzer/.
  4. Message Analyzer training videos can be found at https://www.youtube.com/playlist?list=PLszrKxVJQz5Uwi90w9j4sQorZosTYgDO4.
  5. Message Analyzer Operating Guide – https://technet.microsoft.com/en-us/library/jj649776.aspx
  6. Information on the Message Analyzer PowerShell module can be found at https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx.
  7. Remote captures with MMA – https://blogs.technet.microsoft.com/messageanalyzer/2013/10/17/remote-capture-with-message-analyzer-and-windows-8-1/

NOTE: This article references a 3rd party product. 3rd party products are not supported under any Microsoft standard support program or service. The information here is provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of these solutions remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this documentation, even if Microsoft has been advised of the possibility of such damages.

Michael Rendino

Senior Premier Field Engineer