Capturing network traffic in Windows 7 / Server 2008 R2

Previously a capture filter driver had to be installed in order to intercept and record the packets passing through the network interfaces (think of the WinPcap and NetMon filter drivers).

Now the ability to create a network trace is in-box with Windows 7 and Server 2008 R2, without even a reboot required. The only prerequisite is that netsh trace is run from an elevated (administrator) command prompt.

It is covered in detail over at the Network Monitor blog, but as it is so simple I will cover the key bits here.


In the most basic form, this is how you start capturing all network traffic on the machine with the default settings:
netsh trace start capture=yes

An example of the output from this command:
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\Users\padams\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Off

As you can see, the default here is a 250MB circular buffer (older frames are overwritten once the file fills), and the file is stored in a temp folder inside the user profile. Bear in mind that the trace records full packet payloads, so any cleartext credentials or other sensitive data on the wire end up in that file; treat it accordingly and delete it when you are finished.


To later stop recording:
netsh trace stop

This performs some cleanup operations and then reports something like this:
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
"C:\Users\padams\AppData\Local\Temp\NetTraces\NetTrace.cab".
File location = C:\Users\padams\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.

The .CAB file produced contains various configuration diagnostic files (network adapter, routing, firewall and similar settings), and the .ETL file is the trace file itself, with a little extra (see below).


NetMon 3.2 and later is able to open the .ETL file, but in order to make sense of the data you need to tweak a couple of parser settings first.

With NetMon installed, download the Network Monitor Open Source Parsers package and install it.

Launch NetMon, then click on Tools / Options and select the Parser tab.

Select the Windows parser, click the Stubs button (to toggle “Stub” to “Full”).

Click the up arrow then the down arrow, then click Save and Reload Parsers, then click OK.


Now you can load the .ETL files created with netsh and the conversations should be readable. If you want to save the file as a regular NetMon .CAP file, you can of course do so.

The ETL format trace gives you a system configuration summary in the first conversation, plus the process name and PID associated with each frame, so it provides more than a pure traffic trace and takes some of the guesswork out of network trace analysis.

If you need a trace of the system starting up, add "persistent=yes" to the netsh line that starts the trace. A persistent trace keeps running across the reboot, so as soon as you log on you can run "netsh trace stop" and collect the file.
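The start/stop procedure above, and the persistent variant, wrapped in a single PowerShell script. This is an added example and not code from the original post; it assumes an elevated PowerShell prompt on Windows 7 / Server 2008 R2, and the output folder C:\NetTraces, the 30-second capture window and the hash log file name are arbitrary choices. Only documented netsh trace start parameters are used (tracefile, maxsize, filemode, overwrite, report, persistent).

```powershell
# Added example: start a netsh trace with explicit (non-default) settings,
# stop it after a fixed window, and record a SHA-256 of the resulting .ETL.
# Assumptions: elevated prompt; C:\NetTraces, 30 s and trace-hashes.txt are
# arbitrary values chosen for this example.
param(
    [string]$OutDir   = 'C:\NetTraces',
    [int]$MaxSizeMB   = 512,
    [int]$Seconds     = 30,
    [switch]$Persistent   # keep the trace running across a reboot (startup traffic)
)

# netsh trace needs administrative rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh trace must be run from an elevated prompt.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl   = Join-Path $OutDir ("NetTrace-{0}-{1}.etl" -f $env:COMPUTERNAME, $stamp)

# filemode=single keeps every frame instead of wrapping a circular buffer;
# report=no skips generating the diagnostics .cab when only packets are wanted.
$netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$etl",
               "maxsize=$MaxSizeMB", 'filemode=single', 'overwrite=yes', 'report=no')
if ($Persistent) { $netshArgs += 'persistent=yes' }

& netsh $netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

if ($Persistent) {
    Write-Host "Persistent trace running. Reboot, log on, then run: netsh trace stop"
    return
}

# Reproduce the problem during this window.
Start-Sleep -Seconds $Seconds

& netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Hash the trace so later analysis can show the file was not altered.
# .NET is used directly because PowerShell 2.0 on Windows 7 has no Get-FileHash.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($etl)
try {
    $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $stream.Close()
}
"{0}  {1}" -f $hash, $etl | Out-File -Append -FilePath (Join-Path $OutDir 'trace-hashes.txt')

Get-Item $etl | Select-Object FullName, Length, LastWriteTime
```

Run it as `.\Start-NetTrace.ps1` for a timed capture, or `.\Start-NetTrace.ps1 -Persistent` before a reboot, then stop the trace manually after logging on. The resulting .ETL opens in NetMon exactly as described above; the hash line is there so the file can be tied back to the capture if it is later handed to someone else for analysis.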