Event based network trace collection-using powershell

This  post is like new version of my old post

In this example I m using event id 1502 that gets generated when gpupdate completes successfully. This is an event you can generate on a domain joined machine by running gpupdate /force . so to test that's what I do. In sequential order, the powershell script and batch file are copied in my netmon installation folder in program files in my test lab. I first clean any pre-existing 1502 event from my system event log to test my script. Then I run  following power shell command. then I run my batch file, which basically starts network captures , which will stop the moment it sees ping frame of Powershell script is looking for event from today's date onwards for source event type "Microsoft-Windows-GroupPolicy"  and event 1502. So if that event occurs, it will send ping as in $Cmdone = "Test-Connection"

which is a fake IP address and that's what my batch file is waiting for to stop the network traces. end result is that you have network trace just at the moment of event.

Power shell script that will look for event is below

______Copy from below and save it as stopnmcap.ps1 on a particular location on your system_____________________________________________

# Flag to control while loop

$Flag = 1

# to stop the Netmon

$Cmdone = "Test-Connection"

"Press Ctrl+C anytime to stop this script"

"Started Monitoring the event"



$checkevent = Get-EventLog -LogName System -EntryType Information -After 08/6/2016 -Source "Microsoft-Windows-GroupPolicy" | Where-Object {$_.EventID -eq 1502}



Write-Host "got the event, Stopping network trace ...."

$Flag = 0

Start-Sleep -s 5

Invoke-Expression $Cmdone




$Flag = 1

Write-Host "no events yet but keep looking"


Start-Sleep -s 10


"Press any key to stop"



Batch file to start the nmcap to capture the network traces.

****************copy from below and save it as nmtrace.bat**************************************************************************

@echo off

REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==" /DisableConversations


Comments (3)

  1. tony says:

    why not use netsh trace instead of nmcap?

    1. Hi tony, that’s a brilliant Idea, i will try and use that as well, thanks for bringing that up.

  2. so tony for netsh trace, a user can use
    Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl within the batch file above and in powershell you need to put $cmdone= “net trace stop” to stop the trace when the event happens.

    in this scenario , you need to keep an eye on the resultant etl file , in case of nmcap it create new file after certain size which also can be configured.

Skip to main content