Wireshark or Netsh Trace?

Wireshark is often the preferred tool for network captures. However, what if the security posture will not allow installing Wireshark (and its packet-capture driver) on a production server? In that case we can use the NETSH TRACE command built into Windows. It is available on Windows 7 / Server 2008 R2 and later, client and server editions alike, with nothing extra to install.


Consider which machine will receive the network traffic you wish to capture. If a client is unable to connect to a server via SSL/TLS, you usually want to capture the handshake, which is best done from the client machine so you see exactly what it sent and what came back. If the issue is between server components, you will want to capture the traffic on the server.

Here is how to run the command.

  1. Open a command prompt as administrator (netsh trace requires elevation).

  2. Type: netsh trace start capture=yes
     Note the path to the trace file that netsh prints. By default it is %LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl, written as a 250 MB circular buffer, so a long reproduction overwrites the beginning; use tracefile= and maxsize= if you need a different location or a larger capture.

  3. Reproduce the issue that we wish to capture.

  4. Type: netsh trace stop
     netsh flushes its buffers, writes the .etl file and, unless the trace was started with report=disabled, also builds a .cab of diagnostic data alongside it.

  5. The .etl file can be read with Microsoft Network Monitor (NetMon) or its replacement, Microsoft Message Analyzer. Both have since been retired by Microsoft; the current route is to convert the .etl to pcapng with Microsoft's etl2pcapng tool and open it in Wireshark on an analysis workstation.

  6. Zip up the file and attach it to your case.
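The whole procedure as a single elevated PowerShell session, as an added example that is not part of the original post. It adds capture filters so the trace taken on a production server holds only the traffic of interest, and converts the result for Wireshark. The output folder C:\Temp, the server address 10.0.0.5, port 443, and an etl2pcapng.exe already on the PATH are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumptions: C:\Temp, the server
# 10.0.0.5 and port 443 are placeholders; etl2pcapng.exe (Microsoft's
# open-source ETL-to-pcapng converter) is assumed to be on the PATH.
# Run from a PowerShell prompt started as administrator.

$TraceFile = 'C:\Temp\NetTrace.etl'
New-Item -ItemType Directory -Path (Split-Path $TraceFile) -Force | Out-Null

# Start the capture.
#   tracefile=       explicit output path instead of %LOCALAPPDATA%\Temp\NetTraces
#   maxsize=500      500 MB instead of the 250 MB default (still circular)
#   overwrite=yes    replace a leftover file from an earlier run
#   report=disabled  skip the .cab diagnostic bundle that 'netsh trace stop' builds
# The trailing capture filters (listed by 'netsh trace show capturefilterhelp')
# keep only TCP traffic to or from the server, so the file stays small and does
# not sweep up unrelated, possibly sensitive, production traffic.
netsh trace start capture=yes tracefile=$TraceFile maxsize=500 overwrite=yes report=disabled IPv4.Address=10.0.0.5 Protocol=TCP

# Confirm the trace session is running before reproducing the problem
netsh trace show status

# Reproduce the issue, here the failing TLS connection from this client
Test-NetConnection -ComputerName 10.0.0.5 -Port 443 | Out-Null

# Stop the trace; netsh flushes the buffers and prints the file location
netsh trace stop

# Convert ETL to pcapng so the capture opens in Wireshark on an analysis workstation
etl2pcapng.exe $TraceFile "$TraceFile.pcapng"

# Package for the case; the hash lets the recipient verify the archive arrived intact
Compress-Archive -Path "$TraceFile.pcapng" -DestinationPath 'C:\Temp\NetTrace.zip' -Force
Get-FileHash -Algorithm SHA256 'C:\Temp\NetTrace.zip'
```

If the issue is between two server components, run the same commands on the server and change the IPv4.Address filter to the peer whose traffic you need; drop the filters entirely only when you do not yet know which endpoint is involved, and review the capture before attaching it to a case.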


Comments 2

Brian Amos on Friday, 15 April 2016 10:01

Very cool Dave thanks for sharing.

cs joshi on Monday, 24 July 2017 23:45
