Capturing Network Traffic on Windows 7 and Windows 2008R2

A co-worker of mine recently discovered a very cool feature in Windows 7 and Windows 2008R2. Most people in the computer field already know that if you want to do a network capture, you usually need some kind of tool installed on the OS such as Wireshark or Microsoft Network Monitor. However, he discovered that you can actually capture network traffic directly from the OS. For more information, see http://msdn.microsoft.com/en-us/library/dd569142(v=vs.85).aspx

How to start Capturing Traffic

  1. Run an elevated CMD window as administrator
  2. Type in NETSH TRACE START CAPTURE=YES TRACEFILE=c:\temp\mynetworkcapture.etl
  3. At this point, you will be capturing traffic for that box.

How to Stop Capturing Traffic

  1. Run an elevated CMD window as administrator
  2. Type in NETSH TRACE STOP

How to Analyze the Network Capture File

  1. Copy the trace file that was created to a machine with Microsoft Network Monitor 3.4 or Wireshark installed.
  2. If you are opening the trace file in Microsoft Network Monitor 3.4, make sure the parsers are set to WINDOWS profile.

My co-worker thought this was the best thing since sliced bread!