Packet Capture with Netsh Trace: A PowerShell Guide

Published: 30 June 2019 - 1 min. read

Have you ever had a need to do a quick packet capture on something but didn’t want to mess with installing Wireshark or Netmon? You’re in luck! Today, I decided to PowerShellify netsh trace and build a method to kick off a packet capture via netsh.

In this script there are two functions: Start-PacketTrace and Stop-PacketTrace. Both are very simple functions that just act as wrappers around the netsh commands with a little bit of validation in there.


Let’s say you’re having some problems with network connectivity on your local machine and want to quickly fire up a packet capture. Download the PS1 file I’ve created with the functions inside and dot source it. This will get both functions in your current session.

. .\PacketCapture.ps1

Once you do this, you can then start the packet capture.

Start-PacketTrace C:\SomeTraceFile.etl

The function then invokes netsh trace and once it releases control back to your console the trace is started. You can confirm by viewing the size of C:\SomeTraceFile.etl. Replicate what you want to do and then stop the packet capture.

Stop-PacketTrace

You should now have recorded all network activity in the C:\SomeTraceFile.etl file.

Pretty cool, huh? Well, if you try to open the ETL file up in Wireshark it’s not going to work out of the box. It will first need to be converted to do so. I haven’t automated that yet but it can be done using the netsh trace output. These two functions can be built upon also. If this isn’t enough for you feel free to steal it and make it better!
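Here is how those two wrapper functions can be written, as an added example of my own rather than the author's PacketCapture.ps1: the elevation check, the running-session check (which assumes the idle-status message printed by netsh trace show status) and the MaxSizeMB parameter are assumptions I added on top of the netsh trace start/stop options the post uses.

```powershell
function Start-PacketTrace {
    [CmdletBinding()]
    param (
        # Destination ETL file; netsh trace writes ETL, so insist on that extension
        [Parameter(Mandatory)]
        [ValidatePattern('\.etl$')]
        [string]$TraceFilePath,
        # Ring-buffer cap in MB so an unattended capture cannot fill the disk (my added parameter)
        [ValidateRange(1, 4096)]
        [int]$MaxSizeMB = 256
    )
    # netsh trace only works from an elevated session; fail early with a clear message
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start-PacketTrace must run from an elevated (Administrator) PowerShell session.'
    }
    # Only one netsh trace session can run at a time. Assumption: an idle system reports
    # "There is no trace session currently in progress." to 'netsh trace show status'.
    $status = netsh trace show status
    if (($status -join ' ') -notmatch 'no trace session') {
        throw 'A netsh trace session is already in progress; run Stop-PacketTrace first.'
    }
    $folder = Split-Path -Path $TraceFilePath -Parent
    if (-not (Test-Path -Path $folder -PathType Container)) {
        throw "Folder [$folder] does not exist, so netsh would have nowhere to write the trace."
    }
    # capture=yes turns on packet capture; persistent=no stops the trace at reboot
    $output = netsh trace start capture=yes persistent=no overwrite=yes maxsize=$MaxSizeMB tracefile="$TraceFilePath"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed: $($output -join ' ')"
    }
    Write-Verbose ($output -join "`n")
}

function Stop-PacketTrace {
    [CmdletBinding()]
    param ()
    # netsh trace stop flushes the ETL and prints the location of the file it wrote
    $output = netsh trace stop
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed: $($output -join ' ')"
    }
    # Return the line(s) naming the written file so the caller knows where the capture landed
    $output | Where-Object { $_ -match '\.etl' }
}
```

Because netsh trace persists a trace session across PowerShell processes, the status check above is what stops you from leaving a forgotten capture running on a machine.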
