Capture a Network Trace without installing anything (& capture a network trace of a reboot)

If you need to capture a network trace of a client or server without installing Wireshark or Netmon this might be helpful for you. (This feature works on Windows 7/2008 R2 and above).

The short version:

1. Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).

2. Reproduce the issue, or do a reboot if you are tracing a slow boot scenario.

3. Open an elevated command prompt and run: "netsh trace stop"

Your trace will be stored in c:\temp\nettrace-boot.etl (or wherever you saved it). You can view the trace on another machine using Netmon.


The longer version:

I will do this trace for a slow boot scenario. It works fine for non-reboot scenarios too: just reproduce the issue and then stop the trace.


1. Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).

[Screenshot 1.JPG: starting the trace]


2. Reboot the client machine.

3. Log on and stop the trace using: "netsh trace stop" (from an elevated prompt).

[Screenshot 4721_stop-trace.JPG: stopping the trace]


If you forget to elevate the prompt you will get this:

[Screenshot 3.JPG: the error from a non-elevated prompt]
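The three steps above (start the persistent trace, reboot or reproduce, stop the trace), together with the elevation requirement the post has just illustrated, wrapped in a small PowerShell script. This is an added example, not code from the post; the function names are this example's own, and it adds the maxSize and overwrite options of netsh trace start, which the post does not use, to cap the size of the .etl.

```powershell
# Added example (not from the original post): PowerShell wrapper around the
# "netsh trace" procedure described above. Assumes netsh.exe is on PATH and the
# netsh trace context is available (Windows 7 / 2008 R2 and later).
# Function and parameter names are this example's own choices.

function Test-IsElevated {
    # 'netsh trace start' needs an elevated prompt; the post shows the error otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-BootTrace {
    param(
        [string]$TraceFile = 'C:\temp\nettrace-boot.etl',
        [int]$MaxSizeMB = 500    # cap the .etl so a long repro does not fill the disk
    )
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated prompt; netsh trace start is otherwise denied.'
    }

    # The post warns that the target directory must already exist; create it if not.
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # persistent=yes keeps the session alive across the reboot, capture=yes records packets.
    # maxSize and overwrite are netsh trace start options not used in the post; they are
    # set explicitly here so the file size is bounded and a stale .etl does not block the start.
    & netsh.exe trace start persistent=yes capture=yes "tracefile=$TraceFile" "maxSize=$MaxSizeMB" overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    Write-Host "Tracing to $TraceFile. Reproduce the issue (or reboot), then run Stop-BootTrace."
}

function Stop-BootTrace {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated prompt.' }
    # netsh trace stop flushes and closes the .etl; it can take a moment to finish.
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}

function Get-BootTraceStatus {
    # Reports whether a trace session is running and which file it is writing to.
    & netsh.exe trace show status
}

# Usage (each call from an elevated PowerShell prompt):
#   Start-BootTrace           # step 1
#   Restart-Computer          # step 2 (or just reproduce the issue)
#   Stop-BootTrace            # step 3, after logging back on
#   Get-BootTraceStatus       # optional: confirm nothing is still tracing
```

Because capture=yes records packet contents, the resulting .etl should be handled the way the author describes for customer traces: copy it off the box and get permission before opening it elsewhere.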


Now that you have the trace, you can take it to a machine where installing Netmon is more appropriate to view the data. For customers, I capture using the netsh switch, then get permission to view the data on my machine where I have Netmon installed. Netmon lets you open an .etl file just as you would a .cap file from a traditional trace.


When you open the file you might find that it looks a bit rubbish at first:

[Screenshot 4.JPG: the trace before the Windows parsers are applied]


All you need to do is go to Tools > Options so that you can tell Netmon which parsers to use to convert the trace:

[Screenshot 5.JPG: the Netmon parser profiles dialog]


Choose the Windows parsers and don't forget to click "Set as active" before you click OK, or nothing will happen.


Now the output is ready for you to analyse:

[Screenshot 6.JPG: the parsed trace showing DHCP Discover packets]


As you can see above, the DHCP Discover packets have been parsed correctly (and... that we aren't getting a response from a DHCP server).


That's about all there is to it. Hope this is useful for you.


Author: Chad Duffey [MSFT]

Tech Reviewed: Enamul Khaleque [MSFT]