First published on TechNet on Dec 27, 2016
Hi everyone. This is Michael Rendino, a Premier Field Engineer from Charlotte, NC and former member of the CTS networking support team. With my networking background, I have spent years reviewing network captures. One thing I always run into with my customers is that they often don't know the best or easiest solution to get a network capture. There are many solutions you can use and choosing the right one often depends on the scenario. While colleagues have created blogs on getting a trace with a single tool, I wanted to provide a location that someone can bookmark to be a single set of instructions for a number of solutions. Please note that when reviewing traces, you can use one or more of these tools and aren't necessarily tied to what was used to collect the trace.
First, let's cover each of the tools that can be used to collect a network trace, in order from oldest to newest:
| | Network Monitor | Wireshark | Netsh Trace | MMA |
|---|---|---|---|---|
| Download required | Yes | Yes | No | Yes |
| Received updates | No (archived) | Frequent | No | Occasional |
| GUI | Yes | Yes | No | Yes |
| Command-line | Nmcap | Dumpcap | Netsh trace | PowerShell (PEF) |
| Default format | .cap | .pcapng | .etl | .matp |
| Parsing tool | Netmon, Wireshark or MMA | Wireshark, MMA or Netmon (when the trace is saved in tcpdump format) | Netmon or MMA (MMA can save in CAP format) | MMA (Netmon or Wireshark if saved in CAP format) |
| Capture multiple points concurrently* | No | No | No | Yes |
| Ability to capture a rolling set of files** | Yes** | Yes** | No | No |
| Promiscuous mode | Off by default | On by default | No | Off by default |
| Capture at logon/reboot | No | No | Yes | No |
| Troubleshooting ATA (Advanced Threat Analytics) | Yes*** | No | No | No |

*MMA gives you the ability to set up and collect captures from multiple systems (e.g. client and server) using a single client.
**Wireshark can capture X files of Y size and roll over as needed. Network Monitor can capture a chained set of files, but it will not overwrite old files, and chaining can only be done from the command line.
***Network Monitor is currently the only supported tool to install on an Advanced Threat Analytics server.
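The two "rolling set of files" captures from the table, as an added PowerShell example (not code from the original article). It assumes the installers' default paths, that the interface to capture on has dumpcap index 1 (check with `dumpcap -D`), and C:\Traces as the output folder; change those to match your machine.

```powershell
# Added example, not code from the original article: long-running captures that
# roll over a set of files, for the two tools the table says support it.
# Assumptions: default install paths, dumpcap interface index 1, output in C:\Traces.
$dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'
$nmcap   = 'C:\Program Files\Microsoft Network Monitor 3\NMCap.exe'
$out     = 'C:\Traces'
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Start-DumpcapRing {
    # Wireshark/dumpcap: a true ring buffer. Once $Files files exist the oldest is
    # overwritten, so disk use stays capped at roughly $Files x $FileSizeMB.
    # Run "& $dumpcap -D" first to list interfaces and find the right index.
    param(
        [int]$Interface = 1,          # assumption: adapter index 1
        [int]$Files = 10,
        [int]$FileSizeMB = 100,
        [switch]$NoPromiscuous        # dumpcap is promiscuous by default; -p turns it off
    )
    $dcArgs = @(
        '-i', $Interface,
        '-b', "filesize:$($FileSizeMB * 1024)",   # dumpcap takes this value in KB
        '-b', "files:$Files",
        '-w', "$out\ring.pcapng"
    )
    if ($NoPromiscuous) { $dcArgs += '-p' }
    & $dumpcap @dcArgs
}

function Start-NmcapChain {
    # Network Monitor/NMCap: chained capture. The .chn extension plus ":100M" makes
    # NMCap start a new file every 100 MB, but old files are never overwritten, so
    # check free disk space first. /DisableLocalOnly turns on p-mode (promiscuous),
    # which Netmon leaves off by default. The capture runs until Ctrl+C, so keep the
    # window open until the problem reproduces.
    param([int]$FileSizeMB = 100)
    & $nmcap /network * /capture /file "$out\trace.chn:${FileSizeMB}M" /DisableLocalOnly
}

# Pick one; both block the console until stopped.
Start-DumpcapRing -Interface 1 -Files 10 -FileSizeMB 100
# Start-NmcapChain -FileSizeMB 100
```

The practical difference between the two is the footnote's point: dumpcap's ring bounds disk use, while NMCap's chain grows until you stop it, so for a capture that may run overnight size the chain files with the free space on the volume in mind.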
Right off the bat, it should be apparent from the table that one option, netsh trace, has a benefit the others lack: it is ready to go without installing anything. It does require an elevated command prompt, but nothing beyond that. In environments where change control is strict and the capture software hasn't already been installed, this often makes it the only option.

Another item to note is that netsh trace is purely a command-line tool, while the other three each have a command-line alternative for capturing. Capturing that way is often beneficial because it eliminates the overhead of a GUI displaying and refreshing data in real time. As the table shows, netsh traces (.etl files) can be opened with Netmon or MMA, but not Wireshark; if you need the trace in Wireshark, open it in MMA and save it in CAP format first.

When collecting a short, simple trace for a set amount of time, there is not much difference between the tools. Each will let you create a trace, capture on multiple NICs, and define capture filters (typically, please don't, as you may filter out something important; filter when you analyze the trace instead).

One item to note is promiscuous mode. Be sure to enable it when you are using port mirroring, so the capturing computer records all traffic arriving on its switch port and not just the frames addressed to its own MAC address (plus broadcast and multicast).

The only tool with special requirements is Message Analyzer, as certain features (such as remote capture) are only available on Windows 8.1, Windows Server 2012 R2 and newer operating systems.
And now the part you've been anxiously waiting for, the steps for each solution. I'll provide both GUI and command line (where applicable) for getting a basic capture.
Single File
Chained Files
NOTE: You must keep the command window open until the problem returns.
One extra cool thing about netsh trace is that, by default, it creates a .cab file alongside the trace containing a bunch of helpful diagnostic information: various settings, event logs, and registry keys. Because of that content, treat the .cab as sensitive and review it before sending it outside your organization.
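The netsh trace workflow the table describes (built in, able to run through a reboot, writes an .etl plus a .cab), as an added PowerShell example that is not code from the original article. The C:\Traces folder and net.etl file name are illustrative assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article: start, check and stop a netsh
# trace capture, bounded by a circular buffer and optionally surviving a reboot.
# Assumptions: C:\Traces and net.etl are just example names; run elevated.
$traceDir  = 'C:\Traces'
$traceFile = Join-Path $traceDir 'net.etl'
New-Item -ItemType Directory -Path $traceDir -Force | Out-Null

function Start-NetshCapture {
    param(
        [string]$Path = $traceFile,
        [int]$MaxSizeMB = 250,        # file is capped here; circular mode wraps when full
        [switch]$SurviveReboot        # persistent=yes keeps tracing through a restart
    )
    $persist = if ($SurviveReboot) { 'yes' } else { 'no' }
    # capture=yes is what makes this a packet capture; without it netsh only records
    # ETW provider events. No capture filters on purpose (see the advice above).
    netsh trace start capture=yes tracefile=$Path maxsize=$MaxSizeMB filemode=circular overwrite=yes persistent=$persist
}

function Stop-NetshCapture {
    param([string]$Dir = $traceDir)
    # Stopping can take a minute or two while netsh collects data and builds the .cab;
    # let it finish rather than closing the window.
    netsh trace stop
    # Expect two artefacts: net.etl (open in Netmon or MMA, not Wireshark) and net.cab
    # (settings, event logs, registry keys: sensitive, review before sharing).
    Get-ChildItem -Path $Dir | Where-Object { $_.Extension -in '.etl', '.cab' }
}

# Typical run: start, reproduce the problem, then stop. With -SurviveReboot the trace
# is still running after the restart, so run Stop-NetshCapture again once logged on.
Start-NetshCapture -SurviveReboot
netsh trace show status        # confirms the trace is running and shows its file path
# ... reproduce the problem here ...
Stop-NetshCapture
```

`persistent=yes` is what gives netsh trace the "capture at logon/reboot" row in the table: the trace keeps running across the restart, which is how you catch traffic from services starting and the user logging on, and it keeps running until someone explicitly issues `netsh trace stop`.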
MMA is the most powerful and flexible of the network capture tools and fortunately, is the easiest for getting a trace.
Command-line captures with Message Analyzer are done with the PowerShell PEF module. The fact that it uses PowerShell makes it extremely powerful and flexible for setting up the capture. However, this article is about basic captures, so the following is the example from https://technet.microsoft.com/en-us/library/dn456526(v=wps.630).aspx (you can always save it as a script):

$TraceSession01 = New-PefTraceSession -Mode Circular -Force -Path "C:\Traces\Trace01.matu" -TotalSize 50 -SaveOnStop
Add-PefMessageSource -PEFSession $TraceSession01 -Source "Microsoft-Pef-WFP-MessageProvider"
Start-PefTraceSession -PEFSession $TraceSession01

The above creates a 50 MB circular capture, overwrites an existing file at that path if there is one (-Force), and saves the file when the session is stopped with Stop-PefTraceSession -PEFSession $TraceSession01.
As you can see, the tools and methods available to collect a network capture are numerous, but this variety enables you to get traces for any situation. You may eventually come to prefer a particular tool for capturing traces and another for reviewing them, or use more than one to view the same trace. I highly recommend that you become familiar with them all and run through the process before the time when you actually need to get a trace. Again, these instructions are basic ones just to get you all the information from the computer where the trace runs. There's a plethora of options and capabilities in these tools, so feel free to dig in! I'll include some helpful links below so you can continue your learning. Good luck!
NOTE: This article references a 3rd party product. 3rd party products are not supported under any Microsoft standard support program or service. The information here is provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of these solutions remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this documentation, even if Microsoft has been advised of the possibility of such damages.

Michael Rendino, Senior Premier Field Engineer