
I am trying to capture all network traffic and view it in a human-readable way.

To begin packet capture with netsh, I am running the following command.

netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=net-trace.etl

I then use QuickPHP to host a form that takes a username and password and posts it to itself. The trace is then stopped with netsh trace stop.

To inspect the captured traffic, the following command is run.

netsh trace convert input=net-trace.etl output=net-trace-dump.txt dump=txt

When I read the dumped traffic, the entries are unintelligible and I cannot see the traffic to the QuickPHP server on 127.0.0.1. Additionally, when I import the .etl file into Microsoft Network Monitor, the traffic is clumped into a single clump and the QuickPHP traffic still cannot be found.

I have been able to run a capture with Microsoft Network Monitor and see the QuickPHP traffic.

How can netsh be used to capture the network traffic so that it can be viewed, either in a dumped text file or in Microsoft Network Monitor, in a similar way to a capture from Microsoft Network Monitor?

Thank you very much in advance for your help!

jsc

1 Answer


Just use netsh trace start capture=yes without any of the other stuff. This gets you just a basic packet capture that you can view in Network Monitor.

You don't need to use the ETW providers like NetConnection unless you're troubleshooting a Windows Filtering Platform problem or something.

You don't need the convert command at all.

Ryan Ries
  • Thanks for your answer Ryan! That's good to know about the ETW providers, however the collected trace is still an unordered mess and I can't find traffic to the QuickPHP server. – jsc Jul 06 '17 at 00:57
  • I've found the traffic, stripping back the command worked. Thanks again! – jsc Jul 06 '17 at 01:11