How to capture a network trace from a remote computer

• Author
• Recent Posts

Sami Laiho

Sami Laiho has been a Microsoft Most Valuable Professional (MVP) since 2011 and one of the world's leading IT experts for Windows and security. He has been teaching OS troubleshooting, management, and security since 1996. In 2019 TiVi-magazine chose Sami as one of the top 100 influencers in IT in Finland. For more info, go to https://samilaiho.com.

Latest posts by Sami Laiho (see all)

• Hardening AppLocker - Thu, Jun 25 2020
• AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
• Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020

This process requires that the remote computer has Windows 7 or higher and that you can run PSEXEC.exe on it (available at Sysinternals). You could do the same with PowerShell remoting as well. Anything that can launch a process on the remote computer will do.

First, we need to start the trace on the remote computer. We will do this with the following command:

PSEXEC -d \\DEMOCLIENT1 netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=(192.168.0.10,192.168.0.11) IPv4.DestinationAddress=(192.168.0.10,192.168.0.11) Ethernet.Type=IPv4

You can alter what gets captured and how much data can be captured. In this example, we trace between two IP addresses, only on IPv4 and using a circular log with a maximum size of 512 MB.

Next, we will just generate some traffic to fill our trace using Ping.exe.

Starting a remote network trace with PSEXEC.exe and NETSH.exe

Next, we need to stop the trace on the remote computer with:

PSEXEC -d \\DEMOCLIENT1 netsh trace stop

Reproducing the problem; in this case, we just use Ping to demonstrate

Now we need to copy over the trace file with a command such as this, for example:

XCOPY \\DEMOCLIENT1\C$\Temp\capture.etl c:\temp

Copying the trace file from the remote computer

If you still have Message Analyzer (it's been deprecated), you can now open the trace file locally. If you don't or you just prefer to use Wireshark, follow along.

Capture file opened in Message Analyzer

If you have Message Analyzer but prefer to use Wireshark, you can export the file to another format.

Exporting the capture file from Message Analyzer

And then you can open it in Wireshark.

Exported trace file opened in Wireshark

If you don't have Message Analyzer, you should head for the conversion tool on Github.

Downloading etl2pcapng.exe to convert the trace

The syntax is simple:

Etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcapng

Using Etl2pcapng.exe to convert the trace to PCAPNG format

Now you can open it again in Wireshark.

Opening a PCAPNG trace in Wireshark