How to capture a network trace from a remote computer

To start any troubleshooting case, I always ask for two things. I ask for a Process Monitor trace, which you can get remotely by following this blog post, and a network trace. In this article, I will show you how to get a network trace from a remote computer without installing Wireshark or something similar on it.
Latest posts by Sami Laiho (see all)

This process requires that the remote computer has Windows 7 or higher and that you can run PSEXEC.exe on it (available at Sysinternals). You could do the same with PowerShell remoting as well. Anything that can launch a process on the remote computer will do.

First, we need to start the trace on the remote computer. We will do this with the following command:

You can alter what gets captured and how much data can be captured. In this example, we trace between two IP addresses, only on IPv4 and using a circular log with a maximum size of 512 MB.

Next, we will just generate some traffic to fill our trace using Ping.exe.

Starting a remote network trace with PSEXEC.exe and NETSH.exe

Starting a remote network trace with PSEXEC.exe and NETSH.exe

Next, we need to stop the trace on the remote computer with:

Reproducing the problem; in this case, we just use Ping to demonstrate

Reproducing the problem; in this case, we just use Ping to demonstrate

Now we need to copy over the trace file with a command such as this, for example:

Copying the trace file from the remote computer

Copying the trace file from the remote computer

If you still have Message Analyzer (it's been deprecated), you can now open the trace file locally. If you don't or you just prefer to use Wireshark, follow along.

Capture file opened in Message Analyzer

Capture file opened in Message Analyzer

If you have Message Analyzer but prefer to use Wireshark, you can export the file to another format.

Exporting the capture file from Message Analyzer

Exporting the capture file from Message Analyzer

And then you can open it in Wireshark.

Exported trace file opened in Wireshark

Exported trace file opened in Wireshark

If you don't have Message Analyzer, you should head for the conversion tool on Github.

Downloading etl2pcapng.exe to convert the trace

Downloading etl2pcapng.exe to convert the trace

The syntax is simple:

Using Etl2pcapng.exe to convert the trace to PCAPNG format

Using Etl2pcapng.exe to convert the trace to PCAPNG format

Now you can open it again in Wireshark.

Opening a PCAPNG trace in Wireshark

Opening a PCAPNG trace in Wireshark

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

7+
avataravataravatar
Share
1 Comment
  1. Massimo 4 months ago

    Thank you, very interesting

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account