How to capture Network Traffic on Server without NetMon, Wireshark.. Installation

A while ago I wanted to analyse network traffic on particular Server. I want my server environment clean and neat so I try to avoid installing third party software on Servers. Besides installing third party software might require Server Reboot. And usually we do not want to reboot server during working hours.

I asked myself is it possible to do a network trace without installation of third party network tools? Yes it is! If you want to learn more I suggest you to read this post.

When I Started surfing on the waves of internet I found Great Paul Adams post. So this is how we do it..

Lets take a simple example. We want to see DNS query of our client:

Capture traffic

1. Open CMD in elevated mode and Run:
2. netsh trace start capture=yes tracefile=c:\CaptureTraffic.etl
3. Generate traffic… (nslookup
4. netsh trace stop


Yes that is it! No need to install third party tools just trace with netsh and we have a trace file to analyse

To analyse captured traffic copy .etl trace file to your computer and open it in Network Monitor. If you do not have NetMon on your computer here is where to get it.


1. First we have to Set NetMon. So we go to:
Tools => Options => Parser Profiles (Tab) => Select: Windows parser  => Set As Active
2. Open .ETL file with Network Monitor (File => Open => Capture => Select CaptureTraffic.etl)
3. Now we can start with analysis..

An here we have our nslookup query:


If you are using NetMon for other purposes I suggest you set profile back To Default when you are done with Analysis.

Isn’t this Great! Oh, and there is more:

1. If you want to capture network on System boot simply add: “persistent=yes” to the netsh command. When you log on after reboot you can just Stop the trace as seen above.
2. When doing a trace there is also .CAB file produced which contains various configuration diagnostics files.
3. The ETL format trace will give you a system configuration summary in the first conversation, process name PID associated with each frame. So it provides more than just a pure traffic trace..
4. If you want to save .ETL file as regular NetMon .CAP file feel free to do so.

I found this post a while ago. Yesterday I was explaining to one of my coworkers “how we can capture traffic without third party tools installation”. So this one is for you my friend 😉

Thanks Paul for sharing this information. Here is a link to original article. I am just a messenger 🙂

This entry was posted in Network, SNMP, Troubleshooting and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s