How-to: Network analysis of Windows clients, also at boot time

How to do network analysis of Windows clients, including the traffic generated at boot time.

Setting up the built-in network monitoring in Windows

Step 1: Setup network logging

  • Boot the PC normally.
  • Log in as Administrator and open a CMD prompt as Administrator.
  • Enter:
    C:\Users\Administrator> netsh trace start capture=yes tracefile=c:\%computername%.etl persistent=yes
    (You can apply capture filters to the netsh trace; see the Microsoft documentation for details.)
  • Quit CMD and reboot. persistent=yes keeps the trace session running across the reboot, so the boot-time traffic ends up in the capture.

Step 2: Testing

You can now do your tests.

Step 3: Deactivate network logging

  • Log in as Administrator and open a CMD prompt as Administrator.
  • Enter:
    C:\Users\Administrator> netsh trace stop

After stopping the netsh trace, a report is generated in C:\ (or the path you gave).
The .cab and .etl files are the relevant ones.

To read the .etl file you can use Microsoft Network Analyzer (archived version), or use etl2pcap to convert the .etl to pcapng, which Wireshark can read.
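The three steps above, wrapped in two PowerShell functions so the boot-time capture can be started, checked, stopped and converted the same way every time. This is an added example, not code from the original post. It assumes an elevated PowerShell session, that the trace file goes to C:\ as in the post, and that etl2pcapng.exe is either in PATH or given via -Etl2PcapngPath; the size cap, the optional IPv4.Address filter and the file listing are additions beyond what the post shows.

```powershell
# Added example wrapping the netsh trace procedure from the post (not the post's own code).
# Assumptions: run from an elevated PowerShell; etl2pcapng.exe available in PATH or via -Etl2PcapngPath.

function Assert-Elevated {
    # netsh trace refuses to start or stop a session without administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell; netsh trace needs administrator rights.'
    }
}

function Start-BootTrace {
    param(
        # Default mirrors the post: C:\<computername>.etl (note the backslash after the drive).
        [string]$TraceFile = "C:\$env:COMPUTERNAME.etl",
        # Cap the file so a persistent trace left running cannot fill the system drive.
        [int]$MaxSizeMB = 512,
        # Optional capture filter: keep only traffic to/from this IPv4 address (e.g. a domain controller).
        [string]$IPv4Address
    )
    Assert-Elevated
    $netshArgs = @('trace', 'start', 'capture=yes', 'persistent=yes',
                   "tracefile=$TraceFile", "maxsize=$MaxSizeMB", 'overwrite=yes')
    if ($IPv4Address) { $netshArgs += "IPv4.Address=$IPv4Address" }
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    # Confirm the session is running (and persistent) before rebooting.
    & netsh trace show status
}

function Stop-BootTrace {
    param(
        [string]$TraceFile = "C:\$env:COMPUTERNAME.etl",
        [string]$Etl2PcapngPath = 'etl2pcapng.exe'   # assumed location; adjust to where you unpacked it
    )
    Assert-Elevated
    & netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path $TraceFile)) { throw "Expected trace file not found: $TraceFile" }

    # List everything netsh produced next to the .etl (the .cab report shares the base name).
    $baseName = [IO.Path]::GetFileNameWithoutExtension($TraceFile)
    Get-ChildItem -Path (Split-Path $TraceFile) -Filter "$baseName.*" |
        Select-Object Name, Length, LastWriteTime

    # Convert for Wireshark: etl2pcapng <input.etl> <output.pcapng>
    $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    if (Get-Command $Etl2PcapngPath -ErrorAction SilentlyContinue) {
        & $Etl2PcapngPath $TraceFile $pcapng
        if ($LASTEXITCODE -eq 0) { Write-Output "Converted: $pcapng" }
    } else {
        Write-Warning "etl2pcapng not found; open $TraceFile with an ETL-capable analyzer instead."
    }
}

# Usage:  Start-BootTrace; Restart-Computer   ...run the tests...   Stop-BootTrace
```

Check the `netsh trace show status` output before rebooting: if the session is not marked persistent, the trace ends at shutdown and the boot-time traffic is lost. The maxsize cap is there because a forgotten persistent trace otherwise grows until the disk is full.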
