How to do network analysis of Windows clients, including at boot time.
Setting up built-in network monitoring in Windows
Step 1: Setup network logging
- normal boot PC
- Log in as Administrator and open CMD prompt as Administrator
- Enter:
C:\Users\Administrator> netsh trace start capture=yes tracefile=c:\%computername%.etl persistent=yes
(You can apply filters to the netsh trace; see the Microsoft documentation for details.)
- Quit CMD and reboot.
Step 2: Testing
You can now run your tests, including reboots: because the trace was started with persistent=yes it keeps capturing across restarts, so boot-time traffic is included.
Step 3: Deactivate network logging
- Log in as Administrator and open CMD prompt as Administrator
- Enter:
C:\Users\Administrator> netsh trace stop
After stopping the netsh trace, a report is generated in C:\ (or the path you specified).
The .cab and .etl files are the relevant ones.
To read the .etl file, use Microsoft Network Analyzer (archived version), or use etl2pcapng to convert the .etl to pcapng, which Wireshark can read.
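The three steps above wrapped into one script, as an added example that is not part of the original page. It assumes netsh.exe is present (it ships with Windows) and that etl2pcapng.exe is on PATH for the optional conversion step; the filter string and the maxsize/filemode settings are additions beyond the page's command and are labelled as such in the comments.

```powershell
# Added example, not from the original page: start, check and stop a persistent
# netsh packet trace that survives reboots, then convert the .etl for Wireshark.
# Assumptions: run from an elevated PowerShell; etl2pcapng.exe on PATH (optional).
[CmdletBinding()]
param(
    [ValidateSet('Start', 'Stop', 'Status')]
    [string]$Action = 'Status',
    # Same location the page uses: C:\<computername>.etl
    [string]$TraceFile = "C:\$env:COMPUTERNAME.etl",
    # Optional netsh capture filter, e.g. 'IPv4.Address=192.0.2.10' (constructed value)
    [string]$Filter = '',
    # Upper bound for the trace file in MB; netsh wraps around when filemode=circular
    [int]$MaxSizeMB = 512
)

function Assert-Elevated {
    # netsh trace refuses to start a capture from a non-elevated prompt
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'netsh trace requires an elevated (Administrator) prompt.'
    }
}

function Start-BootTrace {
    Assert-Elevated
    # capture=yes and persistent=yes are the page's settings; overwrite/maxsize/filemode
    # are added so a forgotten trace cannot fill the disk (assumption: circular is acceptable).
    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$TraceFile",
                   'persistent=yes', 'overwrite=yes', "maxsize=$MaxSizeMB", 'filemode=circular')
    if ($Filter) { $netshArgs += $Filter }
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    Write-Host "Persistent trace running; it keeps capturing across reboots until 'netsh trace stop'."
}

function Stop-BootTrace {
    Assert-Elevated
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

    # The page's two relevant outputs: the .etl capture and the .cab report next to it
    $cabFile = [IO.Path]::ChangeExtension($TraceFile, '.cab')
    foreach ($f in @($TraceFile, $cabFile)) {
        if (Test-Path $f) { Get-Item $f | Select-Object Name, Length, LastWriteTime }
        else { Write-Warning "Expected output not found: $f" }
    }

    # Convert to pcapng so Wireshark can open it (etl2pcapng is a separate Microsoft tool)
    $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    if (Get-Command etl2pcapng.exe -ErrorAction SilentlyContinue) {
        & etl2pcapng.exe $TraceFile $pcapng
        if ($LASTEXITCODE -eq 0) { Write-Host "Wrote $pcapng" }
    } else {
        Write-Warning 'etl2pcapng.exe not on PATH; open the .etl with an ETL-capable analyzer instead.'
    }
}

function Show-BootTrace {
    # Shows whether a trace is active, its file and whether it is persistent
    & netsh.exe trace show status
}

switch ($Action) {
    'Start'  { Start-BootTrace }
    'Stop'   { Stop-BootTrace }
    'Status' { Show-BootTrace }
}
```

Usage from an elevated PowerShell: `.\boot-trace.ps1 -Action Start`, reboot and run the tests, then `.\boot-trace.ps1 -Action Stop`. Running `-Action Status` before starting is worth the habit: netsh keeps only one trace session, and `netsh trace start` fails if a previous persistent session was never stopped. The circular file mode is the one deliberate departure from the page's command; without it a persistent trace left running across many reboots grows until it hits maxsize and stops, which is easy to miss during a long test.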