If you need to capture a network packet trace and do not want to install Wireshark, or you would rather use the capture tool built into Windows, you can do this with the netsh trace command:
Warning: Captured traces will contain sensitive information and should be treated as GDPR-relevant files, so the security around them needs to be taken into account. For example, running this on a domain controller will expose lots of sensitive data.
This will start the trace for all traffic:
netsh trace start capture=yes tracefile=C:\temp\alltrace.etl maxsize=6024 filemode=circular
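If you are only interested in a certain source IP, you can filter on it. Note that IPv4.Address matches the address as either source or destination; use IPv4.SourceAddress to match the source only. Substitute the real address for the example one:
netsh trace start capture=yes IPv4.Address=12.345.11.44 tracefile=C:\temp\sourcetrace.etl maxsize=6024 filemode=circular
This will stop the trace when you are done, and it will compile and merge it: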
netsh trace stop
That should look like this in the flesh so to speak:
Once complete and merged, you will end up with two files: an ETL file and a CAB file.
We need the ETL file, but this cannot be opened in Wireshark as it is in the wrong format. For that you need ETL2PCAPNG, which takes an ETL file and converts it into a PCAPNG file. You can get it from https://github.com/microsoft/etl2pcapng/ and you will need to compile it for it to work in Windows.
etl2pcapng.exe dnstrace.etl wireshark.pcapng
This should look like this:
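The steps above combined into one script, as an added example that is not part of the original post: it writes the capture into a folder restricted to Administrators and SYSTEM, as the warning calls for, then converts the result. The folder, the 60-second duration and the location of etl2pcapng.exe are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: timed netsh capture into an access-restricted folder,
# followed by conversion to PCAPNG. All default values below are assumptions.
param(
    [string]$CaptureDir = 'C:\temp\capture',         # assumed output folder
    [int]   $Seconds    = 60,                        # assumed capture duration
    [string]$Etl2Pcapng = 'C:\tools\etl2pcapng.exe'  # assumed path to the compiled tool
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $Etl2Pcapng)) { throw "etl2pcapng.exe not found at $Etl2Pcapng" }

# Create the folder and lock it down BEFORE any capture data is written:
# drop inherited permissions, then grant full control only to
# BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null
icacls $CaptureDir /inheritance:r `
    /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    /grant:r '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

$etl  = Join-Path $CaptureDir 'alltrace.etl'
$pcap = Join-Path $CaptureDir 'alltrace.pcapng'

# Same start command as in the post, pointed at the restricted folder.
netsh trace start capture=yes "tracefile=$etl" maxsize=6024 filemode=circular
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session, even if the script is interrupted, so the
    # capture does not keep running and growing unnoticed.
    netsh trace stop
}

# Convert the merged ETL into a file Wireshark can open.
& $Etl2Pcapng $etl $pcap
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

# List what was produced (ETL, CAB, PCAPNG) so each file can be accounted for
# and deleted or moved to controlled storage once the analysis is finished.
Get-ChildItem $CaptureDir | Select-Object Name, Length, LastWriteTime
```

The PCAPNG file inherits the folder's restricted permissions only while it stays there; copying it elsewhere gives it the permissions of the destination.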