Have you ever had a need to do a quick packet capture on something but didn’t want to mess with installing Wireshark or Netmon? You’re in luck! Today, I decided to PowerShellify netsh trace and build a method to kick off a packet capture via netsh.
In this script there are two functions: Start-PacketCapture and Stop-PacketCapture. Both are very simple functions that just act as wrappers around the netsh commands with a little bit of validation in there.
Let’s say you’re having some problems with network connectivity on your local machine and want to quickly fire up a packet capture. Download the PS1 file I’ve created with the functions inside and dot source it. This will get both functions in your current session.
. .\PacketCapture.ps1
Once you do this, you can then start the packet capture.
Start-PacketTrace C:\SomeTraceFile.etl
The function then invokes netsh trace, and once it releases control back to your console the trace is running. You can confirm this by watching the size of C:\SomeTraceFile.etl grow. Reproduce the problem you want to capture, then stop the packet capture.
Stop-PacketTrace
You should now have recorded all network activity in the C:\SomeTraceFile.etl file.
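The procedure above, as an added example that is not the author's PacketCapture.ps1: two thin wrappers around netsh trace with the kind of validation the post describes (elevation check, .etl extension, existing target directory, non-zero exit codes). Function names follow the usage shown in the post (Start-PacketTrace / Stop-PacketTrace); the -MaxSizeMB parameter, the Test-IsAdministrator helper and the exact "no trace session" status text matched in Stop-PacketTrace are my assumptions, not something the post specifies.

```powershell
# Added example, not the post's own script. Wrappers around "netsh trace start/stop"
# with basic validation. Requires an elevated PowerShell session on Windows.

function Test-IsAdministrator {
    # netsh trace needs an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-PacketTrace {
    [CmdletBinding()]
    param (
        # Target ETL file; netsh trace writes .etl, so enforce the extension.
        [Parameter(Mandatory)]
        [ValidatePattern('\.etl$')]
        [string]$TraceFilePath,

        # Assumed parameter: maxsize (MB) passed through to netsh; the file is
        # circular by default, so old packets are overwritten once it is reached.
        [ValidateRange(1, 4096)]
        [int]$MaxSizeMB = 250
    )

    if (-not (Test-IsAdministrator)) {
        throw 'Start-PacketTrace must be run from an elevated (Administrator) PowerShell session.'
    }
    $parent = Split-Path -Path $TraceFilePath -Parent
    if ($parent -and -not (Test-Path -Path $parent -PathType Container)) {
        throw "Directory [$parent] does not exist."
    }

    # capture=yes enables packet capture (not only ETW event tracing);
    # report=disabled skips the slow report/cab generation when the trace is stopped.
    $output = & netsh.exe trace start capture=yes report=disabled overwrite=yes `
        "tracefile=$TraceFilePath" "maxsize=$MaxSizeMB"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed: $($output -join ' ')"
    }
    Write-Verbose ($output -join "`n")

    # Return the (growing) ETL file so the caller can watch its size.
    Get-Item -Path $TraceFilePath -ErrorAction SilentlyContinue
}

function Stop-PacketTrace {
    [CmdletBinding()]
    param ()

    if (-not (Test-IsAdministrator)) {
        throw 'Stop-PacketTrace must be run from an elevated (Administrator) PowerShell session.'
    }

    # "netsh trace show status" reports whether a session is running. The matched
    # text is an assumption based on the usual netsh output; adjust if your build differs.
    $status = & netsh.exe trace show status
    if (($status -join ' ') -match 'no trace session') {
        Write-Warning 'No trace session is running; nothing to stop.'
        return
    }

    $output = & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed: $($output -join ' ')"
    }
    Write-Verbose ($output -join "`n")
}

# Usage (from an elevated session, after dot-sourcing this file):
#   Start-PacketTrace -TraceFilePath C:\SomeTraceFile.etl -Verbose
#   ... reproduce the connectivity problem ...
#   Stop-PacketTrace -Verbose
```

The elevation check is worth keeping even in a throwaway script: netsh trace silently needs administrator rights, and the failure message it gives without them is easy to misread as a syntax error. Disabling the report is a deliberate choice for a quick capture, since report generation can take minutes and produces a cab file most people never open.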
Pretty cool, huh? Well, if you try to open the ETL file in Wireshark, it's not going to work out of the box. It will first need to be converted. I haven't automated that yet, but it can be done using the netsh trace output. These two functions can be built upon as well. If this isn't enough for you, feel free to steal it and make it better!