Start and Stop a Packet Capture from PowerShell

Adam Bertram

Adam Bertram

Read more posts by this author.

Have you ever had a need to do a quick packet capture on something but didn’t want to mess with installing Wireshark or Netmon? You’re in luck! Today, I decided to PowerShellify the method to kick off a packet capture via netsh.

In this script there are two functions; Start-PacketCapture and Stop-PacketCapture. Both are very simple functions that just act as wrappers around the netsh commands with a little bit of validation in there.

Let’s say you’re having some problems with network connectivity on your local machine and want to quickly fire up a packet capture. Download the PS1 file I’ve created with the functions inside and dot source it. This will get both functions in your current session.

.\PacketCapture.ps1

Once you do this, you can then start the packet capture.

Start-PacketTrace C:\SomeTraceFile.etl

Give this a second to get the trace setup and once it releases control back to your console the trace is started. You can confirm by viewing the size of C:\SomeTraceFile.etl. Replicate what you want to do and then stop the packet capture.

Stop-PacketTrace

You should now have recorded all network activity in the C:\SomeTraceFile.etl file.

Pretty cool, huh? Well, if you try to open the ETL file up in Wireshark it’s not going to work out of the box. It will first need to be converted to do so. I haven’t automated that yet but it can be done. These two functions can be built upon also. If this isn’t enough for you feel free to steal it and make it better!

Subscribe to Adam the Automator

Get the latest posts delivered right to your inbox

Looks like you're offline!