Have you ever had a need to do a quick packet capture on something but didn't want to mess with installing Wireshark or Netmon? You're in luck! Today, I decided to PowerShellify the method to kick off a packet capture via netsh.

In this script there are two functions: Start-PacketCapture and Stop-PacketCapture. Both are very simple functions that just act as wrappers around the netsh commands, with a little bit of validation in there.

Let's say you're having some problems with network connectivity on your local machine and want to quickly fire up a packet capture. Download the PS1 file I've created with the functions inside and dot-source it (note the leading dot and space). This loads both functions into your current session.

. .\PacketCapture.ps1

Once you do this, you can then start the packet capture.

Start-PacketTrace C:\SomeTraceFile.etl

Give this a second to get the trace set up; once it returns control to your console, the trace is running. You can confirm by checking the size of C:\SomeTraceFile.etl. Reproduce the problem you're troubleshooting and then stop the packet capture.

Stop-PacketTrace

You should now have recorded all network activity in the C:\SomeTraceFile.etl file.
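The post describes the two wrapper functions but does not include the script itself, so here is an added example of what such wrappers look like. This is my own code, not the PacketCapture.ps1 from the post. It assumes an elevated PowerShell session on Windows (netsh trace refuses to start without admin rights), and it assumes that "netsh trace show status" prints the phrase "There is no trace session currently in progress" when nothing is running; the parameter names, the MaxSizeMB default and the admin check are my choices.

```powershell
# Added example wrappers around "netsh trace" (not the blog's own PacketCapture.ps1).
# Assumes an elevated PowerShell session on Windows.

function Start-PacketTrace {
    [CmdletBinding()]
    param (
        # Destination ETL file, e.g. C:\SomeTraceFile.etl
        [Parameter(Mandatory)]
        [ValidatePattern('\.etl$')]
        [string]$TraceFilePath,

        # Cap the ETL file at this many MB; netsh wraps around once it is reached.
        [ValidateRange(1, 1024)]
        [int]$MaxSizeMB = 250
    )

    # netsh trace needs an elevated session; fail early with a readable message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start-PacketTrace must be run from an elevated PowerShell session.'
    }

    # Make sure the destination folder exists so netsh does not fail with an opaque error.
    $folder = Split-Path -Path $TraceFilePath -Parent
    if ($folder -and -not (Test-Path -Path $folder -PathType Container)) {
        throw "Folder [$folder] does not exist."
    }

    # Refuse to start a second session on top of one that is already running.
    # Assumption: this is the phrase netsh prints when no session is active.
    $status = netsh trace show status
    if ($status -notmatch 'There is no trace session currently in progress') {
        throw 'A netsh trace session is already running. Run Stop-PacketTrace first.'
    }

    # capture=yes records packets; report=no skips the slow .cab report at stop time;
    # persistent=no ends the trace at reboot; overwrite=yes replaces an existing file.
    $out = netsh trace start capture=yes tracefile="$TraceFilePath" maxsize=$MaxSizeMB overwrite=yes report=no persistent=no
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed: $($out -join ' ')"
    }
    Write-Verbose "Trace started; writing to $TraceFilePath"
}

function Stop-PacketTrace {
    [CmdletBinding()]
    param ()

    $status = netsh trace show status
    if ($status -match 'There is no trace session currently in progress') {
        Write-Warning 'No netsh trace session is running.'
        return
    }

    # Stopping flushes the buffers to the ETL file; with report=no this returns quickly.
    $out = netsh trace stop
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed: $($out -join ' ')"
    }
    Write-Verbose 'Trace stopped.'
}

# Usage, matching the steps in the post:
#   . .\PacketCapture.ps1
#   Start-PacketTrace -TraceFilePath C:\SomeTraceFile.etl -Verbose
#   ... reproduce the connectivity problem ...
#   Stop-PacketTrace -Verbose
```

The status check before starting matters in practice: netsh keeps only one trace session per machine, and a second "netsh trace start" fails with an error that is easy to misread. Keep in mind the ETL file holds full packet payloads, so treat it like any other capture: restrict who can read it and delete it when the troubleshooting is done. For viewing in Wireshark, Microsoft's etl2pcapng tool converts the ETL output to pcapng; that conversion step is not part of this example.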

Pretty cool, huh? Well, if you try to open the ETL file in Wireshark, it's not going to work out of the box; it first needs to be converted. I haven't automated that yet, but it can be done. These two functions can also be built upon. If this isn't enough for you, feel free to steal it and make it better!
