Network Troubleshooting Made Simple

A Step-by-Step Guide to Capturing Network Traffic with Built-in Windows Tools

When troubleshooting network-related issues, capturing a network trace can be incredibly helpful. However, installing additional software is often not an option on production or fully locked-down machines. Fortunately, Windows has a built-in way to capture a network trace without installing any software locally. The only requirement is an elevated (administrator) session, because the capture hooks into the network stack.

Using the Built-in netsh Command

The netsh command is a powerful tool that allows you to configure and troubleshoot network settings on Windows. One of its lesser-known features is the ability to capture a network trace: netsh trace, available since Windows 7 and Windows Server 2008 R2, records packets through an Event Tracing for Windows (ETW) session, which is why the output is an .etl file rather than a .pcap.

To capture a network trace using netsh, follow these steps:

  1. Open the Command Prompt as an administrator. To do this, right-click on the Start button and select “Command Prompt (Admin)”. On newer Windows builds that menu offers “Windows PowerShell (Admin)” or “Terminal (Admin)” instead; any of them works, since netsh is an ordinary executable. Without elevation the start command in the next step fails, because the packet capture provider requires administrator rights.

  2. Type the following command and press Enter:

    netsh trace start capture=yes
    REM OR
    netsh trace start capture=yes tracefile=%temp%\nettrace.etl maxsize=20
    REM Creates nettrace.etl in the temp directory, capped at 20 MB.
    

    This starts capturing all traffic on every interface into an ETW session. The session keeps running until you stop it or the machine reboots, so don’t forget the stop step. Without tracefile, netsh writes to its default location under %LOCALAPPDATA%\Temp\NetTraces. Without maxsize, the file is capped at 250 MB, and because the default filemode is circular, the oldest packets are overwritten once the cap is reached; raise maxsize (or add filemode=single) if the capture must run for a long time and you need the beginning of it. Only one netsh trace session can run at a time; netsh trace show status tells you whether one is already active.

  3. To stop the capture, type the following command and press Enter:

    netsh trace stop
    

    This stops the session and writes the captured traffic to the file you named with the tracefile parameter or, if you didn’t name one, to the default location %LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (not the current directory); netsh prints the final path as “File location” when it finishes. Stopping takes a while because netsh correlates and merges the trace buffers first, and by default it also generates a NetTrace.cab next to the .etl containing system diagnostics (on builds that accept it, report=disabled at start time suppresses the .cab). Both files hold data from the machine, and the .etl contains full packet payloads including anything sent in clear text, so treat them as sensitive when you copy them around.
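The steps above as one script, added here as an example (it is not code from the original post). It is written in PowerShell because that is the elevated shell you will usually have open; the trace path under %SystemRoot%\Temp, the 50 MB cap, the 60-second capture window and the “no trace session” status text matched on an English build are assumptions chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumed values: the trace path,
# the 50 MB cap and the 60-second capture window are arbitrary choices.

# A path without spaces keeps the netsh argument simple; %SystemRoot%\Temp is
# writable from the elevated session and does not land in a user profile.
$TraceFile = Join-Path $env:SystemRoot 'Temp\nettrace.etl'

function Test-NetTraceRunning {
    # 'netsh trace show status' prints the running session, or a line saying
    # there is none (assumed wording on an English build). Only one netsh trace
    # session can run at a time, so check before starting another.
    $status = netsh trace show status
    return (($status -join "`n") -notmatch 'no trace session')
}

function Start-NetTrace {
    param([string]$Path = $TraceFile, [int]$MaxSizeMB = 50)
    if (Test-NetTraceRunning) { throw 'A netsh trace session is already running; stop it first.' }
    # filemode=circular is the netsh default: once maxsize is reached the oldest
    # packets are overwritten, so a cap that is too small loses the start of the
    # capture. overwrite=yes lets a re-run replace a previous file.
    netsh trace start capture=yes "tracefile=$Path" "maxsize=$MaxSizeMB" filemode=circular overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
}

function Stop-NetTrace {
    # stop blocks while netsh correlates and merges the ETW buffers into the .etl;
    # on a busy machine that can take a minute or more. Do not close the console.
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}

# Capture for a fixed window while the problem is reproduced, then always stop,
# even if the reproduction step throws, so no orphaned session is left behind.
Start-NetTrace
try {
    Write-Host "Capturing to $TraceFile for 60 seconds; reproduce the problem now."
    Start-Sleep -Seconds 60
}
finally {
    Stop-NetTrace
}

# The .etl is the capture; by default netsh also writes a .cab of system
# diagnostics next to it. Both contain data from this host: treat as sensitive.
Get-ChildItem -Path (Split-Path $TraceFile) -Filter 'nettrace.*' |
    Select-Object Name, Length, LastWriteTime
```

Run it from an elevated PowerShell window; the try/finally is the important part, since a netsh trace session left running after a failed script keeps writing (and keeps any later start command from succeeding) until someone issues netsh trace stop.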

Analyzing the Captured Traffic

The captured traffic is saved in an .etl file (nettrace.etl in the example above). Microsoft Network Monitor 3.4 opens it directly. Wireshark does not read .etl files; convert it first with Microsoft’s etl2pcapng tool (https://github.com/microsoft/etl2pcapng), which extracts the packet capture events into a pcapng file Wireshark can open. Copy the file to a machine that has either tool installed and analyze the traffic there.

I’d recommend Microsoft Network Monitor, as the output it shows is very clear. After installing it, go to Tools –> Options –> Parser Profiles, select the Windows profile, click Set As Active and click OK; this profile is what decodes the ETW packet capture events in the .etl. Next go to File –> Open –> Capture and browse to the nettrace.etl file you generated earlier.

If you don’t have either of these tools installed, you can use the built-in netsh command to convert the .etl file to a text-based format, on the capturing machine itself if you like. To do this, type the following command and press Enter:

netsh trace convert input=nettrace.etl output=nettrace.txt

This creates nettrace.txt, a text dump of every event in the trace (dump=txt is the default format; add overwrite=yes if you rerun the conversion onto an existing file). It is an event-by-event listing rather than a decoded packet list, so it is fine for a quick search with findstr or Select-String but not a substitute for Network Monitor.

Capturing HTTP Traffic

If you’re specifically interested in capturing HTTP traffic, you can add a capture filter to the netsh command. To do this, type the following command and press Enter:

netsh trace start capture=yes protocol=http

Capture filters are applied while capturing, so the trace file stays small. Which filter parameters and values your Windows build accepts is listed by netsh trace show capturefilterhelp; check it before relying on a particular protocol value. The same mechanism also filters on IPv4.Address, Ethernet.Type and Protocol values such as TCP, UDP or ICMP, and there is no port filter. Keep in mind that HTTPS payloads are captured encrypted, so a trace only shows the request and response content for plain HTTP. You can then stop the capture and analyze the traffic as described above.
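A filtered capture as an added example (not code from the original post), which also folds in the netsh trace convert step from the analysis section. It goes slightly beyond the command above: because netsh trace has no port filter, the filter here narrows the capture to TCP to or from one web server using the IPv4.Address and Protocol filters, and it prints the filter help first so you can confirm the values your build accepts. The peer address 10.0.0.5, the output path and the 30-second window are constructed for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumed values: the peer address
# 10.0.0.5, the output path and the 30-second window are constructed.

function Show-NetTraceFilterHelp {
    # Prints the capture filter parameters and the values this Windows build
    # accepts. Check it before relying on a Protocol= value in a script.
    netsh trace show capturefilterhelp
}

function Start-FilteredNetTrace {
    param(
        [Parameter(Mandatory)][string]$Address,                      # IPv4 peer, source or destination
        [ValidateSet('TCP','UDP','ICMP')][string]$Protocol = 'TCP',
        [string]$Path = (Join-Path $env:SystemRoot 'Temp\filtered.etl')
    )
    # IPv4.Address matches either direction; Protocol is the IP-level protocol.
    # There is no port filter, so "only HTTP to that server" is expressed as
    # "TCP to/from that server" and the HTTP conversations are picked out later
    # in the analysis tool.
    netsh trace start capture=yes "IPv4.Address=$Address" "Protocol=$Protocol" `
        "tracefile=$Path" maxsize=50 overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    return $Path
}

function Convert-NetTraceToText {
    param([Parameter(Mandatory)][string]$Path)
    # Same conversion the post shows; overwrite=yes so a re-run does not fail on
    # an existing .txt, and dump=txt spelled out although it is the default.
    $txt = [IO.Path]::ChangeExtension($Path, '.txt')
    netsh trace convert "input=$Path" "output=$txt" dump=txt overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace convert failed with exit code $LASTEXITCODE" }
    return $txt
}

Show-NetTraceFilterHelp

$etl = Start-FilteredNetTrace -Address '10.0.0.5' -Protocol TCP
try {
    Write-Host 'Capturing TCP traffic to/from 10.0.0.5 for 30 seconds; make the HTTP request now.'
    Start-Sleep -Seconds 30
}
finally {
    # Always stop, even if the reproduction step throws, so no session is left running.
    netsh trace stop
}

$txt = Convert-NetTraceToText -Path $etl
Get-Item $etl, $txt | Select-Object Name, Length
```

The filter keeps the .etl small enough to copy off a production host comfortably, and the text conversion gives you something to search immediately with Select-String while the file is on its way to a machine with Network Monitor.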

That’s it! With these simple steps, you can capture a network trace without installing any additional software.
