Capture network packets in Windows and visualize in Wireshark

From Luniwiki

Capture packets natively from Windows

When Wireshark cannot be installed on the machine, Microsoft's built-in packet capture command netsh can be used instead.

Display Windows capture interfaces

>netsh trace show interfaces
Wireless LAN adapter Wi-Fi:
   Description:     Dell Wireless 1560 802.11ac
   Interface GUID:  {85001906-73BC-4911-A36C-5431E7DF030E}
   Interface Index: 19
   Interface Luid:  0x47008000000000

Start capturing packets

>netsh trace show status
There is no trace session currently in progress

We launch the packet capture.

>netsh trace start capture=yes CaptureInterface="Wi-Fi" tracefile=wificap.etl

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Development\work\wificap.etl
Append:             Off
Circular:           On
Max Size:           512 MB
Report:             Off

Once finished, we stop the capture.

>netsh trace stop
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\Development\work\wificap.cab".
File location = C:\Development\work\wificap.etl
Tracing session was successfully stopped.

Convert etl file to pcap file

Microsoft's GitHub hosts a tool, etl2pcapng, that converts etl files to pcapng files readable by Wireshark.

Download etl2pcapng

Download etl2pcapng from GitHub https://github.com/microsoft/etl2pcapng/releases

# wget -q https://github.com/microsoft/etl2pcapng/releases/download/1.5.0/etl2pcapng.zip
# unzip etl2pcapng.zip
Archive:  etl2pcapng.zip
   creating: etl2pcapng/
   creating: etl2pcapng/x64/
  inflating: etl2pcapng/x64/etl2pcapng.exe
  inflating: etl2pcapng/x64/etl2pcapng.pdb
   creating: etl2pcapng/x86/
  inflating: etl2pcapng/x86/etl2pcapng.exe
  inflating: etl2pcapng/x86/etl2pcapng.pdb

Convert etl file to pcap

>etl2pcapng\etl2pcapng\x64\etl2pcapng.exe
etl2pcapng <infile> <outfile>
Converts a packet capture from etl to pcapng format.
>etl2pcapng\etl2pcapng\x64\etl2pcapng.exe wificap.etl wificap.cap
IF: medium=wifi ID=0    IfIndex=19
Converted 2161 frames
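The steps above (check for a running session, start the trace on a named interface, stop it, convert the etl file) can be chained into one script so a capture is never left running by accident. The following PowerShell script is an added example and is not part of the original wiki page or the etl2pcapng project; it assumes an elevated PowerShell prompt, an interface name as listed by "netsh trace show interfaces", and etl2pcapng.exe at the path given by $Etl2PcapngPath (the unzip location from the previous section is used as the default).

```powershell
# Added example (not from the original page): run the netsh trace capture and
# the etl2pcapng conversion end to end.
# Assumptions: elevated PowerShell, interface name known, etl2pcapng.exe unzipped
# at $Etl2PcapngPath.
param(
    [string]$InterfaceName  = "Wi-Fi",
    [int]$DurationSeconds   = 30,
    [string]$TraceFile      = (Join-Path $PWD "wificap.etl"),
    [string]$Etl2PcapngPath = ".\etl2pcapng\etl2pcapng\x64\etl2pcapng.exe"
)

# netsh trace requires an elevated session; fail before starting rather than mid-capture.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell prompt."
}

# Refuse to start if another trace session is already in progress.
# The output is joined into one string so -notmatch yields a boolean, not an array.
$status = (netsh trace show status) -join "`n"
if ($status -notmatch "no trace session") {
    throw "A netsh trace session is already running:`n$status"
}

# Confirm the interface name appears in the capture interface list.
$interfaces = (netsh trace show interfaces) -join "`n"
if ($interfaces -notmatch [regex]::Escape($InterfaceName)) {
    throw "Interface '$InterfaceName' not listed by 'netsh trace show interfaces'."
}

# Start the capture. capture=yes records packets; maxsize (MB) bounds the circular
# trace file; report=disabled skips the .cab of diagnostic data that netsh otherwise
# collects at stop time.
netsh trace start capture=yes captureInterface="$InterfaceName" tracefile="$TraceFile" maxsize=512 overwrite=yes report=disabled
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing on '$InterfaceName' for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the trace, even on Ctrl+C, so no session keeps writing to disk.
    netsh trace stop | Out-Null
}

# Convert the etl file to pcapng so Wireshark can open it.
if (-not (Test-Path $Etl2PcapngPath)) {
    throw "etl2pcapng.exe not found at '$Etl2PcapngPath'."
}
$pcapFile = [IO.Path]::ChangeExtension($TraceFile, ".pcapng")
& $Etl2PcapngPath $TraceFile $pcapFile
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

Write-Host "Capture converted: $pcapFile"
```

Run it as `.\capture.ps1 -InterfaceName "Wi-Fi" -DurationSeconds 60`. The try/finally matters because a netsh trace session persists independently of the shell that started it: if the script is interrupted without calling `netsh trace stop`, the capture keeps running and the next "netsh trace start" will fail with the session-in-progress error shown above. Note that without report=disabled, netsh also writes the .cab file seen in the original output, which bundles additional system diagnostics alongside the packet data; treat it with the same care as the capture itself.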

View the file in WireShark

(Screenshot: Wireshark etl2pcap.png, the converted capture opened in Wireshark)
