
1 Vote
DaveC-2278 asked CandyLuo-MSFT commented

NETSH TRACE packet capture ONLY

I'd like to know if it's ever been considered to add an option to NETSH TRACE CAPTURE=YES which prevents the utility from gathering additional data (and creating cabinet files)?

In other words - how about an option to only get a network capture?

Thanks,
DaveC



windows-server windows-10-network

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

0 Votes 0 ·

Please try to mark the replies which help you. It will encourage the person who helps you.
Appreciate your understanding. :)


0 Votes 0 ·
0 Votes
CandyLuo-MSFT answered

Hi,

Use the following netsh command; it generates only the ETL file:

netsh trace start capture=yes persistent=yes tracefile=c:\nettrace.etl maxsize=2048 overwrite=yes report=disabled

Best Regards,
Candy



1 Vote
GaryNebbett answered CandyLuo-MSFT commented

Hello @DaveC-2278,

I guess that you might have already tried Candy's suggestion ("report=disabled") and found that it did not work. It is a few years since I last looked, but when I investigated this behaviour it seemed as though "report=disabled" was ignored if the user was a member of the Administrators group.

At that time, I switched to using PowerShell to capture packets - the Add-NetEventPacketCaptureProvider uses exactly the same capture mechanism as "netsh trace" (i.e. ndiscap.sys) but without the wasteful report generation.

There is now a new packet capture mechanism available from the command line (in newer versions of Windows 10 - since 1809, I think) - namely PktMon. This can do everything (and more) that ndiscap.sys does and I have now switched to using it.

Gary


Apologies to @CandyLuo-MSFT,

I just tried "report=disabled" and it did indeed work (Windows 10, 21H1). I should have tested it (again) before posting - sorry.

Gary

0 Votes 0 ·

Never mind! We all want to help customers.

0 Votes 0 ·
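
The PowerShell route mentioned in the answer above (Add-NetEventPacketCaptureProvider), sketched as an added example that is not code from any poster in this thread: it produces a single .etl file with no report or cabinet file. The session name, output path, capture duration and truncation length are assumed values; the 2048 MB size limit mirrors maxsize=2048 from the netsh command.

```powershell
#Requires -RunAsAdministrator
# Added example: packet-only capture with the NetEventPacketCapture cmdlets.
# All values below are assumptions chosen for illustration.
$SessionName = 'PacketOnly'                # assumed session name
$TraceFile   = 'C:\Temp\packetonly.etl'    # assumed output path
$Seconds     = 60                          # assumed capture duration

# Make sure the output folder exists before the session tries to write to it.
$dir = Split-Path -Path $TraceFile -Parent
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Clear a leftover session of the same name from an earlier, interrupted run.
if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
    Stop-NetEventSession   -Name $SessionName -ErrorAction SilentlyContinue
    Remove-NetEventSession -Name $SessionName
}

# File-backed session; MaxFileSize is in MB.
New-NetEventSession -Name $SessionName -CaptureMode SaveToFile `
    -LocalFilePath $TraceFile -MaxFileSize 2048 | Out-Null

# Attach the packet capture provider (ndiscap). Keeping only the first
# 128 bytes of each packet limits file size and how much payload is stored.
Add-NetEventPacketCaptureProvider -SessionName $SessionName `
    -TruncationLength 128 | Out-Null

try {
    Start-NetEventSession -Name $SessionName
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop and remove the session so the capture does not keep running.
    Stop-NetEventSession   -Name $SessionName -ErrorAction SilentlyContinue
    Remove-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
}

# Show the only artifact the capture produced.
Get-Item -Path $TraceFile | Select-Object FullName, Length
```
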
0 Votes
DaveC-2278 answered CandyLuo-MSFT commented

Apologies @CandyLuo-MSFT and @GaryNebbett for my delay.

I wish I could accept BOTH of these answers, because they are both very helpful :)

We successfully tested both NETSH (with 'report=disabled' switch) AND pktmon. Seems like PKTMON is the way forward :)

Thank you both very much.

-DaveC


We are pleased to know that the information is helpful to you. Have a nice day! :)

0 Votes 0 ·
0 Votes
DaveC-2278 answered CandyLuo-MSFT commented

Thank you @CandyLuo-MSFT and @GaryNebbett for these suggestions. I'll review and follow up.

-DaveC


We will wait for your new updates.

0 Votes 0 ·