Network Trace in Production: Windows netsh trace analyzer

Subhasis Ray
3 min read · Jul 16, 2020


Sometimes we need to capture a network trace to find the cause of slowness or timeouts. If this happens on a production server it is more difficult, since installing a capture tool there is rarely an option. We ran into exactly that situation: we wanted to know how much time each connection or packet transfer was taking.

For that, run the command below on the server whose network traffic you want to trace (netsh is built into Windows, so nothing needs to be installed):

netsh trace start capture=yes tracefile=c:\net.etl persistent=yes ipv4.address == <ip_if_any>

Or a more complex one, with a circular 512 MB buffer and filters on both source and destination addresses:

netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=(192.168.1.55,192.168.1.5) IPv4.DestinationAddress=(192.168.1.55,192.168.1.5) Ethernet.Type=IPv4

Let it run for as long as you want to trace, then stop it with the command below:

netsh trace stop

It takes some time to finish and then writes the file to the path you provided (c:\net.etl). After that you can copy the file to your local computer, where you will do the analysis. You need two pieces of software on that computer:

  1. Microsoft message analyzer
  2. Wireshark

To install Microsoft Message Analyzer (discontinued by Microsoft, so the installer is only available from the Internet Archive), use the link below:

https://web.archive.org/web/20191104120853/https://download.microsoft.com/download/2/8/3/283DE38A-5164-49DB-9883-9D1CC432174D/MessageAnalyzer64.msi

Then install Wireshark from the link below:

https://www.wireshark.org/download.html

After that you need to convert the netsh trace (.etl) into a format Wireshark can read (.cap). To do that, open the .etl file in Microsoft Message Analyzer; this link walks through the steps: https://rbwilson.ca/working-with-netsh-traces-captures

Then use Save As or Export, following the screenshots.

You will now have a .cap file that can be opened in Wireshark. Open Wireshark, click File, then Open, and select the .cap file you just exported. It will open as shown below.

The first thing you will notice is that this doesn’t look like a normal packet capture. The reason is that the converted file contains additional NetMon_Event records, which have to be filtered out to get to the packets we are really after. To do this, add the following display filter in Wireshark:

!netmon_event

Once that is in place you can narrow the view further with a more specific display filter, for example a pair of hosts and the ports of interest:

(ip.addr eq 10.200.40.7 and ip.addr eq 177.189.114.501) and (tcp.port eq 443 and (tcp.port eq 55309 or tcp.port eq 55313))
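As an added example that is not part of the original post, the PowerShell below wraps the netsh capture and the Wireshark display filter described above; the function names are my own, while the netsh keys (IPv4.Address, Ethernet.Type, maxsize, filemode) and the !netmon_event filter are the ones the post uses. It checks every address before it reaches netsh or Wireshark, and joins several client ports with or rather than and, because a single packet only ever carries one source and one destination port.

```powershell
function Test-IPv4Literal {
    param([Parameter(Mandatory)][string]$Address)
    # Four dotted-decimal octets, each 0-255 (catches typos such as an octet of 501).
    $parts = $Address -split '\.'
    if ($parts.Count -ne 4) { return $false }
    foreach ($p in $parts) {
        if ($p -notmatch '^\d{1,3}$' -or [int]$p -gt 255) { return $false }
    }
    return $true
}

function Start-ProdNetTrace {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,       # IPv4 addresses to keep in the capture
        [string]$TraceFile = 'C:\temp\capture.etl',
        [int]$MaxSizeMB = 512                         # circular buffer bounds disk use on the server
    )
    foreach ($h in $Hosts) { if (-not (Test-IPv4Literal $h)) { throw "Not a valid IPv4 address: $h" } }
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # IPv4.Address=(a,b) matches either endpoint, so both directions of the conversation are kept.
    $netshArgs = @(
        'trace', 'start', 'capture=yes', "tracefile=$TraceFile",
        "maxsize=$MaxSizeMB", 'filemode=circular', 'overwrite=yes',
        'report=no', 'correlation=no', 'Ethernet.Type=IPv4',
        "IPv4.Address=($($Hosts -join ','))"
    )
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
}

function Stop-ProdNetTrace {
    param([string]$TraceFile = 'C:\temp\capture.etl')
    & netsh.exe trace stop     # netsh finalizes the .etl here; this can take a while
    if (-not (Test-Path $TraceFile)) { throw "Trace file was not written: $TraceFile" }
    "{0} written, {1:N1} MB; copy it off the server before converting it" -f $TraceFile, ((Get-Item $TraceFile).Length / 1MB)
}

# Wireshark display filter for the converted .cap: drop the NetMon_Event records first,
# then keep only the host pair. Client ports are OR-ed because one packet has two ports, not three.
function New-WiresharkDisplayFilter {
    param([Parameter(Mandatory)][string[]]$Hosts, [int]$ServerPort = 443, [int[]]$ClientPorts = @())
    foreach ($h in $Hosts) { if (-not (Test-IPv4Literal $h)) { throw "Not a valid IPv4 address: $h" } }
    $hostExpr = ($Hosts | ForEach-Object { "ip.addr == $_" }) -join ' and '
    $filter = "!netmon_event and ($hostExpr) and tcp.port == $ServerPort"
    if ($ClientPorts.Count -gt 0) {
        $filter += ' and (' + (($ClientPorts | ForEach-Object { "tcp.port == $_" }) -join ' or ') + ')'
    }
    return $filter
}
```

Calling New-WiresharkDisplayFilter -Hosts 10.200.40.7,192.0.2.10 -ClientPorts 55309,55313 yields a filter that Wireshark accepts, whereas the 501 octet in the post's own example is rejected by Test-IPv4Literal before it ever reaches the filter bar.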

Cheers!!!

Originally published on https://theleadcoder.wordpress.com/2020/07/17/network-trace-in-production-windows-netsh-trace-analyzer/

Originally published at http://theleadcoder.wordpress.com on July 16, 2020.
