Packet Analysis

Native Packet Capture in Windows 8

3 min read

There was a time when saying something like “native packet capture in Windows” would get you laughed out of a karaoke bar full of IT geeks. We’ll let that sentence settle in for a second… then tell you that yes, indeed, Windows 8 includes native packet capture, and you can easily integrate it with CloudShark!

This feature can be found using the netsh command. Included among a host of other network tools associated with the command is the trace argument, which can be used to begin and end an network trace. Normally this produces a trace of network log events, but can be turned into packet capture by including the capture=yes argument.

From the command line, this would look like:

netsh trace start capture=yes traceFile=C:\Users\$env:username\Desktop\trace.etl

You can also include the maxSize argument to ensure that the trace file does not exceed a given limit (in MB).

This is all well and good for performing the capture, but unfortunately .etl is a proprietary format for Windows traces, and includes much more data than just the packet captures. Luckily, the Microsoft Message Analyzer package includes a series of cmdlets that lets you convert .etl to .cap. We’ve verified that the cmdlets necessary appear in Windows 8 when you install the Message Analyzer package, and have done up a simple example PowerShell script that lets you start a capture, convert it to .cap, and upload to CloudShark all in one fell swoop:

# CloudShark PowerShell Demo Script
# Free to distribute; Send us improvements and we'll credit and post!
# To use this script you must:
# (1) be in an Admin PowerShell
# (2) you must allow unsigned scripts: run
#     Set-ExecutionPolicy RemoteSigned
# (3) You must have Message Analyzer installed
# (Restart the Admin PowerShell after installing Message Analyzer
#     to load the New-PefTraceSession cmdlets)

# Set this to your CloudShark host
$cloudshark="edge.lan"
# Set this to your CloudShark upload API token
$tok="4fc5d18f2ae74f2c3b75f1879d343d00"

# Size of the capture file, in megabytes.
$maxsize=1

# Clean up any previous session data
If (Test-Path "C:\Users\$env:username\Desktop\OutFile.Cap"){
	Remove-Item "C:\Users\$env:username\Desktop\OutFile.Cap"
}

If (Test-Path "C:\Users\$env:username\Desktop\trace.etl"){
	Remove-Item "C:\Users\$env:username\Desktop\trace.etl"
}
netsh trace stop

# Start a new capture
netsh trace start capture=yes traceFile="C:\Users\$env:username\Desktop\trace.etl" maxSize=$maxsize

$s = New-PefTraceSession -Path "C:\Users\$env:username\Desktop\OutFile.Cap" -SaveOnStop
$s | Add-PefMessageProvider -Provider "C:\Users\$env:username\AppData\Local\Temp\NetTraces\NetTrace.etl"
$s | Start-PefTraceSession

Invoke-RestMethod -uri "http://$cloudshark/api/v1/$tok/upload" -method PUT -inFile "C:\Users\$env:username\Desktop\OutFile.Cap"

As you can see, the collection of PefTraceSession cmdlets lets you convert the etl file into a capture file. We use the maxSize argument to automatically stop the capture. After the file is converted, we use Windows’ Invoke-RestMethod commands to upload to a designated CloudShark Appliance using a specified API key. You could add more features to this script (like automatic tags) by playing around with this script and the CloudShark Upload API.

These additional cmdlets will only work in Windows 8 or Server 2008.

That’s all there is to it! Feel free to give this a try and never hesitate to let us know if it works for you!

Get articles like this in your inbox: