Windows Server includes a built-in packet capture tool, exposed through the netsh utility. Because it ships with the OS and needs no additional software installed, it can be preferable to other packet sniffing/capturing tools such as Wireshark or NetMon. One particularly useful feature of netsh trace is the ability to capture packets during startup.
To start a packet capture with netsh trace, first launch an administrative command prompt window. Then enter the following command:
netsh trace start capture=yes
The packet capture will begin. To stop the packet capture, use the following command:
netsh trace stop
After the capture is stopped, netsh will output two files (NetTrace.cab and NetTrace.etl) in the current user's %temp% folder.
Note that starting a packet capture will "bounce" (reset) all active connections! If run on a Mobility server, all client connections will be terminated with disconnect reason 69: "The client session no longer exists on the server". Clients will reconnect within seconds, but session persistence is disrupted.
Other useful netsh trace options
To restrict the capture to a particular source or destination address (much like a capture filter in Wireshark), use the IPv4.Address=x.x.x.x switch, as in the following example:
netsh trace start capture=yes IPv4.Address=192.168.0.1
Capturing packets during startup can be done with the persistent=yes switch. When persistent=yes is specified, the capture runs even after a reboot and is only stopped with netsh trace stop.
netsh trace start capture=yes persistent=yes
By default the maximum capture size is 250MB; once that size is reached, netsh trace wraps around and overwrites the capture from the beginning (a circular buffer). To specify a larger maximum capture size, use the maxSize=xxxx switch. The size is specified in MB. The following example sets a maximum size of 2048MB:
netsh trace start capture=yes maxSize=2048
Multiple flags can be freely used together to configure a trace that suits the troubleshooting scenario. For a full description of netsh trace features and options, refer to Microsoft's documentation.
Working with .etl files
After a trace is completed, the captured packets will be contained in the resulting .etl file. The .etl file can be opened with Microsoft Message Analyzer, or converted with a utility such as etl2pcapng for viewing in another program such as Wireshark.
NetMon 3.4 can also open .etl capture files directly. To do so, you must first enable the Windows parser profile: open the .etl file in NetMon, go to Tools -> Options -> Parser Profiles, then right-click the "Windows" profile and choose "Set As Active".
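As an added example (not a script from the original article or from Microsoft), the following PowerShell wrapper combines the switches described above into one bounded capture and then converts the resulting .etl with etl2pcapng for Wireshark. It assumes an elevated session, that etl2pcapng.exe is on the PATH, and uses tracefile= (a netsh trace option not covered above) to pin the output location; the address and sizes are constructed sample values.

```powershell
# Added example, not part of the original article.
# Starts a filtered, size-bounded netsh trace, stops it after a fixed
# interval and converts the .etl to .pcapng with etl2pcapng for Wireshark.
# Assumes an elevated PowerShell session and etl2pcapng.exe on the PATH.
# Remember that starting the trace resets active connections (see above).
param(
    [string]$Address         = '192.168.0.1',   # constructed sample address
    [int]   $MaxSizeMB       = 512,
    [int]   $DurationSeconds = 60,
    [string]$TraceFile       = (Join-Path $env:TEMP 'NetTrace.etl'),
    [string]$Etl2Pcapng      = 'etl2pcapng.exe'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh trace requires an elevated (administrator) prompt.'
}

# tracefile= pins the output path instead of relying on the default under %temp%.
$startArgs = @(
    'trace', 'start', 'capture=yes',
    "IPv4.Address=$Address",
    "maxSize=$MaxSizeMB",
    "tracefile=$TraceFile"
)
Write-Host "Starting capture: netsh $($startArgs -join ' ')"
& netsh @startArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Capturing for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the trace; otherwise it keeps running and writing to disk.
    & netsh trace stop
}

if (-not (Test-Path $TraceFile)) { throw "Expected trace file not found: $TraceFile" }

$pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
if (Get-Command $Etl2Pcapng -ErrorAction SilentlyContinue) {
    & $Etl2Pcapng $TraceFile $pcapng
    Write-Host "Converted capture written to $pcapng (open in Wireshark)."
} else {
    Write-Host "etl2pcapng not found; open $TraceFile in Message Analyzer or NetMon."
}
```

The finally block guarantees netsh trace stop runs even if the wait is interrupted, which matters because a trace left running continues to fill its circular buffer until stopped.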