Network trace without NetMon, WireShark, etc…
It is often necessary to capture and analyze some network traffic to troubleshoot a problem. Usually, it requires to install some software package similar to several stated in the subject to this article. It’s ok, when the computer in question is, say, your laptop, or its user is at least advanced user, has administrative permissions and it is permitted by a security policy to install some new software. But what if it is not the case? A user is some sales manager who don’t want to spend their time installing anything? Or this is a server, where you cannot change anything?
To cut a long story short, recently I’ve run into a totally awesome blogpost, where among other truly interesting things (the blog is in the top 5 of my most favorite, if not the most interesting, BTW) there was a solution for such a situation.
In short, you don’t have to install, say, Network Monitor onto a Windows7/2008 R2 box to get network capture. It can be done with the built-in tool, that is netsh. You still need
1) to be a local admin on the computer you are tracing
2) NetMon to analyze the package you receive after the capture is complete. But you can do it on any computer you wish.
How does it work? Just excellent ;)
1) Start the trace
netsh trace start capture=yes tracefile=<PathToFile>
2) Then reproduce the problem. I started my chrome (to much open tabs in IE ;) ) and went to www.microsoft.com.
3) Then stop the trace:
netsh trace stop
Please notice, that the trace created two files: .etl and .cab. The ETL one is where our network trace is placed. The second… It makes the method even more awesome, but I will dedicate the next blog post to it.
4) Open the trace on any computer where you have Network Monitor installed:
Oops… What’s with parsers? If we take a closer look at the interface we’ll see the following:
Process: Windows stub parser: Requires full Common parsers. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading these parser sets.
Well, some parsers are definitely not turned on. Let’s do it now, it’s easy (I have NetMon 3.4). Go to tools->options
Look at Parser Profiles tab:
and turn on the Windows profile by right clicking it and selecting Set As Active option:
That’s what we were looking for:
5) Now do all the NetMon stuff, for example I was looking for Chrome activity and, say, I need to look at DNS requests:
Isn’t that great? No, it is simply awesome, because we haven’t yet take a look at .cab file, which contains tons of useful info. But we’ll do it in the next article.