Partilhar via


Network tracing (packet sniffing) built-in to Windows and Windows Server.

 

Applies to:

Windows Server 2016

Windows 10

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Does not apply:

Windows Server 2008

Windows Vista

Windows Server 2003

Windows XP

 

Originally published Dec 2012.  Updated June 2015 and Nov. 2016.

 

In Windows Server’s, if you wanted to capture network packets (for those coming from a Unix background, Packet sniffer or protocol analyzer, or TCPDump), you would have to install an add-on such as Network Monitor (Netmon) or Wireshark (used to be known as Ethereal).  In order to install these products, you would have to go thru a change control process.

Starting with Windows 7 and Windows Server 2008 R2, network capture has been built-in and native to the Windows O.S.

Step 1.  WARNING:  In Windows 7 and Windows Server 2008 R2, you could run into:

2582260 "0x0000000A" Stop error when you perform ETW tracing on the Afd.sys driver in Windows 7 or in Windows Server 2008 R2    

Please make sure to install the hotfix above before you proceed.

Step 2.  Before you capture any network trace, here are questions you should have ready when you are capturing it:

Network tracing (packet sniffing) data to provide when troubleshooting.

Step 3.  Minimize the noise.

Close all the applications that are unnecessary for the issue that you are investigating.

Step 4.  Clear any caching that has been done.

Clear all name resolution cache as well as all cached Kerberos tickets.

To clear DNS name cache you type in: IPConfig /FlushDNS

To clear NetBIOS name cache you type in: NBTStat -R

     Note:  This command requires you to be a “Local Aministrator” (i.e.  CMD ( Run as admin)).

To clear Kerberos tickets will need KList.exe: KList purge

Note:  Depending on what permissions the service or application has, you might have to open a Command Prompt (CMD.exe) using those permissions.  For example:  If the app or service uses the System account, you will need to use Sysinternals Psexec.

PSExec.exe -s -i cmd.exe

And then run the commands above in the new command prompt that opened to clear the cache(s).

i.e.  If you are troubleshooting Internet Explorer (IE), clear the IE cache.

Step 5.  Start, CMD (Run as admin)

Type “Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl” without the quotation marks and then press Enter.

     Note:  Details of all the options are available in the links to more information.

     Note 2:  You always want to take network traces from both sides (sending and receiving).

Step 6.  Reproduce the issue.

Open a second CMD (Run as admin)

When you have the repro, to make the network trace with a ‘marker’ that you are done.

Type “ping 127.0.0.1” without the quotation marks and then press Enter.

 

Step 7.  To stop the network capture

Type “netsh trace stop” without the quotation marks and then press Enter.

Once you have the nettrace.etl file, you could copy it off the server to your Windows client.

In your Windows client, you would use Microsoft Network Monitor 3.4 to analyze the network packets.

In your Windows machine, you could use Microsoft Message Analyzer to analyze the network packets.

More information:

Windows 7 and Windows Server 2008 R2 Scenarios Troubleshoots what type of related issues?
AddressAcquisition address acquisition
DirectAccess DirectAccess
FileSharing common file and printer sharing problems
InternetClient Diagnose web connectivity
InternetServer server-side web connectivity
L2SEC layer 2 authentication
LAN wired LAN
Layer2 layer 2 connectivity
NDIS network adapter
NetConnection network connections
RPC RPC framework
WCN Windows Connect Now
WFP-IPsec Windows Filtering Platform and IPsec
WLAN wireless LAN

 

Hyper-V 2012 R2 core Scenarios Troubleshoots what type of related issues?
AddressAcquisition address acquisition
InternetServer server-side web connectivity
NDIS network adapter
Virtualization network connectivity issues in virtualization environment

 

Windows 10 and Windows Server 2016 Scenarios Troubleshoots what type of related issues?
AddressAcquisition address acquisition
DirectAccess Direct Access 
FileSharing common file and printer sharing
InternetClient Diagnose web connectivity
InternetServer Set of HTTP service counters
L2SEC layer2 authentication
LAN wired LAN 
Layer2 layer2 connectivity
MBN mobile broadband
NDIS network adapter
NetConnection network connections
NetworkSnapshot current network state of the system
P2P-Grouping Peer-to-Peer Grouping
P2P-PNRP Peer Name Resolution Protocol(PNRP)
RemoteAssistance Windows Remote Assistance
Virtualization network connectivity in virtualization environment
WCN Windows ConnectNow
WFP-IPsec Windows Filtering Platform and IPsec
WLAN wireless LAN
XboxMultiplayer Xbox Live Multiplayerc onnectivity

 

Network Tracing in Windows 7

Network Tracing in Windows 7 (Windows)   
Netsh Commands for Trace   
Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7   
Event Tracing for Windows and Network Monitor   
Tool: Installing the Microsoft Message Analyzer version 1.3
How to setup a local network trace using “Start Local Trace” in Message Analyzer v1.3?
How to setup a local network trace on the LAN using Message Analyzer v1.3 UI?

For those administrators that want to learn more and their company has a Premier contract. There is a workshop available called “Netmon for Enterprise Troubleshooting”. Please contact your Technical Account Manager (T.A.M.) about availability in your neck of the woods.

Microsoft Services - Premier Support Proactive Services - Proactive Education

Comments

  • Anonymous
    January 01, 2003
    This sounds great. Yet, only three scenarios on my Windows 2012 Server Core Hyper-V machine (more likely due to the nature of the installation):
  • AddressAcquisitionServer
  • InternetServer
  • NDIS Quick question: if we were to use PowerShell scripts instead of netsh commands, where would you suggest to start (eventually, which WMI objects) ? Thanks, Didier
  • Anonymous
    January 01, 2003
    This is good. I already use this tool and some troubles were resolved.

    • Anonymous
      December 28, 2018
      How can I read the results? I'm specifically looking to trace an API call from a server and the corresponding response for that API call.
  • Anonymous
    September 16, 2014
      Applies to: Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8 Windows Server 2008

  • Anonymous
    December 07, 2014
      This post contains the references and methodology I use when troubleshooting SQL Kerberos issues

  • Anonymous
    May 23, 2015
    ARCHIVED as of May 2015.  Instead look at Tool: Installing the Microsoft Message Analyzer version

  • Anonymous
    May 23, 2015
    Applies to: Windows Server 2012 Windows 8 Windows Server 2008 R2 Windows 7   First published Dec

  • Anonymous
    May 27, 2015
    Applies to: Windows 10 Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8 Windows Server

  • Anonymous
    August 04, 2015
    Applies to: Windows 10   Starting with Windows 10, the “Windows Performance Recorder” (WPR.exe)

  • Anonymous
    August 04, 2015
    Applies to: Windows 10 Windows Server 2012 R2 Windows 7 Windows Server 2012 Windows 8 Windows Server

  • Anonymous
    September 21, 2017
    This post contains the references and methodology I use when troubleshooting SQL Kerberos issues