OS: Windows 2012 R2

For years, I used to get upset when I knew that a simple network trace would give me the answer to an issue only to find that netmon or an equivalent was not installed on the server. Well, with the later versions of Windows, the “netsh trace” command is there to help. Netsh is a very powerful command that I continue to turn to for help.

Just a few of the “netsh trace” options:
report: Creates an HTML report file that I found pretty useless. However, this also creates a CAB file that contains potentially a lot of useful information.
scenario: You can choose different scenarios. To determine the list of possible scenarios, you can look at the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetTrace\Scenarios]

Or you can do:
netsh trace show scenarios

I chose NetConnection, but I just wanted to capture the traffic.
persistent: If yes, the trace will restart when the server is rebooted. Would almost never want that on, which is the default.
maxsize: To specify the maximum size of the trace file. the default is 250MB.
correlation: The will try to group related packets together.
tracefile: The name and location of where you want the file(s) to be saved.

Start a trace:

C:\>netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes tracefile=trace.etl

Trace configuration:
——————————————————————-
Status: Running
Trace File: trace
Append: Off
Circular: On
Max Size: 1024 MB
Report: On

Stop a trace:

C:\>netsh trace stop
Correlating traces … done
Merging traces … done
Generating data collection and report … done
The trace file and additional troubleshooting information have been compiled as
“C:\trace.cab”.
Tracing session was successfully stopped.

If you open up the etl file using NetMon and see the following messages in the description:

MicrosoftWindowsTCPIP: Windows stub parser: Requires full Common parsers. See the “How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)” help topic for tips on loading these parser sets.

Then, you need to enable to Windows Parser under Parser Profiles in Network Monitor. In version 3.4, it is in the top right corner of the window. In the Options, you can set it to be the default parser profile.