Network tracing (packet sniffing) built-in to Windows Server 2008 R2 and Windows Server 2012.


Applies to:

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

 

In earlier Windows Server releases, if you wanted to capture network packets (what those coming from a Unix background would call a packet sniffer or protocol analyzer, such as tcpdump), you had to install an add-on such as Network Monitor (Netmon) or Wireshark (formerly known as Ethereal).  Installing these products meant going through a change control process.

Starting with Windows 7 and Windows Server 2008 R2, network capture is built into the Windows operating system, so no add-on is required.

WARNING:  In Windows 7 and Windows Server 2008 R2, you could run into:

2582260 "0x0000000A" Stop error when you perform ETW tracing on the Afd.sys driver in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/?id=2582260

Please make sure to install the hotfix above before you proceed.

Start, CMD (Run as admin)

Type “Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl” without the quotation marks and then press Enter.

     Note:  Details of all the options are available in the links under "More information" below.

     Note 2:  You always want to take network traces from both sides (sending and receiving).

Reproduce the issue.

Open a second CMD (Run as admin)

When you have the repro, put a ‘marker’ in the network trace so you can tell where the repro ends:

Type “ping 127.0.0.1” without the quotation marks and then press Enter.

To stop the network capture

Type “netsh trace stop” without the quotation marks and then press Enter.

Once you have the nettrace.etl file, you could copy it off the server to your Windows client.

In your Windows client, you would use Microsoft Network Monitor 3.4 to analyze the network packets.
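The same start, repro, marker and stop sequence as a single PowerShell script, added here as an example (it is not part of the original post). It uses exactly the netsh options and trace path shown above and assumes it is run from an elevated PowerShell window on one of the listed Windows versions with the hotfix already installed.

```powershell
# Added example: wraps the netsh trace procedure from this post in one script.
# Assumptions (not from the original post): elevated PowerShell window on
# Windows 7 / Server 2008 R2 / Server 2012, hotfix 2582260 already installed.
param(
    [string]$TraceFile = 'C:\Logs\NetTrace.etl',   # same path as in the post
    [string]$Scenario  = 'NetConnection'            # any name from the scenario table
)

# netsh trace needs an elevated prompt; stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

# Make sure the target folder exists so netsh does not fail on an unknown path.
$folder = Split-Path -Parent $TraceFile
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Start the capture with the options used in the post.
netsh trace start "scenario=$Scenario" capture=yes report=yes persistent=no `
    maxsize=1024 correlation=yes "traceFile=$TraceFile"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# Reproduce the issue now; the script waits until you come back.
Read-Host -Prompt 'Capture running. Reproduce the issue, then press Enter'

# Loopback ping is the end-of-repro marker from the post; easy to spot in the trace.
ping 127.0.0.1 | Out-Null

# Stop the capture. With report=yes, netsh also builds a .cab next to the .etl;
# this step can take a while as it correlates and packages the data.
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# List what to copy off the server for analysis in Network Monitor 3.4.
$cab = [IO.Path]::ChangeExtension($TraceFile, '.cab')
Get-Item $TraceFile, $cab -ErrorAction SilentlyContinue |
    Select-Object Name, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime
```

Run it from both the sending and receiving machine, as Note 2 above recommends, and copy the listed files to your client for analysis.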

More information:

Scenario             Troubleshoots what type of related issues?
AddressAcquisition   address acquisition
DirectAccess         DirectAccess
FileSharing          common file and printer sharing problems
InternetClient       web connectivity (client side)
InternetServer       server-side web connectivity
L2SEC                layer 2 authentication
LAN                  wired LAN
Layer2               layer 2 connectivity
NDIS                 network adapter
NetConnection        network connections
RPC                  RPC framework
WCN                  Windows Connect Now
WFP-IPsec            Windows Filtering Platform and IPsec
WLAN                 wireless LAN

Network Tracing in Windows 7
http://technet.microsoft.com/en-us/library/ee918726(v=ws.10).aspx

Network Tracing in Windows 7 (Windows)
http://msdn.microsoft.com/en-us/library/windows/desktop/dd569136(v=vs.85).aspx

Netsh Commands for Trace
http://technet.microsoft.com/en-us/library/dd878498(v=WS.10).aspx

Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/library/dd878517(v=WS.10).aspx

Event Tracing for Windows and Network Monitor
http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx

For administrators who want to learn more and whose company has a Premier contract, there is a workshop called “Netmon for Enterprise Troubleshooting”. Please contact your Technical Account Manager (T.A.M.) about availability in your neck of the woods.

Microsoft Services - Premier Support Proactive Services - Proactive Education

Comments
  • This is good.

    I already use this tool and some troubles were resolved.

  • This sounds great.

    Yet, only three scenarios on my Windows 2012 Server Core Hyper-V machine (more likely due to the nature of the installation):

    - AddressAcquisitionServer

    - InternetServer

    - NDIS

    Quick question: if we were to use PowerShell scripts instead of netsh commands, where would you suggest starting (eventually, which WMI objects)?

    Thanks,

    Didier
