Applies to:

Windows Server vNext

Windows 10

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Does not apply:

Windows Server 2008

Windows Vista

Windows Server 2003

Windows XP


Originally published Dec 2012.  Updated June 2015.


In Windows Server’s, if you wanted to capture network packets (for those coming from a Unix background, Packet sniffer or protocol analyzer, or TCPDump), you would have to install an add-on such as Network Monitor (Netmon) or Wireshark (used to be known as Ethereal).  In order to install these products, you would have to go thru a change control process.

Starting with Windows 7 and Windows Server 2008 R2, network capture has been built-in and native to the Windows O.S.

Step 1.  WARNING:  In Windows 7 and Windows Server 2008 R2, you could run into:

2582260 "0x0000000A" Stop error when you perform ETW tracing on the Afd.sys driver in Windows 7 or in Windows Server 2008 R2     

Please make sure to install the hotfix above before you proceed.

Step 2.  Before you capture any network trace, here are questions you should have ready when you are capturing it:

Network tracing (packet sniffing) data to provide when troubleshooting.

Step 3.  Minimize the noise.

Close all the applications that are unnecessary for the issue that you are investigating.

Step 4.  Clear any caching that has been done.

Clear all name resolution cache as well as all cached Kerberos tickets.

To clear DNS name cache you type in: IPConfig /FlushDNS

To clear NetBIOS name cache you type in: NBTStat -R

     Note:  This command requires you to be a “Local Aministrator” (i.e.  CMD ( Run as admin)).

To clear Kerberos tickets will need KList.exe: KList purge

Note:  Depending on what permissions the service or application has, you might have to open a Command Prompt (CMD.exe) using those permissions.  For example:  If the app or service uses the System account, you will need to use Sysinternals Psexec.

PSExec.exe -s -i cmd.exe

And then run the commands above in the new command prompt that opened to clear the cache(s).

i.e.  If you are troubleshooting Internet Explorer (IE), clear the IE cache.

Step 5.  Start, CMD (Run as admin)

Type “Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl” without the quotation marks and then press Enter.

     Note:  Details of all the options are available in the links to more information.

     Note 2:  You always want to take network traces from both sides (sending and receiving).

Step 6.  Reproduce the issue.

Open a second CMD (Run as admin)

When you have the repro, to make the network trace with a ‘marker’ that you are done.

Type “ping” without the quotation marks and then press Enter.


Step 7.  To stop the network capture

Type “netsh trace stop” without the quotation marks and then press Enter.

Once you have the nettrace.etl file, you could copy it off the server to your Windows client.

In your Windows client, you would use Microsoft Network Monitor 3.4 to analyze the network packets.

In your Windows machine, you could use Microsoft Message Analyzer to analyze the network packets.

More information:

Scenarios Troubleshoots what type of related issues?
AddressAcquisition address acquisition
DirectAccess DirectAccess
FileSharing common file and printer sharing problems
InternetClient Diagnose web connectivity
InternetServer server-side web connectivity
L2SEC layer 2 authentication
LAN wired LAN
Layer2 layer 2 connectivity
NDIS network adapter
NetConnection network connections
RPC RPC framework
WCN Windows Connect Now
WFP-IPsec Windows Filtering Platform and IPsec
WLAN wireless LAN

Network Tracing in Windows 7

Network Tracing in Windows 7 (Windows)   
Netsh Commands for Trace   
Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7   
Event Tracing for Windows and Network Monitor   
Tool: Installing the Microsoft Message Analyzer version 1.3
How to setup a local network trace using “Start Local Trace” in Message Analyzer v1.3?
How to setup a local network trace on the LAN using Message Analyzer v1.3 UI?

For those administrators that want to learn more and their company has a Premier contract. There is a workshop available called “Netmon for Enterprise Troubleshooting”. Please contact your Technical Account Manager (T.A.M.) about availability in your neck of the woods.

Microsoft Services - Premier Support Proactive Services - Proactive Education