29 comments

[ 3.4 ms ] story [ 79.9 ms ] thread
An even cheaper and simpler option is to run Netstat -a >> c:\netstat.txt and analyze the text file.
It looks like you get far more information from the netsh method than you do with a Netstat, though.
not even close, sorry.
netstat -a only shows (open) connections. With netsh you can capture the actual traffic and later analyze the content of the communication.
Comparing a packet capture with the output of netstat is like comparing an x-ray image of your brain with your latest selfie.
I think the key insight here is the availability of Message Analyzer app -- I haven't used it but that's a good alternative that's supported than the hoops you sometimes have to join to run Wireshark.
Look at it closely. It's neat, but it is different from the frame-oriented approach of Wireshark / Network Monitor. It's great, but... different.
Yes and frustratingly they have deprecated Network Mon at version 3.4 in favour of Message Analyser, so grab a copy while you still can.
Yeah, I'd still prefer Wireshark but this is useful to know about for a variety of situations where it'd perhaps be worthwhile to see something.. if only Microsoft just exported to pcap :P
Microsoft Message Analyzer can do the translation for you.
(comment deleted)
Hey it works!, great now I have an alternative to Wireshark.
Tried running a capture while downloading a large file in Firefox and the download failed when I started the capture.

Wouldn't recommend running this on a server.

(comment deleted)
Were you the host or the client in this download?
Hey, not sure what happened there but I've used this for years on hundreds of different systems and never had that issue. Not even once as far as I can remember.

I thoroughly recommend it, but if you don't like it and can install Network Monitor, you can use NMCap which is also a command line tool.

very interesting, had no idea the capability was there. Tried on my own, I see SSID beacons from my wifi card, wifi channel signal levels, then you can go up several layers and see request URI's on HTTP requests.. very nice. More detail, in a parsed format which is filterable than I would have expected..

edit: indeed, it even handles parsing SSH key exchanges.. very impressive: http://imgur.com/ijQX3Zq

So basically they rebuilt Wireshark? I don't understand why they didn't make it write pcaps and use existing software to analyze it. Perhaps they could even contribute to Wireshark's analyzing capabilities of Microsoft protocols.
This is missing one of the most useful features of using netsh for this: boot time captures.

By using the "persistent=yes" argument one can cause the capture to keep running through a reboot. This is incredibly useful when trying to troubleshoot something that happens before login. This was very, very difficult before without a tap, span port, etc.

I wrote a small article about doing this a few years back, for anyone who is interested: https://nuxx.net/blog/2010/08/17/network-capture-during-boot...

Also, if you'd like to get these in a format that can be read using Wireshark, Microsoft Message Analyzer (mentioned in the original article) can export in .cap format. Or if you want to stick with Microsoft tools just open the ETL in Network Monitor and use it for more traditional frame-oriented capture analysis.

But if you install Wireshark does it capture traffic on the LAN (ie that doesn't begin or end with the current PC). I never had any luck with that on Windows.
Not unless (a) your PC is routing traffic or (b) your PC is connected to a hub vs. a switch [1].

Unless one of these things is happening (even if your card is in promiscuous mode), those packets won't make it into your machine.

[1] http://www.webopedia.com/DidYouKnow/Hardware_Software/router...

A wired LAN these days pretty much imply an ethernet switch, ethernet switches doesn't send you any frames that should go to another device if it knows which port that device is plugged into. You can't sniff traffic that doesn't reach your computer - so this isn't related to using Windows or Wireshark.

Most managed ethernet switches have a span/mirror port though, where you can mirror all traffic to all ports out on a single port, so you can plug into that port to capture your LAN traffic.

I wonder why they chose to write their own packet analyzer while so much work has been put into Wireshark's one. Why not use existing software?
Wireshark is brilliant and my favourite tool for my day to day work (Networking Support), but both Network Monitor and Message Analyzer are different takes on the same problem.

Both Microsoft offerings can read not just cap/pcap files but ETL that could include stack tracing, so you might be able to follow a package through the computer's networking stack.

Also Message Analyzer has more advanced parsers and shows the information in a different way than Wireshark. I guess that's one of the reasons why I can happily load a 3GB cap file in Wireshark, but I would avoid doing that in Message Analyzer :)

Does anyone know if this captures loopback traffic? Wireshark wont do that out of the box, you need a separate utility.
Where can you hang out to find out about all the cool Windows stuff? I've been using Windows forever. Oftentimes you feel like certain things are so so much harder than on a UNIXy system and then BAM it's actually simple but nobody seems to talk about it. Seems like Windows has a big discoverability problem with dev/admin tools.
There are many Windows tip-centric websites. Otherwise, just start digging thru \windows and \windows\system32 and check out the sysinternals and resource kits etc.