This is missing one of the most useful features of using netsh for this: boot time captures.
By using the "persistent=yes" argument one can cause the capture to keep running through a reboot. This is incredibly useful when trying to troubleshoot something that happens before login. This was very, very difficult before without a tap, span port, etc.
Also, if you'd like to get these in a format that can be read using Wireshark, Microsoft Message Analyzer (mentioned in the original article) can export in .cap format. Or if you want to stick with Microsoft tools just open the ETL in Network Monitor and use it for more traditional frame-oriented capture analysis.
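An added example, not part of the comment above: a PowerShell wrapper around the netsh commands the commenter is describing. The `persistent=yes` argument is the one from the thread; `capture=yes`, `tracefile`, `maxsize` and `overwrite=yes` are standard `netsh trace` arguments. The function names, the output path and the size limit are my own choices and not anything netsh imposes.

```powershell
# Added example: start a netsh packet capture that keeps running through a reboot,
# so traffic generated before logon ends up in the ETL. Must run from an elevated prompt.
# Function names, the trace file path and the size cap are assumptions, not netsh defaults.

function Start-BootCapture {
    param(
        [string]$TraceFile = 'C:\Temp\boot-capture.etl',  # assumed output path
        [int]$MaxSizeMB    = 250                          # assumed cap on ETL size (MB)
    )
    # capture=yes     collect packets, not only ETW provider events
    # persistent=yes  keep the session alive across reboot until 'netsh trace stop'
    # overwrite=yes   replace an older ETL at the same path
    netsh trace start capture=yes persistent=yes "tracefile=$TraceFile" "maxsize=$MaxSizeMB" overwrite=yes
}

function Stop-BootCapture {
    # Stopping finalizes the ETL; open it in Network Monitor or Message Analyzer,
    # or export from Message Analyzer to .cap for Wireshark, as the thread notes.
    netsh trace stop
}

# Typical sequence: start, confirm it is running, reboot, reproduce the pre-logon
# problem, then stop after logging back in.
Start-BootCapture
netsh trace show status      # expect the session to be reported as running before rebooting
# Restart-Computer
# ... after logon and reproduction:
# Stop-BootCapture
```

Note that a persistent trace that is never stopped keeps consuming disk up to `maxsize` and survives further reboots, so always finish with `netsh trace stop` once the capture has what you need.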
very interesting, had no idea the capability was there.
Tried on my own, I see SSID beacons from my wifi card, wifi channel signal levels, then you can go up several layers and see request URIs on HTTP requests. Very nice. More detail, in a parsed format which is filterable, than I would have expected.
edit: indeed, it even handles parsing SSH key exchanges. Very impressive: http://imgur.com/ijQX3Zq
So basically they rebuilt Wireshark? I don't understand why they didn't make it write pcaps and use existing software to analyze it. Perhaps they could even contribute to Wireshark's analyzing capabilities of Microsoft protocols.
Where can you hang out to find out about all the cool Windows stuff?
I've been using Windows forever. Oftentimes you feel like certain things are so so much harder than on a UNIXy system and then BAM it's actually simple but nobody seems to talk about it.
Seems like Windows has a big discoverability problem with dev/admin tools.
There are many Windows tip-centric websites. Otherwise, just start digging through \windows and \windows\system32 and check out the sysinternals and resource kits etc.
I think the key insight here is the availability of the Message Analyzer app -- I haven't used it, but that's a well-supported alternative to the hoops you sometimes have to jump through to run Wireshark.
Yeah, I'd still prefer Wireshark, but this is useful to know about for a variety of situations where it'd perhaps be worthwhile to see something. If only Microsoft just exported to pcap :P
Wireshark is brilliant and my favourite tool for my day to day work (Networking Support), but both Network Monitor and Message Analyzer are different takes on the same problem.
Both Microsoft offerings can read not just cap/pcap files but ETL that could include stack tracing, so you might be able to follow a packet through the computer's networking stack.
Also Message Analyzer has more advanced parsers and shows the information in a different way than Wireshark. I guess that's one of the reasons why I can happily load a 3GB cap file in Wireshark, but I would avoid doing that in Message Analyzer :)
Hey, not sure what happened there but I've used this for years on hundreds of different systems and never had that issue. Not even once as far as I can remember.
I thoroughly recommend it, but if you don't like it and can install Network Monitor, you can use NMCap which is also a command line tool.
But if you install Wireshark does it capture traffic on the LAN (ie that doesn't begin or end with the current PC). I never had any luck with that on Windows.
A wired LAN these days pretty much implies an ethernet switch, and ethernet switches don't send you any frames that should go to another device if they know which port that device is plugged into. You can't sniff traffic that doesn't reach your computer - so this isn't related to using Windows or Wireshark.
Most managed ethernet switches have a span/mirror port though, where you can mirror all traffic to all ports out on a single port, so you can plug into that port to capture your LAN traffic.
Wireless cards can be put in promiscuous mode, and you'll see the packets that reach your computer, but maybe not all the traffic of the wireless network - this is known as the hidden node problem[1].
I wrote a small article about doing this a few years back, for anyone who is interested: https://nuxx.net/blog/2010/08/17/network-capture-during-boot...