Netsh

Introduction

Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Netsh commands can be run by typing commands at the netsh shell and be used in batch files or scripts. Remote computers and the local computer can be configured by using netsh commands.

Installation

Requirements:

  • Functional computer running Windows

Syntax

netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *] [Command | -f ScriptFile]

Usage

Network Trace

Open Command Prompt as Administrator (netsh trace requires an elevated session).

Execute the following command to start the network capture and write it to a file:

netsh trace start capture=yes tracefile=pathtofile\icmp_trace.etl

Execute the following command to stop the network capture:

netsh trace stop

Convert .etl to .pcapng

Download etl2pcapng from the official GitHub repository

Execute the following command to convert the .etl file to .pcapng format

etl2pcapng.exe in.etl out.pcapng

Viewing the PCAP

Use a packet analysis tool such as Wireshark

In Wireshark, look for the "Process ID" (PID) information in the packet details. This information is not part of the standard packet headers (IP, TCP and so on); it comes from the ETW (Event Tracing for Windows) metadata stored in the ETL file, which etl2pcapng carries over into the PCAPNG. When you load the converted PCAPNG file in Wireshark, you should see this additional metadata, including the PID associated with each packet.
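The capture, stop and convert steps above, driven end to end from PowerShell, as an added example that is not part of the original page. It assumes etl2pcapng.exe is on PATH or at the path given; $OutDir, $DurationSeconds and $Etl2PcapngPath are names chosen for this script, not netsh or etl2pcapng parameters.

```powershell
# Added example (not from the original page): run a timed netsh capture,
# stop it, and convert the .etl to .pcapng with etl2pcapng.
param(
    [string]$OutDir = "$env:TEMP\netsh_trace",   # assumed output location
    [int]$DurationSeconds = 30,                   # assumed capture length
    [string]$Etl2PcapngPath = "etl2pcapng.exe"    # assumed to be on PATH
)

# netsh trace needs an elevated prompt; fail before starting a half-capture.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl    = Join-Path $OutDir "icmp_trace.etl"
$pcapng = Join-Path $OutDir "icmp_trace.pcapng"

# Same command as the manual step; overwrite=yes avoids failing on a
# file left behind by an earlier run.
netsh trace start capture=yes tracefile="$etl" overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }

try {
    Write-Host "Capturing for $DurationSeconds seconds..."
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Always stop the session; otherwise it keeps writing after the script exits.
    netsh trace stop
}

if (-not (Test-Path $etl)) { throw "Expected trace file not found: $etl" }

# Convert with etl2pcapng (Microsoft's converter, downloaded separately).
& $Etl2PcapngPath $etl $pcapng
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $pcapng)) {
    throw "etl2pcapng conversion failed"
}

$size = (Get-Item $pcapng).Length
Write-Host "Wrote $pcapng ($size bytes); open it in Wireshark."
```

etl2pcapng stores the PID as a per-packet comment, so in Wireshark it appears under the packet comments in the packet details and can be matched with a display filter on frame.comment.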

Official Manual

https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
