Discrepencies between packet capture with netsh and new-neteventsession RRS feed

  • Question

  • I'm trying to capture packets and grab Cisco CDP broadcasts on PCs so I can log the information if a PC moves locations.

    When I capture with netsh, I can open the ETL file in Microsoft Message Analyzer, I can drill down in the CDP packets and read the raw text just fine.

    When I do the same with new-neteventsession, those same packets have a truncated payload.

    I will show you the commands I'm using for the data.


    netsh trace start capture=YES traceFile=c:\temp\cdptrace.etl Ethernet.DestinationAddress=01-00-0c-cc-cc-cc 
    PING -n 1 -w 60000 >NUL
    netsh trace stop


    $tracefullpath = "c:\temp\cdptrace.etl"
    New-NetEventSession -Name "Capture" -CaptureMode SaveToFile -LocalFilePath $tracefullpath
    Add-NetEventPacketCaptureProvider -SessionName "Capture" -Level 5 -CaptureType Physical -LinkLayerAddress "01-00-0c-cc-cc-cc"
    Start-NetEventSession -Name "Capture"
    Start-Sleep -s 60
    Stop-NetEventSession -Name "Capture"
    Remove-NetEventSession -Name "Capture"

    With the netsh capture, the payload size in the CDP packet is 3784 bits, the same payload in powershell is 848 bits.

    The truncated packets from powershell are also flagged in Microsoft Message Analyzer

    Type: Validation

    Level: Warning

    Message: Ethernet: The LengthOrType in message Frame is not equal to the length of MacClientData.

    Also if in PowerShell I try to specify EtherType 0x2000, it skips the CDP packets all together. But when I capture normally, it does show the decoded packets are EtherType 0x2000.

    I would almost say there's a bug here, but I wanted to confirm with some others before I jump to that conclusion.

    • Edited by Stonent Monday, July 3, 2017 10:59 PM
    Monday, July 3, 2017 10:54 PM

All replies

  • Hi Stonent,

    >>With the netsh capture, the payload size in the CDP packet is 3784 bits, the same payload in powershell is 848 bits.

    sorry but we can't reproduce your issue.

    My suggestion is : try running these codes in powershell  console or ISE with noprofile to see if it helps.

    Here is the command: open cmd, typepowershell -NoProfile

    Besides, you could post a feedback on link below:

    Powershell User voice:


    Best regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 4, 2017 4:21 AM