locked
netsh trace Win7 not capturing network packets RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    I've got a problem with netsh trace

    On my laptop at home (Win7 64bit) it works as I would expect using:

    start capture=yes tracefile=c:\scratch\trace1.etl

    stop trace

    ETL file is created and can be opened in message analyzer. I can see all the IP traffic. 

    However I've tried on a few Windows 7 32bit PCs at work the result is different. I start the trace and I can see the ETL file growing but when I stop the trace during the "Correlating traces ..." stage the ETL file shrinks to around 512kb and the when I open it in MA it only contains kernal trace type messages no IP packets. Sorry don't have the exact message, I will check again tomorrow. 

    I'm not sure if this related to how the PCs are locked down or something? I am running netsh in an elevated command window. I've search all over the web but can't find anyone with a similar problem.

    Funny thing is, If I start a live trace in MA it captures correctly.

    Cheers,

    Rhys

    --
    http://blog.rhysgoodwin.com

    Wednesday, July 8, 2015 8:09 AM

Answers

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Rhys,

    I suppose we should stop when the Correlating traces is done.

    To capture IP packets, we could use Network Monitor. It is better to capture and analyze network packets.

    Here is the guide for Network Monitor:
    Network Monitor:
    https://technet.microsoft.com/en-us/library/cc938655.aspx?f=255&MSPPError=-2147217396

    Besides, since the OS is Windows 7, we could post in the forum of Windows 7 for better help.

    Here is the link for the forum:
    https://social.technet.microsoft.com/Forums/windows/EN-US/home?category=w7itproBest Regards,

    Leo

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Leo Han Tuesday, July 21, 2015 5:49 AM
    • Marked as answer by Leo Han Wednesday, July 22, 2015 7:38 AM
    Thursday, July 9, 2015 5:22 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thanks Leo,

    I am aware of Network Monitor (and of course wireshark) however I don't want to install an application everytime I want to capture packets for troubleshooting. That is the point of using netsh trace.

    I posted in this forum because this is a more indepth network issue and I thought I might get more response from networking people than windows desktop people. Afterall netsh is common to servers and desktops. However If you still belive it would be better under the Win7 forum can you please move the thread.

    Attached is an image of what is contained in the trace.

    Cheers,

    Rhys



    Thursday, July 9, 2015 8:17 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Rhys,

    >>when I stop the trace during the "Correlating traces ..."

    From my test, "Correlating traces ..." is shown after entering netsh trace stop. We should not close the Command Prompt window before "Tracing session was successfully stopped". It may cause unexpected results.

    Besides, the Netsh trace context contains predefined sets of trace providers, known as scenarios. Make a check on client.

    Here is the guide for the command:
    Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7:
    https://technet.microsoft.com/en-us/library/dd878517(v=ws.10).aspx#bkmk_TraceUsingTrace

    Best Regards,

    Leo

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 10, 2015 2:34 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thanks Leo.

    Sorry I wasn't clear. I'm not closing the window or interrupting the process in anyway. When I stop the trace e.g. netsh trace stop

    The process completes. However during the "Correlating traces" stage I can see the ETL file shrinking. 

    I have tried various scenario settings including LAN and NDIS but this hasn't helped. 

    Thanks for the link but I do know how to use netsh trace I have used it successfully on Windows 7 and Windows 2008 R2 in the past. 

    However there is something about the configuration on these workstations that is preventing it from working this thread is about trying to troubleshoot that situation. 

    Sunday, July 12, 2015 12:25 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Rhys,

    I'm not familiar with Windows 7. Since it works on 64bit version, I'm not sure if there is any difference between 64bit and 32bit. We may post in the Windows 7 forum for more information.

    Best Regards,

    Leo

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, July 14, 2015 6:40 AM