Enabling Windows network tracing with the “netsh trace” commands
Posted: (EET/GMT+2)
I recently needed to monitor the TCP/IP network traffic of a Windows computer, and so far, I've usually reverted to using Wireshark or Windows' own Network Monitor for the task. But I learned recently that you can also capture network traffic on a Windows machine (Windows 7 or Windows Server 2008 R2 or later) directly without adding new software to the computer. This is part of what is called the Network Diagnostic Framework (NDF).
Enabling built-in network tracing on Windows 7 or later is done through the very versatile netsh command. In the "netsh trace" context, there are multiple commands to specify settings and to start and stop traces. Trace output is stored in files, and can be analyzed with different tools or converted to, say, a text file for analysis on the spot.
For example, to enable TCP/IP Internet connectivity related event collection, run the following command:
netsh trace start scenario=InternetClient capture=yes
The "netsh trace" functionality groups its low-level data collection filters into what are called scenarios. A scenario addresses a common monitoring need and enables multiple capture filters as a group. This makes your life easier, and if need be, you can still enable and disable individual filters one by one.
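To show the whole workflow the post describes (inspect a scenario, start a capture, stop it, convert the result to text), here is an added PowerShell example; it is not from the original post. The output directory, file names and the 60-second capture window are assumptions made for the example.

```powershell
# Added example (not from the original post): run a short netsh trace session
# end to end from an elevated PowerShell prompt, then convert the .etl to text.
# The paths below and the 60-second capture window are assumptions.

$TraceDir  = 'C:\Temp\nettrace'            # assumed output location
$TraceFile = Join-Path $TraceDir 'inet.etl'
$TextFile  = Join-Path $TraceDir 'inet.txt'

# netsh trace needs an elevated shell; stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

# Look at the available scenarios, then at the providers InternetClient enables,
# before switching anything on.
netsh trace show scenarios
netsh trace show scenario name=InternetClient

# Start the InternetClient scenario with packet capture, writing to our own file.
# maxsize is in MB; filemode=circular makes the file wrap instead of growing
# without bound, and report=yes asks netsh to bundle supporting diagnostics.
netsh trace start scenario=InternetClient capture=yes `
    tracefile="$TraceFile" maxsize=250 filemode=circular overwrite=yes report=yes

# Confirm the trace is actually running.
netsh trace show status

# Reproduce the connectivity problem here; for the example we simply wait.
Start-Sleep -Seconds 60

# Stop the trace. With report=yes, netsh also writes a .cab next to the .etl
# holding host configuration and other diagnostic data collected at stop time.
netsh trace stop

# Convert the binary .etl to readable text for on-the-spot analysis.
netsh trace convert input="$TraceFile" output="$TextFile" dump=txt overwrite=yes

# List what was produced. The .etl and .cab contain captured packet payloads and
# host configuration, so keep them in a location with restricted access.
Get-ChildItem $TraceDir
```

The .etl file can be opened directly in Network Monitor, which the post mentions, if the text dump is not enough; the text conversion is handy when you only have the machine in front of you and no extra tools installed.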
Hope this helps!