How to Capture Traffic on Proxy using NetSh on Windows
Sometimes support might ask you to capture the traffic that passes through the proxy at the network level. This short article explains how to do that using tools built into Microsoft Windows.
Start the Capture
To start the capture, log on to the server where the Web Filtering Proxy is installed, open a command prompt as Administrator and run the following command (the command should be on one line).
netsh trace start capture=yes tracefile=.\%computername%.etl maxsize=1024 filemode=circular
The output of the command should indicate the successful start of the capture. Note that the capture runs in the background until you manually stop it.
c:\Users\Administrator.DILADELE\Downloads\tracing>netsh trace start capture=yes tracefile=.\WINPROXY-AD.etl maxsize=1024 filemode=circular

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\WINPROXY-AD.etl
Append:             Off
Circular:           On
Max Size:           1024 MB
Report:             Off
Stop the Capture
Reproduce the problem, then stop the capture by running the following command in the same Administrator command prompt.
netsh trace stop
The output of the command should indicate that the network packets were captured successfully.
c:\Users\Administrator.DILADELE\Downloads\tracing>netsh trace stop
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "c:\Users\Administrator.DILADELE\Downloads\tracing\WINPROXY-AD.cab".
File location = c:\Users\Administrator.DILADELE\Downloads\tracing\WINPROXY-AD.etl
Tracing session was successfully stopped.
Convert and Analyze
Send the two files (WINPROXY-AD.etl and WINPROXY-AD.cab in our case) to email@example.com for decoding and analysis. If you need to decode them yourself, use the etl2pcapng tool listed in the references.
etl2pcapng.exe WINPROXY-AD.etl WINPROXY-AD.pcap
IF: medium=eth ID=0 IfIndex=5 VlanID=0
Converted 7440 frames
The resulting file WINPROXY-AD.pcap can then be analyzed with the Wireshark application.
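The three steps above combined into one PowerShell script, added here as an example and not part of the original article or of the proxy's own tooling. It assumes an elevated PowerShell prompt and that etl2pcapng.exe is on the PATH (or that its location is passed via the hypothetical -Etl2PcapngPath parameter).

```powershell
# Added example: start -> stop -> convert, with the same netsh parameters as the article.
# Assumptions: elevated prompt; etl2pcapng.exe on PATH or given via -Etl2PcapngPath.
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Downloads\tracing'),
    [string]$Etl2PcapngPath = 'etl2pcapng.exe',
    [int]$MaxSizeMB = 1024
)

$ErrorActionPreference = 'Stop'

# netsh trace needs an elevated prompt; fail early with a clear message instead of a netsh error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an Administrator PowerShell prompt.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl  = Join-Path $OutDir "$env:COMPUTERNAME.etl"
$cab  = Join-Path $OutDir "$env:COMPUTERNAME.cab"
$pcap = Join-Path $OutDir "$env:COMPUTERNAME.pcap"

# Step 1: start the capture into a circular buffer capped at $MaxSizeMB (1024 MB by default).
netsh trace start capture=yes "tracefile=$etl" "maxsize=$MaxSizeMB" filemode=circular
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# Step 2: the capture keeps running in the background; reproduce the problem, then stop it.
Read-Host 'Capture is running. Reproduce the problem, then press Enter to stop'
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Step 3: convert to pcap if etl2pcapng is available; otherwise the .etl and .cab go to support.
$converter = Get-Command $Etl2PcapngPath -ErrorAction SilentlyContinue
if ($converter) {
    & $converter.Source $etl $pcap
} else {
    Write-Warning "etl2pcapng.exe not found; send $etl and $cab for decoding."
}

# List what was produced, with SHA-256 hashes so the recipient can verify the files arrived intact.
Get-ChildItem -Path $etl, $cab, $pcap -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.Name
            SizeMB = [math]::Round($_.Length / 1MB, 2)
            SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } | Format-Table -AutoSize
```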
See the following resources for more information.
- General introduction to network captures using NetSh: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/converting-etl-files-to-pcap-files/ba-p/1133297
- GitHub repository of the conversion tool: https://github.com/microsoft/etl2pcapng