Generating a network trace capture and analyzing with Microsoft Network Monitor

An ex-colleague recently reached out to me for assistance on how he could perform a network trace and analyze it for a particular Citrix Virtual Apps and Desktop environment and the most common tool I usually recommend is Wireshark. The challenge he had was that the Wireshark installation would error out during the NCAP install so attempting to use that tool was not a viable option.

My ex-colleague’s challenge lead me to remember another method I had used in the past (probably more than 5 years ago) where we could use the native netsh trace command to capture an ETL file without requiring any software installation and after successfully testing the process, I thought I’d write a blog post to demonstrate it.

Creating a network trace capture file on the virtual desktop

1. On the VDI, launch the command prompt in administrator mode and start a trace with the following command:

netsh trace start capture=yes tracefile=c:net.etl persistent=yes maxsize=4096

25

2. Replicate issue, note the time stamp, and stop trace with the following command:

netsh trace stop

24

Analyzing the network trace

  1. Download and install Microsoft Network Monitor: https://www.microsoft.com/en-in/download/details.aspx?id=4865
  1. Launch Microsoft Network Monitor and open the ETL file:
  1. Click Tools > Options:

23

Navigate to Parser Profiles tab, right click on Windows and click Set as Active:

22

Drill down to the NDISPacCap node:

21

For the purpose of this demonstration, we’ll be searching for an SMB path that contains the string college.

Click on Load Filter > Standard Filters > SMB > SmbFileName:

20

Update the string to look up and click Apply:

19

Hope this helps anyone who may be looking for a alternative method for capturing network traffic and analyzing it in an environment that may not have Wireshark available.