Wireshark or Netsh Trace?

Wireshark or Netsh Trace?

Wireshark is often the preferred method of doing network captures. However, what if security posture will not allow installing Wireshark on a production server? In this case, we can use the NETSH TRACE command built into Windows. This command works on all Windows machines both client and server.


Consider which machine will receive the network communication that you wish to capture. If a client is unable to connect to a server via SSL, you usually want to capture the SSL handshake which is best done from the client machine. If the issue is in between server components, you will want to capture the traffic from the server.

Here is how to run the command.

  1. Run the command prompt as administrator

  2. Type: netsh trace start capture=yes Note the path to the capture file.

  3. Reproduce the issue that we wish to capture.

  4. Type: netsh trace stop.

  5. This file can be read with Microsoft NetMon or its replacement Microsoft Message Analyzer.

  6. Zip up the file and attach to your case.

Labels (1)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Very cool Dave thanks for sharing.
Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2020-01-30 18:20
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.