How to Capture Traffic on Proxy using NetSh on Windows
Sometimes support may ask you to capture the traffic that passes through the proxy at the network level. This short article explains how to do that with the tools built into Microsoft Windows, so nothing needs to be installed on the proxy server itself.
Start the Capture
To start the capture, open a command prompt as Administrator on the server where Web Filtering Proxy is installed and run the following command (type it as a single line). The %computername% variable expands to the name of the server, so the trace file is named after the host it was taken on.
netsh trace start capture=yes tracefile=.\%computername%.etl maxsize=1024 filemode=circular
The output of the command should indicate that the capture started successfully. Note that the capture runs in the background until you stop it manually, even if you close the command prompt. With filemode=circular and maxsize=1024 only the most recent 1024 MB of traffic are kept, so on a busy proxy stop the capture soon after the problem has been reproduced, otherwise the interesting packets may already have been overwritten.
c:\Users\Administrator.DILADELE\Downloads\tracing>netsh trace start capture=yes tracefile=.\WINPROXY-AD.etl maxsize=1024 filemode=circular
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\WINPROXY-AD.etl
Append: Off
Circular: On
Max Size: 1024 MB
Report: Off
Stop the Capture
Reproduce the problem and then stop the capture by running the following command in the same Administrator command prompt.
netsh trace stop
The output of the command should indicate that the tracing session was stopped and show where the .etl trace file and the .cab file were written. Stopping can take a while, because netsh first merges the trace and then collects additional troubleshooting information into the .cab file.
c:\Users\Administrator.DILADELE\Downloads\tracing>netsh trace stop
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
"c:\Users\Administrator.DILADELE\Downloads\tracing\WINPROXY-AD.cab".
File location = c:\Users\Administrator.DILADELE\Downloads\tracing\WINPROXY-AD.etl
Tracing session was successfully stopped.
Convert and Analyze
Send the two files (WINPROXY-AD.etl and WINPROXY-AD.cab in our case) to support@diladele.com for decoding and analysis. Keep in mind that the .etl file contains the captured packets including any unencrypted payloads, and the .cab file contains additional troubleshooting information collected from the server, so treat both as you would any other sensitive data leaving your organization. If you need to decode the trace yourself, convert it with the etl2pcapng tool linked in the references; the tool always writes the pcapng format, whatever extension you give the output file.
etl2pcapng.exe WINPROXY-AD.etl WINPROXY-AD.pcap
IF: medium=eth ID=0 IfIndex=5 VlanID=0
Converted 7440 frames
The resulting file WINPROXY-AD.pcap can then be opened and analyzed in Wireshark.
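The whole procedure (start the capture, reproduce the problem, stop the capture, convert the trace) can be wrapped in one PowerShell script. The script below is an added example and is not part of the original article or of the Diladele product; it assumes it is run from an elevated PowerShell prompt on the proxy server and that etl2pcapng.exe is on the PATH or passed through the -Etl2PcapNg parameter. The IPv4.Address capture filter is an optional netsh trace parameter used here to narrow the capture to one client; the file names follow the article's %computername% convention.

```powershell
<#
Added example, not from the original article: wraps the netsh trace
start / reproduce / stop / convert steps described above.
Assumptions: elevated PowerShell prompt on the proxy server; etl2pcapng.exe
on PATH or given via -Etl2PcapNg. -ClientIP is optional.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$OutDir     = (Get-Location).Path,
    [int]   $MaxSizeMB  = 1024,
    [string]$ClientIP,                          # optional: capture only traffic to/from this client
    [string]$Etl2PcapNg = 'etl2pcapng.exe'
)

$base = Join-Path $OutDir $env:COMPUTERNAME     # same naming as the article's %computername%
$etl  = "$base.etl"

# netsh allows a single trace session at a time; refuse to start if one is already running
if ((netsh trace show status) -match 'Running') {
    throw "A netsh trace session is already running; stop it with 'netsh trace stop' first."
}

# Same parameters as the article: packet capture on, circular file of at most $MaxSizeMB MB
$startArgs = @('trace', 'start', 'capture=yes', "tracefile=$etl", "maxsize=$MaxSizeMB", 'filemode=circular')
if ($ClientIP) { $startArgs += "IPv4.Address=$ClientIP" }   # optional netsh capture filter
& netsh @startArgs
if ($LASTEXITCODE -ne 0) { throw 'netsh trace start failed (is this an elevated prompt?)' }

Read-Host 'Capture is running. Reproduce the problem now, then press Enter to stop the capture'

# Stopping merges the trace and builds the .cab with extra diagnostics; this can take minutes
& netsh trace stop
if ($LASTEXITCODE -ne 0) { throw 'netsh trace stop failed' }

# Convert locally when etl2pcapng is available; otherwise the .etl/.cab pair goes to support as-is
$converter = Get-Command $Etl2PcapNg -ErrorAction SilentlyContinue
if ($converter) {
    & $converter.Source $etl "$base.pcapng"     # etl2pcapng always writes pcapng
} else {
    Write-Warning "etl2pcapng not found; send $etl and $base.cab to support for decoding"
}

# Print the SHA-256 of every produced file so the recipient can verify the files arrived intact
Get-ChildItem "$base.*" | Get-FileHash -Algorithm SHA256 | Format-Table Path, Hash -AutoSize
```

Run it as `.\capture-proxy.ps1` (or with `-ClientIP 10.0.0.5` to capture only one workstation's traffic) and note the printed hashes in the support ticket together with the files.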
References
See the following resources for more information.
- General introduction to network captures with NetSh and converting ETL files to PCAP: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/converting-etl-files-to-pcap-files/ba-p/1133297
- GitHub repository of the conversion tool: https://github.com/microsoft/etl2pcapng