Command-Line Packet Capture on Windows Without Third-Party Tools: Scripting Source/Dest IP:Port Pairs

Windows actually includes built-in packet capture capabilities through netsh trace, which doesn't require WinPCap or third-party installations. While it's not as full-featured as Wireshark, it can capture the IP:port information you need.

netsh trace start capture=yes tracefile=c:\temp\packetcapture.etl maxsize=100MB
netsh trace stop

The output is in Event Trace Log (ETL) format. You can convert it to text format for analysis:

netsh trace convert input=c:\temp\packetcapture.etl output=c:\temp\packetcapture.txt

Use PowerShell to extract just the TCP/UDP connection information:

$connections = Get-WinEvent -Path C:\temp\packetcapture.etl -Oldest | 
    Where-Object {$_.Id -eq 1001 -or $_.Id -eq 1002} | 
    Select-Object -Property TimeCreated, Message

$connections | Export-Csv -Path C:\temp\network_connections.csv -NoTypeInformation

For more control, use WPR (included in Windows ADK):

wpr -start NetworkCapture -filemode
wpr -stop packetcapture.etl

This PowerShell script extracts source/destination pairs:

$events = Get-WinEvent -Path .\packetcapture.etl -Oldest
$networkEvents = $events | Where-Object { $_.Id -eq 1001 -or $_.Id -eq 1002 }

$connections = foreach ($event in $networkEvents) {
    if ($event.Message -match 'SrcAddr:(\d+\.\d+\.\d+\.\d+).*SrcPort:(\d+).*DstAddr:(\d+\.\d+\.\d+\.\d+).*DstPort:(\d+)') {
        [PSCustomObject]@{
            Timestamp = $event.TimeCreated
            SourceIP = $matches[1]
            SourcePort = $matches[2]
            DestIP = $matches[3]
            DestPort = $matches[4]
        }
    }
}

$connections | Export-Csv -Path connections.csv -NoTypeInformation

The native tools have some limitations:

  • No real-time streaming - captures must be stopped to analyze
  • ETL files can grow large quickly
  • More complex to parse than PCAP

For persistent monitoring, consider scheduling captures in chunks:

# Scheduled task to run every 5 minutes for 1-minute captures
# The %date%/%time% substring offsets assume the en-US short date/time format; adjust them for other locales
$action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c netsh trace start capture=yes tracefile=c:\temp\capture_%date:~10,4%%date:~4,2%%date:~7,2%_%time:~0,2%%time:~3,2%.etl maxsize=50MB && timeout /t 60 /nobreak && netsh trace stop"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName "NetworkCapture" -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest

For high-volume environments or when you need protocol-level inspection, consider these lightweight CLI tools:

  • Nmap's ncat (when in capture mode)
  • RawCap (single exe, no install)
  • Microsoft Message Analyzer (now deprecated but still useful)

For Windows administrators needing lightweight network monitoring, here are built-in approaches that don't require installing WinPcap/Npcap or third-party software:

netsh trace start capture=yes maxsize=500MB tracefile=C:\capture.etl
netsh trace stop

Convert ETL to text format for analysis:

netsh trace convert input=capture.etl output=capture.txt

# Requires LogParser (part of Windows Admin Center)
Get-NetEventSession -Name "PacketCapture" | Remove-NetEventSession -ErrorAction SilentlyContinue
New-NetEventSession -Name "PacketCapture" -LocalFilePath "C:\temp\PacketCapture.etl"
Add-NetEventPacketCaptureProvider -SessionName "PacketCapture" -Level 5
Start-NetEventSession -Name "PacketCapture"

# Stop after 60 seconds
Start-Sleep -Seconds 60
Stop-NetEventSession -Name "PacketCapture"

Command-line alternative with more filtering options:

wpr -start NetworkCapture -filemode
timeout /t 30
wpr -stop C:\network_capture.etl

For IP/port extraction from ETL files:

# PowerShell example to parse network events
$events = Get-WinEvent -Path C:\capture.etl -Oldest | 
    Where-Object {$_.Id -eq 1001 -or $_.Id -eq 1002}

$events | ForEach-Object {
    $props = $_.Properties
    [PSCustomObject]@{
        SourceIP = $props[2].Value
        SourcePort = $props[3].Value
        DestIP = $props[4].Value
        DestPort = $props[5].Value
        Protocol = $props[1].Value
    }
} | Export-Csv -Path network_flows.csv -NoTypeInformation

For firewall-based logging of connection attempts:

# Enable WFP logging
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Parse security logs
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID='5152','5157'
} | Select-Object -Property TimeCreated,Message

  • Native tools capture at higher abstraction layers than raw packets
  • ETW-based captures may miss very short-lived connections
  • For precise timing, consider the Windows Performance Analyzer (WPA) tool
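Both answers end up regex-scraping IP:port pairs out of event text, and the WFP audit route in the second answer is the one that yields a clean connection record per event. The following is an added example, not code from either answer: it turns WFP audit events 5156 (permitted connection) and 5157 (blocked connection) into IP:port rows by reading the labelled fields of the rendered Message, so IPv6 addresses survive where a dotted-quad regex would drop them. The function and helper names are my own, and the two sample messages are constructed in the 5156/5157 layout so the block runs offline.

```powershell
# Added example (not from either answer): WFP audit events -> source/destination IP:port rows.
# 5156 = connection permitted, 5157 = connection blocked; both need the
# "Filtering Platform Connection" audit subcategory enabled (auditpol line above).

function Get-WfpField([string]$Message, [string]$Label) {
    # Each field is rendered as "<Label>:<whitespace><value>" on its own line.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(\S+)") { return $matches[1] }
}

$protocolNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }   # IANA numbers used in the Protocol field

function ConvertFrom-WfpConnectionEvent {
    param([Parameter(ValueFromPipeline)] $Event)   # anything exposing Id, TimeCreated, Message
    process {
        $protocolNumber = [int](Get-WfpField $Event.Message 'Protocol')
        [PSCustomObject]@{
            Timestamp  = $Event.TimeCreated
            Result     = if ($Event.Id -eq 5157) { 'Blocked' } else { 'Permitted' }
            Direction  = Get-WfpField $Event.Message 'Direction'
            SourceIP   = Get-WfpField $Event.Message 'Source Address'   # IPv4 or IPv6, no dotted-quad assumption
            SourcePort = [int](Get-WfpField $Event.Message 'Source Port')
            DestIP     = Get-WfpField $Event.Message 'Destination Address'
            DestPort   = [int](Get-WfpField $Event.Message 'Destination Port')
            Protocol   = if ($protocolNames.ContainsKey($protocolNumber)) { $protocolNames[$protocolNumber] } else { "$protocolNumber" }
        }
    }
}

# Constructed sample messages in the 5156/5157 field layout (not real log data) so this runs offline.
$sample = @(
    [PSCustomObject]@{ Id = 5156; TimeCreated = Get-Date; Message = @'
    Direction:          Outbound
    Source Address:     192.0.2.10
    Source Port:        49152
    Destination Address:    198.51.100.20
    Destination Port:   443
    Protocol:           6
'@ }
    [PSCustomObject]@{ Id = 5157; TimeCreated = Get-Date; Message = @'
    Direction:          Inbound
    Source Address:     2001:db8::1
    Source Port:        53000
    Destination Address:    2001:db8::2
    Destination Port:   3389
    Protocol:           17
'@ }
)
$sample | ConvertFrom-WfpConnectionEvent | Format-Table -AutoSize
```

Against the live log, replace `$sample` with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 }` and pipe the result to `Export-Csv -NoTypeInformation`; 5156 volume can be high on a busy host, so the `maxsize`-style caution from the ETL answers applies to the Security log size as well.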