Replace NETSH TRACE START with PowerShell

Recently as part of studying for my MCSA I have been using Message Analyzer to look at Kerberos exchanges (among other things). Yes, I really know how to party! I usually did this by starting the trace on the KDC (DC) using the good old command:


Followed by this command to stop the trace:

netsh trace stop
This works very well. I also read this great article on TechNet on streamlining remote traces. But being a bit OCD I wondered if there is a PowerShell equivalent to these commands. Well it turns out there is!

The PowerShell Way

The equivalent CmdLets to starting a trace are:

# netsh trace start
New-NetEventSession -Name "Capture" -CaptureMode SaveToFile -LocalFilePath "e:\mytrace.etl"
Add-NetEventPacketCaptureProvider -SessionName "Capture" -Level 4 -CaptureType Physical
Start-NetEventSession -Name "Capture"

And to stop the trace:

# netsh trace stop
Stop-NetEventSession -Name "Capture"
Remove-NetEventSession -Name "Capture"

Unfortunately this is a bit more verbose than the NETSH equivalent. It is also a bit of a pity the CmdLets aren’t written so the output of one can be piped to the next. But we can’t have everything.

More Features

The Add-NetEventPacketCaptureProvider cmdlet also provides additional parameters to restrict what will be captured – for example:

Add-NetEventPacketCaptureProvider -SessionName "Capture" -Level 4 -CaptureType Physical -EtherType 0x0800 -IPAddresses "<host IP address>" -IpProtocols 6,17

Will cause the trace to capture only IPv4 traffic to/from the specified address for TCP (6) and UDP (17).
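The three start cmdlets and two stop cmdlets above are one procedure, and the pieces that matter operationally are that the session is always torn down (a session left behind keeps writing to disk and blocks the next one with the same name) and that the provider filter is applied before the session starts. The function below is an added example, not code from the original post: it wraps the same NetEventPacketCapture cmdlets in a try/finally so the session is stopped and removed even if the capture is interrupted, and builds the provider filter from optional parameters. The function name, its parameters and the sample addresses are my own; as with netsh trace, it must run in an elevated PowerShell session.

```powershell
# Added example (not from the original post): the netsh trace start/stop
# lifecycle as a single function built on the NetEventPacketCapture cmdlets.
# Function and parameter names are assumptions made for this example.
function Invoke-NetEventCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TraceFile,   # e.g. "e:\mytrace.etl"
        [int]$DurationSeconds = 60,                 # how long to capture
        [string]$SessionName = "Capture",
        [string[]]$IPAddresses,                     # optional: only traffic to/from these hosts
        [byte[]]$IpProtocols = @(6, 17)             # TCP and UDP by default
    )

    # Refuse to clobber a session somebody else is still using.
    if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
        throw "A NetEvent session named '$SessionName' already exists; stop and remove it first."
    }

    try {
        # netsh trace start: define the session, attach the packet capture
        # provider with its filter, then start capturing.
        New-NetEventSession -Name $SessionName -CaptureMode SaveToFile -LocalFilePath $TraceFile | Out-Null

        $providerArgs = @{
            SessionName = $SessionName
            Level       = 4
            CaptureType = "Physical"
            EtherType   = 0x0800        # IPv4 frames only
            IpProtocols = $IpProtocols
        }
        if ($IPAddresses) { $providerArgs.IPAddresses = $IPAddresses }
        Add-NetEventPacketCaptureProvider @providerArgs | Out-Null

        Start-NetEventSession -Name $SessionName
        Write-Verbose "Capturing to $TraceFile for $DurationSeconds seconds"
        Start-Sleep -Seconds $DurationSeconds
    }
    finally {
        # netsh trace stop: always stop, then remove the session definition,
        # even if Ctrl+C or an error interrupted the capture above.
        Stop-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
    }

    # Return the trace file so the caller can open it in Message Analyzer.
    Get-Item -Path $TraceFile
}

# Usage: two-minute capture of IPv4 TCP/UDP between this host and one client
# (192.168.0.10 is a constructed sample address).
# Invoke-NetEventCapture -TraceFile "e:\mytrace.etl" -DurationSeconds 120 -IPAddresses "192.168.0.10" -Verbose
```

The splatted hashtable is how I get round the lack of pipelining the post mentions: the session name is passed once and reused by every cmdlet. The -ErrorAction SilentlyContinue in the finally block is deliberate, so that a session which never started (for example because Add-NetEventPacketCaptureProvider rejected a parameter) can still be removed without masking the original error.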

Remote Capture via RPC

Looking at the documentation for the New-NetEventSession cmdlet, it seems that it is possible to have the trace output sent to a remote host via RPC and then captured directly by Message Analyzer. I haven’t been able to get this to work as yet. Figuring out how this works and getting it going is going to be my next project (between studying for the next exam).


2 thoughts on “Replace NETSH TRACE START with PowerShell”

    • Hi there,

      It doesn’t look like the cmdlet supports setting a filter on subnet. The only way I can see would be to capture everything and then filter the capture afterwards. However, depending on the size of the subnet you might be able to generate an array of strings. For example:
      Add-NetEventPacketCaptureProvider -SessionName "Capture" -IPAddresses ((0..255).foreach( { "192.168.0.$_" } ))

      This would capture everything in the Class C network 192.168.0.* – however, this might not work because there could be an undocumented limit on the number of IP addresses passed into the IPAddresses parameter.

      Hope that helps!
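The reply above hard-codes a /24 with (0..255). As an added example that is not part of the original post or the reply, the helper below generalises that trick to any IPv4 prefix: it computes the network and broadcast addresses from the CIDR notation, emits only the host addresses in between, and caps the prefix length so the list stays small enough to be a plausible filter (the reply's caveat about an undocumented limit on the IPAddresses parameter is exactly why). The function name, the prefix range and the sample subnet are assumptions of this example.

```powershell
# Added example (not from the original post or the reply): expand a CIDR
# prefix into the host addresses it contains, suitable for -IPAddresses.
# The name and the /24-/30 restriction are choices made for this example.
function ConvertTo-HostAddressList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$')]
        [string]$Cidr                                  # e.g. "192.168.0.0/24"
    )

    $network, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    # Keep the filter list manageable: /24 gives 254 hosts, /30 gives 2.
    if ($prefix -lt 24 -or $prefix -gt 30) {
        throw "Prefix /$prefix not supported; use /24 to /30 to keep the address list small."
    }

    $octets = $network.Split('.') | ForEach-Object { [long]$_ }
    if ($octets | Where-Object { $_ -gt 255 }) { throw "Invalid IPv4 address: $network" }

    # Work in 64-bit integers so the shifts never sign-extend.
    $allOnes = [long]4294967295
    $addr    = ($octets[0] -shl 24) -bor ($octets[1] -shl 16) -bor ($octets[2] -shl 8) -bor $octets[3]
    $mask    = ($allOnes -shl (32 - $prefix)) -band $allOnes
    $netBase = $addr -band $mask                       # network address
    $bcast   = $netBase -bor ($allOnes -bxor $mask)    # broadcast address

    # Hosts are strictly between network and broadcast.
    for ($i = $netBase + 1; $i -lt $bcast; $i++) {
        '{0}.{1}.{2}.{3}' -f (($i -shr 24) -band 255), (($i -shr 16) -band 255), (($i -shr 8) -band 255), ($i -band 255)
    }
}

# Usage: restrict the capture provider to one subnet (192.168.0.0/24 is a
# constructed sample; a session named "Capture" is assumed to exist).
# $hosts = ConvertTo-HostAddressList -Cidr "192.168.0.0/24"   # 192.168.0.1 .. 192.168.0.254
# Add-NetEventPacketCaptureProvider -SessionName "Capture" -Level 4 -CaptureType Physical -IPAddresses $hosts
```

If the provider does reject a long list, halving the prefix range (or splitting the subnet across two captures) is the practical test for the limit the reply mentions.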

