via Friday Mail Sack: Gargamel Edition – Ask the Directory Services Team – TechNet Blogs.
A cool method that is too small to rate a full blog post: if you need to get a network capture on a Windows 7 or Windows Server 2008 R2 computer and you do not have or want Netmon installed, you can use NETSH.EXE.
From an elevated CMD prompt run:
netsh trace start capture=yes tracefile=c:\yourcapture.etl
Do whatever you needed to do
netsh trace stop
Boom – network capture, written in ETL format.
Open that file in Netmon 3.4 and you get all the usual capture info, plus other conversation and process info. AND other cool stuff – open the CAB file it created and you find a bunch of useful files with IP info, firewall event logs, applied group policies, driver versions, and more. All the goo I gather manually when I am getting a capture. Sweet!
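The start/do-something/stop procedure above, wrapped in a PowerShell script so it can be repeated consistently. This is an added example, not code from the original post or from Microsoft: it assumes netsh.exe is on the PATH, that the script runs from an elevated session on Windows 7 / Server 2008 R2 or later, and that C:\Captures is an acceptable output directory. The maxsize and overwrite parameters are real netsh trace start options that the post does not mention; they are included so a forgotten capture cannot fill the disk. The name-resolution call stands in for the "do whatever you needed to do" step.

```powershell
# Added example (not from the original post): scripted netsh trace capture.
# Assumes an elevated PowerShell session and netsh.exe on the PATH.
param(
    [string]$TraceDir = 'C:\Captures',   # assumed output directory
    [string]$Name     = 'yourcapture'    # base file name, as in the post
)

# netsh trace requires elevation; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$traceFile = Join-Path $TraceDir ("{0}-{1}.etl" -f $Name, $stamp)

# Step 1: start the capture. capture=yes enables packet capture and
# tracefile= sets the ETL path, exactly as in the post. maxsize (in MB)
# and overwrite=yes are extra netsh trace parameters not shown there.
netsh trace start capture=yes tracefile="$traceFile" maxsize=250 overwrite=yes
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed with exit code $LASTEXITCODE"
}

try {
    # Step 2: "do whatever you needed to do". Reproduce the problem here.
    # Stand-in activity for this example: a name lookup and a short wait.
    [System.Net.Dns]::GetHostAddresses('localhost') | Out-Null
    Start-Sleep -Seconds 5
}
finally {
    # Step 3: always stop the trace, even if the reproduction step throws,
    # otherwise the session keeps tracing until the machine reboots.
    netsh trace stop
}

# netsh trace stop writes the ETL plus a CAB of supporting files next to it
# (IP configuration, firewall logs, applied policies, driver versions, ...).
$cabFile = [IO.Path]::ChangeExtension($traceFile, '.cab')
foreach ($f in @($traceFile, $cabFile)) {
    if (Test-Path $f) {
        $len = (Get-Item $f).Length
        Write-Host ("{0}  {1:N0} bytes" -f $f, $len)
    } else {
        Write-Warning "Expected output not found: $f"
    }
}
```

Because the CAB bundles firewall event logs, applied group policies and network configuration alongside the packet data, treat both files as sensitive: keep them in a directory readable only by administrators and delete them once the analysis in Netmon is finished.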