Question

I wish to do a network trace on an app to see how it's interacting with the WLAN (scenario). The resulting capture has way too much information and I'd like to focus only on how a specific app communicates with WLAN. Is there some other software that will allow me to do this? Also, it would help if someone explained the concept of scenarios and providers. Thanks!


Solution

If you want to capture the network traffic on an application level, it's Microsoft Network Monitor, or if you want to go to a deeper level, try Wireshark, which has extensive filtering capabilities.

OTHER TIPS

You can add filters to the netsh trace, but filtering by application or even port is not an option. I've found that filtering traffic to and from specific IP addresses is often enough. That, combined with the time filtering when loading into Message Analyzer, usually works to narrow down the scope of the problem.

Here is a PowerShell script I use to start a new capture that only contains traffic between the local system and two remote IP addresses (10.0.2.1 and 10.0.3.1). Note the local IP address is found using Get-NetIPAddress and looking for a NIC named *-TEAM.

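```powershell
# Trace file named after the local computer
$filename = "c:\captures\${env:computername}_netsh_trace.etl"
# Address list in netsh filter syntax: local IPv4 address of the *-TEAM NIC plus the two remote hosts
$IPs = "({0},10.0.2.1,10.0.3.1)" -f (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias *-TEAM).IPAddress
# Circular 2048 MB capture limited to IPv4 traffic between the listed addresses
netsh trace start capture=yes tracefile=$filename maxsize=2048 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=$IPs IPv4.DestinationAddress=$IPs Ethernet.Type=IPv4
```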

You then use netsh trace stop to stop the capture and then open the etl file in Microsoft Message Analyzer. If you want to load only a specific time range or add other filters you can use File -> New Session -> Files and then specify your options like so:

[Image: Microsoft Message Analyzer Filter Options]
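Since netsh trace cannot filter by application, one way to approximate it is to build the IP filter from the addresses one process is currently connected to. The following is an added example, not part of the original answer; the process name `myapp` and the folder `C:\captures` are assumptions, and it reuses the netsh options from the script above.

```powershell
# Added example: derive the netsh trace IP filter from one process's live TCP connections.
# Assumptions: the application runs as 'myapp' (hypothetical name) and captures go to C:\captures.
# Run from an elevated PowerShell prompt; netsh trace requires administrator rights.
$ProcessName = 'myapp'
$CaptureDir  = 'C:\captures'

function Get-AppTraceFilter {
    param([Parameter(Mandatory)][string]$Name)

    # All instances of the process; stop with an error if it is not running
    $procIds = (Get-Process -Name $Name -ErrorAction Stop).Id

    # Established connections owned by those PIDs, skipping IPv6 and loopback peers
    $conns = Get-NetTCPConnection -OwningProcess $procIds -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch ':' -and $_.RemoteAddress -notlike '127.*' }
    if (-not $conns) {
        throw "No established IPv4 connections found for '$Name'."
    }

    # Local and remote endpoints go into one list, as in the original script,
    # because the same list is used for both the source and destination filter
    $addresses = @($conns.LocalAddress) + @($conns.RemoteAddress) | Sort-Object -Unique
    '({0})' -f ($addresses -join ',')
}

$filter   = Get-AppTraceFilter -Name $ProcessName
$filename = Join-Path $CaptureDir "${env:COMPUTERNAME}_${ProcessName}_netsh_trace.etl"
New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

Write-Host "Capturing traffic for addresses $filter into $filename"
netsh trace start capture=yes tracefile=$filename maxsize=2048 filemode=circular overwrite=yes report=no correlation=no "IPv4.SourceAddress=$filter" "IPv4.DestinationAddress=$filter" Ethernet.Type=IPv4
```

The filter is a snapshot: connections the app opens later to new addresses are not captured, UDP endpoints are not considered, and traffic from other processes to the same hosts is still included.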

Licensed under: CC-BY-SA with attribution