

I'm using the Windows platform tool named "netsh" to do the packet capture.
But I can't filter a specified port even when I REALLY do the correct configuration.

I'm using the following command to start a packet capture task:

netsh trace start capture=yes overwrite=yes correlation=no traceFile=file.dump CaptureInterface=Ethernet0 IPv4.Address=10.130.161.1 protocol=TCP providerFilter=yes provider=Microsoft-Windows-TCPIP TCP.AnyPort=443

As you can see, I set TCP.AnyPort=443 to specify the port. I took this option from the command's inline help by running the command:

netsh trace show providerFilterHelp Microsoft-Windows-TCPIP

So I don't know why this isn't working.

scugxl

1 Answer


It seems like you are doubling up on filter types and this might be causing the strange behavior you're experiencing.

Also, I found where you asked the question on TechNet, and it seems like using the TCPIP provider may be limiting your results as well.

Could you drop down the complexity to the following command:

netsh trace start report=yes level=5 capture=yes Ethernet.Type=IPv4 IPv4.Address=10.130.161.1

And see if that reduces the number of results to later filter through in Message Analyzer to a more reasonable number?

You may wish to add the CaptureMultiLayer=yes switch to your command as well as this may also help catch the information that you're trying to get.

rtw
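The simplified capture the answer proposes, wrapped in a short PowerShell script as an added example (not code from the question or the answer): it checks for elevation, starts the capture-filter-only trace with CaptureMultiLayer=yes, stops it after a fixed window and converts the ETL to text. The trace file path and capture duration are assumed values; the host address is the one from the question.

```powershell
# Added example, not from the original post. Assumed values: output path and
# capture window. netsh trace must run from an elevated shell.
param(
    [string]$HostAddress = '10.130.161.1',          # address from the question
    [string]$TraceFile   = "$env:TEMP\capture.etl", # assumed output path
    [int]$Seconds        = 60                       # assumed capture window
)

# Fail early instead of producing an empty trace from a non-elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Capture filter only (no providerFilter / TCP.AnyPort), as the answer suggests,
# with CaptureMultiLayer=yes so frames are recorded at every layer they pass.
netsh trace start capture=yes report=yes level=5 overwrite=yes `
    CaptureMultiLayer=yes Ethernet.Type=IPv4 "IPv4.Address=$HostAddress" `
    "traceFile=$TraceFile"
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed with exit code $LASTEXITCODE"
}

try {
    Write-Host "Capturing traffic to/from $HostAddress for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, even if the wait is interrupted with Ctrl+C.
    netsh trace stop
}

# Convert the ETL to plain text so it can be inspected without Message Analyzer.
$TextFile = [System.IO.Path]::ChangeExtension($TraceFile, '.txt')
netsh trace convert "input=$TraceFile" "output=$TextFile" dump=TXT
Write-Host "Trace written to $TraceFile and $TextFile"
```

Port filtering on the resulting text or ETL is then done after the fact in Message Analyzer (or by searching the converted text), rather than with a provider filter at capture time.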