As already mentioned, the best way to capture network activity during a (re)boot is from outside the computer, using a tap (or monitor port). And when using dumpcap you will miss some initial packets.
But Windows has a built-in capturing mechanism: netsh trace. When used with the 'persistent' option it will "survive" a reboot. Then the first captured frame after a reboot is Windows' initial DHCP request (or ARP if you don't use DHCP).
The netsh trace command is:
netsh trace start persistent=yes capture=yes maxSize=0 fileMode=single report=disabled tracefile=c:\temp\nettrace-boot.etl
Stop with:
netsh trace stop
The ETL file can be converted into a PCAPNG using etl2pcapng on GitHub.
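To check that a converted boot trace starts where the answer above says it should, the following added example (not part of the original answer) reads a PCAPNG file and classifies its first Ethernet frame as DHCP, ARP or other. It assumes a little-endian PCAPNG with an Ethernet link type; the function names and the sample bytes are constructed for illustration.

```python
import struct

def blocks(data):
    """Yield (type, body) for each block of a little-endian pcapng file."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            break  # truncated or corrupt block: stop instead of misparsing
        yield btype, data[off + 8:off + blen - 4]
        off += blen

def classify(frame):
    """Return 'DHCP', 'ARP' or 'other' for one Ethernet frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else None
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= 34 and frame[23] == 17:  # IPv4 + UDP
        udp = 14 + (frame[14] & 0x0F) * 4          # skip the IPv4 header
        if len(frame) >= udp + 4 and set(struct.unpack_from("!HH", frame, udp)) == {67, 68}:
            return "DHCP"
    return "other"

def first_frame(data):
    """Classify the first Ethernet packet in the capture (None if there is none)."""
    linktypes = []
    for btype, body in blocks(data):
        if btype == 0x0A0D0D0A:                     # Section Header Block
            if body[:4] != b"\x4d\x3c\x2b\x1a":
                raise ValueError("not a little-endian pcapng section")
            linktypes = []                          # interface IDs restart per section
        elif btype == 1 and len(body) >= 2:         # Interface Description Block
            linktypes.append(struct.unpack_from("<H", body)[0])
        elif btype == 6 and len(body) >= 20:        # Enhanced Packet Block
            iface, caplen = struct.unpack_from("<I8xI", body)
            if iface < len(linktypes) and linktypes[iface] == 1:  # Ethernet only
                return classify(body[20:20 + caplen])
    return None

def _block(btype, body):
    body += b"\x00" * (-len(body) % 4)              # pad body to 32 bits
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

# Constructed sample (not a real capture): one broadcast frame, UDP 68 -> 67.
FRAME = (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01\x08\x00"
         + bytes.fromhex("4500001c000000008011000000000000ffffffff") + struct.pack("!HHHH", 68, 67, 8, 0))
SAMPLE = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _block(1, struct.pack("<HHI", 1, 0, 0))
          + _block(6, struct.pack("<5I", 0, 0, 0, len(FRAME), len(FRAME)) + FRAME))
```

For a real trace, pass the bytes of the converted file to `first_frame`; a result of "other" or `None` suggests the capture did not start before the first DHCP or ARP exchange, or that the first interface is not Ethernet.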