As already mentioned, the best way to capture network activity during a (re)boot is from outside the computer, using a tap (or monitor port). And when using dumpcap you will miss some initial packets.

But Windows has a built-in capturing mechanism: netsh trace. When used with the 'persistent' option it will "survive" a reboot. Then the first captured frame after a reboot is Windows' initial DHCP request (or ARP if you don't use DHCP).

The netsh trace command is:

netsh trace start persistent=yes capture=yes maxSize=0 fileMode=single report=disabled tracefile=c:\temp\nettrace-boot.etl

Stop with:

netsh trace stop

The ETL file can be converted into a PCAPNG using etl2pcapng on GitHub.
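
The steps above combined into a two-phase PowerShell script. This is an added example, not part of the original answer. The script's `-Phase` parameter and the location of `etl2pcapng.exe` are assumptions; the netsh options are the ones given in the answer.

```powershell
# Added example: boot-time capture with netsh trace, run once before the
# reboot (-Phase Start) and once after it (-Phase Stop).
param(
    [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Phase,
    [string]$TraceFile  = 'c:\temp\nettrace-boot.etl',
    [string]$Etl2Pcapng = 'c:\tools\etl2pcapng.exe'   # assumed download location
)

$ErrorActionPreference = 'Stop'

# netsh trace requires an elevated session
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if ($Phase -eq 'Start') {
    # Make sure the output directory exists and keep any earlier trace
    $dir = Split-Path -Parent $TraceFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    if (Test-Path $TraceFile) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Move-Item $TraceFile ([IO.Path]::ChangeExtension($TraceFile, "$stamp.etl"))
    }

    # maxSize=0 removes the size limit, so the file grows until the trace is
    # stopped; run the Stop phase soon after the reboot.
    netsh trace start persistent=yes capture=yes maxSize=0 fileMode=single `
        report=disabled "tracefile=$TraceFile"
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }
    Write-Host 'Trace armed. Reboot, then run this script with -Phase Stop.'
}
else {
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit $LASTEXITCODE)" }

    # Convert the ETL file to PCAPNG so Wireshark can open it
    if (-not (Test-Path $Etl2Pcapng)) { throw "etl2pcapng not found at $Etl2Pcapng" }
    $pcap = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
    & $Etl2Pcapng $TraceFile $pcap
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit $LASTEXITCODE)" }
    Write-Host "Wrote $pcap"
}
```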