Of course the best way to capture initial network activity is from outside the device, using a tap or a monitor port on a switch.
Regarding Windows:
Windows has a built-in tool, 'netsh trace', that allows you to start capturing as soon as an interface starts up, thus capturing the OS's first DHCP or ARP requests on that interface and incoming traffic.
See also the answer to a similar question: Is there a way for wireshark to start upon computer startup
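
The following script is an added example, not part of the original answer. It shows one way to arm `netsh trace` so the capture survives a reboot and is already running when the interface comes up. The trace path, the 512 MB size limit and the optional use of Microsoft's separate `etl2pcapng` converter are assumptions.

```powershell
# Added example: boot-time packet capture with netsh trace.
# Usage:  .\BootTrace.ps1 -Phase Start   (then reboot)
#         .\BootTrace.ps1 -Phase Stop    (after logging back in)
param(
    [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Phase,
    [string]$TraceFile = 'C:\Traces\boot.etl'   # assumed location
)

# netsh trace only works from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh trace requires an elevated session.'
}

if ($Phase -eq 'Start') {
    New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

    # capture=yes     record packets, not only ETW provider events
    # persistent=yes  resume the trace automatically after a reboot
    # filemode=single stop writing when maxsize is reached, so the earliest
    #                 (boot-time) packets are kept; circular would overwrite them
    netsh trace start capture=yes persistent=yes tracefile="$TraceFile" `
        maxsize=512 filemode=single overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

    netsh trace show status
    Write-Host 'Trace armed. Reboot, then run this script with -Phase Stop.'
}
else {
    # Stopping flushes the ETL file; this can take a while.
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed ($LASTEXITCODE)" }

    # Wireshark does not read ETL directly. If etl2pcapng.exe is on PATH
    # (assumption), convert the trace to pcapng next to the original.
    $converter = Get-Command etl2pcapng.exe -ErrorAction SilentlyContinue
    if ($converter) {
        $pcap = [IO.Path]::ChangeExtension($TraceFile, 'pcapng')
        & $converter.Source $TraceFile $pcap
        Write-Host "Converted capture written to $pcap"
    }
    else {
        Write-Host "Trace saved to $TraceFile (convert it to pcapng before opening in Wireshark)."
    }
}
```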