You can use the Windows netsh trace command to start a capture at boot time and then subsequently stop the capture and convert it from an ETL to a pcap file for viewing with Wireshark.
Getting the correct options for "netsh trace" isn't easy; check the documentation here.
Capturing boot time traffic is often easier if done off the target machine, e.g. with a port mirror or SPAN on the switch or an in-line tap.
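The netsh trace procedure described above, as an added example that is not part of the original answer: a two-phase PowerShell script that arms a persistent capture before the reboot and stops and converts it afterwards. The script's parameter names, the `C:\Traces` directory, and the use of Microsoft's etl2pcapng at `C:\Tools\etl2pcapng.exe` as the converter are assumptions.

```powershell
# Added example: boot-time capture with "netsh trace" in two phases.
#   .\BootCapture.ps1 -Phase Arm       (before the reboot)
#   .\BootCapture.ps1 -Phase Collect   (after the reboot)
# The script name, paths and converter location are assumptions, not from the answer.
param(
    [Parameter(Mandatory)][ValidateSet('Arm', 'Collect')][string]$Phase,
    [string]$TraceDir  = 'C:\Traces',               # assumed output directory
    [string]$Converter = 'C:\Tools\etl2pcapng.exe'  # assumed install path of etl2pcapng
)

$ErrorActionPreference = 'Stop'
$etl    = Join-Path $TraceDir 'boot.etl'
$pcapng = Join-Path $TraceDir 'boot.pcapng'

# netsh trace only works from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

switch ($Phase) {
    'Arm' {
        New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
        # persistent=yes resumes the trace after a reboot; the circular file with a
        # maxsize (in MB) keeps a long boot from filling the disk.
        netsh trace start capture=yes persistent=yes tracefile="$etl" `
            maxsize=512 filemode=circular overwrite=yes
        if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit $LASTEXITCODE)" }
        Write-Host 'Trace armed. Reboot, then run this script with -Phase Collect.'
    }
    'Collect' {
        # Stopping also ends persistence, so the trace does not restart on the next boot.
        netsh trace stop
        if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit $LASTEXITCODE)" }
        if (-not (Test-Path $etl)) { throw "Expected trace file not found: $etl" }

        # etl2pcapng takes the input ETL and the output pcapng as its two arguments.
        & $Converter $etl $pcapng
        if ($LASTEXITCODE -ne 0) { throw "ETL conversion failed (exit $LASTEXITCODE)" }
        Write-Host "Open $pcapng in Wireshark."
    }
}
```

The capture holds everything the machine sent and received during boot, so treat the ETL and pcapng files as sensitive and delete them when the analysis is done.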