Capture a Network Trace

If you need to capture a network trace or TCP dump of a client or server, here are some simple ways I usually use to do this:

Capture a Fiddler trace

   1) Install Fiddler from http://www.telerik.com/download/fiddler/fiddler4 if not already done.
   2) Launch Fiddler, then click Tools > Options.
   3) Click the 'HTTPS' tab.
   4) Verify the options on the HTTPS tab are set as follows:
      a. Confirm that 'Decrypt HTTPS traffic' is checked.
      b. If Fiddler prompts you to trust its root certificate, click 'Yes'.
   5) Reproduce the issue while Fiddler is capturing traffic.
   6) Once the issue is reproduced and the trace is captured, go to File and uncheck 'Capture Traffic', then click File > Save > All Sessions; the trace is saved as a .saz file.

Capture a Network Monitor trace

   1) Download Network Monitor from this link: http://www.microsoft.com/en-us/download/details.aspx?id=4865
   2) Install Network Monitor on the machine.
   3) After installing Network Monitor 3.4, run Start -> All Programs -> Microsoft Network Monitor 3.4 -> Microsoft Network Monitor 3.4 as an administrator.
   4) Click the New Capture button on the Network Monitor console, then click Start on the capture page.
   5) Reproduce the issue.
   6) Stop Network Monitor by clicking Stop on the console, then click Save As to save the file as a .cap file.

Capture a Network Trace without installing anything

   1) Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).
   2) Reproduce the issue, or reboot if you are tracing a slow-boot scenario.
   3) Open an elevated command prompt and run: "netsh trace stop".

Capture a TCPDump

   1) Find the head node host with the command: ping headnodehost. Here is an example for an HDInsight cluster:

On this cluster it is hn1 at this time.

   2) Switch to the root user:
      sudo su

   3) Capture the tcpdump file, rotating every 300 seconds, on port 10002:
      tcpdump -G 300 -w %Y_%m%d_%H%M_%S.pcap port 10002

Note: Make sure to stop tcpdump (Ctrl + C) after the capture is finished, otherwise the disk will fill up with pcap files.
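As an added example (not code from the original post), a small Python checker for the .pcap files tcpdump writes: it parses the classic pcap header and records, counts packets, flags packets cut short by the snaplen, and reports a partial trailing record left behind when the capture was stopped mid-write. The sample input is constructed inline; the `*.pcap` glob in the `__main__` block is an assumption about where the rotated files sit.

```python
import glob
import struct

PCAP_MAGIC = 0xa1b2c3d4     # classic microsecond-resolution pcap
PCAP_MAGIC_NS = 0xa1b23c4d  # nanosecond variant of the same format

def summarize_pcap(data: bytes) -> dict:
    """Parse one classic (non-pcapng) pcap blob and return capture statistics."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or other format)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    stats = {"linktype": linktype, "snaplen": snaplen, "packets": 0,
             "captured_bytes": 0, "wire_bytes": 0, "truncated": 0, "partial_tail": 0}
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if incl > snaplen:
            raise ValueError(f"record at offset {pos} longer than snaplen: corrupt file")
        if pos + 16 + incl > len(data):   # capture stopped mid-record: keep what parsed so far
            break
        stats["packets"] += 1
        stats["captured_bytes"] += incl
        stats["wire_bytes"] += orig
        if incl < orig:                   # snaplen cut this packet short
            stats["truncated"] += 1
        pos += 16 + incl
    stats["partial_tail"] = len(data) - pos   # bytes of an incomplete final record, if any
    return stats

def make_sample_pcap(snaplen: int = 64) -> bytes:
    """Constructed test input: little-endian pcap, Ethernet, one full and one truncated packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for wire_len in (60, 200):
        incl = min(wire_len, snaplen)
        out += struct.pack("<IIII", 1700000000, 0, incl, wire_len) + b"\x00" * incl
    return out

if __name__ == "__main__":
    # Summarise every rotated file tcpdump -G left in the current directory (assumed location).
    for path in sorted(glob.glob("*.pcap")):
        with open(path, "rb") as fh:
            print(path, summarize_pcap(fh.read()))
```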
