Wireless Tracing: Basic Interpretation of netsh tracing using MS Netmon – Part 2

So many clients machine still run windows?

Will you be ever see an age that has MAC or Linux domination on the client end, maybe never !

So I thought, this blog post might be a good start to get some hands-on on Windows Wireless troubleshooting.

Everyone is like: I have only limited options, it’s Windows !

I say: The road is not that narrow as you think it is. Look beyond the horizon.

A ran into Netmon a few years back and since then, it has fascinated me. I considered wireless captures to be impossible without additional hardware/software on Windows.

A great recap to that knowledge can be found right up the alley of CTS:


Great Work there by CWNEs : François (@VergesFrancois) and Rowell (@rowelldionicio)

Now, here is how you get started:

Psst , we don’t need Monitor mode here.

(CMD access with admin privileges are needed)

How to trigger/start tracing:

netsh trace start scenario = wlan tracefile=wlanwpp.etl

2018-08-28 00_59_32-Command Prompt

Stop tracing:

netsh trace stop

2018-08-28 00_59_56-Select Administrator_ Command Prompt.png

The usual location is the Users directory.

The Netmon software (Archived) can be grabbed from : https://www.microsoft.com/en-in/download/details.aspx?id=4865

Open the file with extension as “.etl”.

File — Open — Capture should help you navigate to the file.

If you see any parser errors, you might want to enable the right parser profiles in Tools — Options.

Note: The Windows parser profile should be set as active.

2018-08-29 00_17_20-Options.png

In this post, I would like to start with something simple enough.

In case of WPA2 PSK, if you enter the wrong passphrase, the conversation will never go past M1 and M2 in the context of the 4 way Handshake. We know this !

If you don’t go get you CWNA or CWSP https://www.cwnp.com/it-certifications

Learn more about the 4 way handshake:

DEEPDIVE into the wireless 4 way handshake

Posted by Network Lobby by Eddy on Sunday, September 25, 2016

Did you know that Windows 10 tries for 4 x 5 (20) times before giving up?

I don’t think its a adapter thing but more of an OS thing; I will check this on another adpater and share an update.

Here is a snippet of what and where to look for?

2018-08-29 01_42_19-Microsoft Network Monitor 3.4 - C__Users_colli_wlanwpp.etl(Converted).png

A more detailed view on what to look at in that cluttered view:

2018-08-29 01_42_19-Microsoft Network Monitor 3.4 - C__Users_colli_wlanwpp.etl(Converted).png

As you can see in the above screenshot, I was trying to connect to an SSID called Bunker and my Qualcomm Atheros adapter is also specified here.

Scrolling down, we can observe more details:

2018-08-29 01_46_40-Microsoft Network Monitor 3.4 - C__Users_colli_wlanwpp.etl(Converted).png

It’s a PSK based, CCMP protected SSID which is operating in BSS type Infra and not in adhoc mode.

What follows shows the PSK error, where I typed in the wrong pre-shared key. One can also see the M1 and M2 frames in the below snippet.

2018-08-29 01_50_14-Edit Post ‹ Enterprise Networking - The Big Picture — WordPress.com.png

and finally a successful connection with all M1, M2, M3 and M4 frames:

2018-08-29 01_54_40-Microsoft Network Monitor 3.4 - C__Users_colli_wlanwpp.etl(Converted).png

To conclude, there is a lot to derive from these traces, sometimes even as much as a 802.11 trace.

You just need to know the basics and know where to look for it.


Hope this was informational !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s