How To
Summary
Sometimes the preferred network trace tools, such as Fiddler and Wireshark, cannot be used because of security constraints. In these cases you can turn to Netsh, a tool built into the Windows operating system.
Objective
Environment
Steps
1. Run the Command Prompt (CMD) as Administrator.
2. Enter the following Netsh command at the elevated command prompt:
netsh trace start capture=yes packettruncatebytes=512 tracefile=C:\%computername%.etl maxsize=1000 filemode=circular overwrite=yes report=no
NOTE: To change the name and location of the saved file, modify the string after "tracefile=".
3. Once the Netsh command is run, it continues to capture network traces in the background. Once the trace file reaches its limit of 1 GB (maxsize=1000), the oldest captured data is overwritten because the capture runs in circular mode.
4. Once the intermittent issue occurs, stop the trace immediately. This prevents the relevant capture data from being overwritten.
5. To stop the Netsh trace capture, enter the following command at the elevated command prompt:
netsh trace stop
IMPORTANT!!!
The stop process might take some time to complete. Please wait until the command reports that it has finished; otherwise the data cannot be analyzed because the trace correlation is missing.
6. Once the trace has finished compiling, it creates two output files in the specified directory (in this case C:\). The two output files are an .etl file and a .cab file. If the trace name is unchanged, the two files are Trace.etl and trace.cab.
IMPORTANT!!!
Before uploading to IBM's Microsoft Support, convert the ETL file into a PCAP. Because Microsoft's Message Analyzer is no longer available, we suggest ETL2PCAPNG, which takes the ETL file generated by NETSH and converts it into the newer version of the CAP format, called PCAPNG. Wireshark can read this format, and Wireshark is what IBM uses for analysis.
You can download the etl2pcapng tool, created by Microsoft developer Matt Olsen, from GitHub. The current release is v1.11.0. Further information is in Microsoft's article "Converting ETL Files to PCAP Files".
Next, upload the converted Trace.etl and trace.cab to IBM's secure upload site https://www.secure.ecurep.ibm.com/app/upload under your case number.
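The steps above, wrapped in one PowerShell script as an added example (this is not part of the IBM document). It assumes an elevated PowerShell session and that etl2pcapng.exe has been unpacked to the path in $Etl2Pcapng; the trace parameters are the same as in step 2, so only the first 512 bytes of each frame are kept, which limits how much application payload ends up in the .etl and .cab files you upload.

```powershell
# Added example, not part of the IBM document. Run from an elevated PowerShell session.
# Assumption: etl2pcapng.exe was unpacked to the path below; adjust as needed.
$TraceFile  = "C:\$env:COMPUTERNAME.etl"
$Etl2Pcapng = "C:\Tools\etl2pcapng.exe"   # assumed location of the downloaded tool

# Step 2: same parameters as the document. 512-byte frame truncation,
# 1 GB (maxsize=1000) circular buffer, no HTML report.
netsh trace start capture=yes packettruncatebytes=512 tracefile=$TraceFile maxsize=1000 filemode=circular overwrite=yes report=no
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# Steps 3 and 4: the trace runs in the background until the issue is reproduced.
Write-Host "Tracing to $TraceFile. Reproduce the issue, then press Enter to stop."
[void](Read-Host)

# Step 5: stop blocks while netsh correlates and merges the trace. Do not interrupt it,
# otherwise the resulting files cannot be analyzed.
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Step 6: netsh writes an .etl and a .cab next to each other in the chosen directory.
$CabFile  = [System.IO.Path]::ChangeExtension($TraceFile, ".cab")
$PcapFile = [System.IO.Path]::ChangeExtension($TraceFile, ".pcapng")

# Convert the ETL to PCAPNG so Wireshark can open it.
# etl2pcapng takes the input and output paths as positional arguments.
& $Etl2Pcapng $TraceFile $PcapFile
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

# Show the files to upload, with sizes, so the 1 GB circular limit can be sanity-checked.
Get-Item $TraceFile, $CabFile, $PcapFile | Select-Object Name, Length, LastWriteTime
```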
Document Location
Worldwide
Document Information
More support for:
Microsoft Windows
Component:
Windows
Software version:
All Versions
Document number:
7169769
Modified date:
23 September 2024
UID
ibm17169769