Microsoft Windows [Version 6.1.7000] (C) Copyright 2009 Microsoft Corp. C:\Windows>netsh wfp show netevents ?
Usage: show netevents
[[ file = ]| - ][[ protocol = ]][[ localaddr = ]][[ remoteaddr = ]][[ localport = ]][[ remoteport = ]][[ appid = ]][[ userid = ]][[ timewindow = ]]
Parameters:
Tag Value
file - Output file name. The default is 'netevents.xml'.
If this parameter is set to the dash character,
'file = -', the output is written only to the console.
protocol - The IP protocol. This must be an integer.
localaddr - The IP addresses. 'localaddr' is the local IP address,
remoteaddr and 'remoteaddr' is the remote IP address.
The addresses are either IPv4 or IPv6.
If both local and remote addresses are specified,
they both must belong to the same address family.
localport - The ports. 'localport' is the local port,
and 'remoteport' is the remote port.
remoteport They must be integers.
appid - The application sending or receiving the traffic
on the local host.
This either an NT path such as
'\device\harddiskvolume1\windows\system32\ftp.exe'
or a DOS path such as
'c:\Windows\System32\ftp.exe'
The supplied path must exist.
userid - The user sending or receiving the traffic
on the local host. The userid may be a SID
(such as 'S-1-5-18') or
a user name (such as 'nt authority\system').
timewindow - Limits the output to network events that occurred
within a specified number of seconds.
This must be an integer.
Remarks: Displays recent network events matching the specified traffic parameters.
