Wireshark mailing list archives

Re: Question regarding cap export from netsh etl using message analyzer


From: Guy Harris <guy () alum mit edu>
Date: Fri, 18 Oct 2013 01:04:15 -0700


On Oct 17, 2013, at 11:25 PM, Ran Shenhar <ran.shenhar () gmail com> wrote:

> I have a Win machine I can't install Wireshark on.
> So I figured I'd use "netsh trace start capture=yes Ethernet.Type=IPv4 traceFile=d:\ip.trace2.etl maxsize=20" to capture, then follow
> http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx
> to export and read in Wireshark.
> The problem is that the exported file opens up with all packets marked as TZSP and malformed.

Either this is a bug in Message Analyzer's code for converting .etl files to Network Monitor .cap files or a bug in Wireshark's code for reading Network Monitor .cap files.

If you're also using the beta version of Message Analyzer, the final version of Message Analyzer has been released:

        http://blogs.technet.com/b/messageanalyzer/archive/2013/09/25/message-analyzer-has-released-a-new-beginning.aspx

Try downloading it and seeing whether it *correctly* converts .etl files to Network Monitor .cap files.

If not, or if you used the final version of Message Analyzer, try reading the .cap file in Network Monitor.  If it reports an error or doesn't correctly dissect the packets, report it as a Message Analyzer bug, if there's some way to do that.  If Network Monitor *does* correctly dissect the packets, report it as a Wireshark bug and attach the .cap file (if you can't attach the .cap file, we probably won't be able to find out what the problem is and thus probably won't be able to fix it; if necessary, mark the capture file or the entire bug as private).

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
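The triage Guy describes (is the converted file a sane Network Monitor .cap, and what link type does it claim?) can be done without either Network Monitor or Wireshark. The script below is an added example, written for this archive page; it is not code from the thread, from Message Analyzer or from Wireshark. It checks the file magic and version, walks the frame table and reports the per-frame link type trailer. The layout it assumes (4-byte magic "RTSS"/"GMBU", 60-byte fixed header, frame table of 32-bit offsets, v2.x frame records with a 64-bit timestamp delta and 32-bit lengths, v2.1+ trailers whose first 16 bits are 0xE000 + the pcap LINKTYPE) is from my reading of Wireshark's wiretap/netmon.c and should be checked against that source before relying on it. The sample file it builds when run without arguments is constructed, not a real Message Analyzer export.

```python
"""Sanity-check a Network Monitor .cap before deciding whose bug it is (added example)."""
import struct

MAGIC_V1 = b"RTSS"  # Network Monitor 1.x files
MAGIC_V2 = b"GMBU"  # Network Monitor 2.x files (NetMon 3 and Message Analyzer exports)
HEADER_LEN = 64     # 4-byte magic + 60-byte fixed header
PER_FRAME_NETWORK = (0xFFFE, 0xFFFF)

# Header "network" values as I read them in wiretap/netmon.c; treat as an assumption.
HEADER_NETWORK = {
    0: "NetBIOS", 1: "Ethernet", 2: "Token Ring", 3: "FDDI", 4: "ATM",
    5: "IEEE 1394", 6: "802.11", 7: "raw IP",
    0xFFFE: "per-frame trailer (NETWORK_INFO_EX, v2.3)",
    0xFFFF: "per-frame trailer (NETWORK_INFO, v2.1/v2.2)",
}


def describe_network(value):
    """Human-readable link type; NetMon 3 trailers carry 0xE000 + pcap LINKTYPE."""
    if value is None:
        return "inherited from file header"
    if value >= 0xE000:
        return "pcap LINKTYPE %d" % (value - 0xE000)
    return HEADER_NETWORK.get(value, "unknown 0x%04X" % value)


def parse_netmon_cap(data):
    """Parse the header and walk the frame table; ValueError if it is not a sane NetMon file."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a Network Monitor header")
    magic = data[:4]
    if magic not in (MAGIC_V1, MAGIC_V2):
        raise ValueError("not a Network Monitor capture, magic %r" % magic)
    ver_minor, ver_major, network = struct.unpack_from("<BBH", data, 4)
    year, month, _dow, day, hour, minute, sec, msec = struct.unpack_from("<8H", data, 8)
    ft_off, ft_len = struct.unpack_from("<II", data, 24)
    if ft_len % 4 or ft_off + ft_len > len(data):
        raise ValueError("frame table (offset 0x%X, length %d) out of range" % (ft_off, ft_len))

    frames = []
    for off in struct.unpack_from("<%dI" % (ft_len // 4), data, ft_off):
        # v1.x records: 32-bit ms delta + 16-bit lengths; v2.x: 64-bit us delta + 32-bit lengths.
        rec_hdr = 8 if ver_major == 1 else 16
        if off + rec_hdr > len(data):
            raise ValueError("frame record header at 0x%X runs past end of file" % off)
        if ver_major == 1:
            ts_delta, orig_len, incl_len = struct.unpack_from("<IHH", data, off)
        else:
            ts_delta, orig_len, incl_len = struct.unpack_from("<QII", data, off)
        payload = off + rec_hdr
        if payload + incl_len > len(data):
            raise ValueError("frame data at 0x%X runs past end of file" % off)
        frame_network = None
        # v2.1+ files whose header says "per-frame" append a trailer after the frame
        # bytes; its first field is the 16-bit link type for that frame.
        if ver_major == 2 and ver_minor >= 1 and network in PER_FRAME_NETWORK:
            if payload + incl_len + 2 > len(data):
                raise ValueError("frame record at 0x%X is missing its trailer" % off)
            (frame_network,) = struct.unpack_from("<H", data, payload + incl_len)
        frames.append({"offset": off, "ts_delta": ts_delta, "orig_len": orig_len,
                       "incl_len": incl_len, "network": frame_network,
                       "data": data[payload:payload + incl_len]})

    return {"version": (ver_major, ver_minor), "network": network,
            "start": "%04d-%02d-%02d %02d:%02d:%02d.%03d" % (year, month, day, hour, minute, sec, msec),
            "frames": frames}


def build_sample_cap():
    """Constructed v2.3 file with one synthetic Ethernet/IPv4 frame (not a real export)."""
    frame = bytes.fromhex(
        "001122334455" "66778899aabb" "0800"   # Ethernet dst, src, EtherType IPv4
        "45000014" "00010000" "40110000"        # IPv4: v4/IHL5, len 20, id 1, TTL 64, UDP, cksum 0
        "c0a80001" "c0a80002")                  # 192.168.0.1 -> 192.168.0.2
    record = struct.pack("<QII", 0, len(frame), len(frame)) + frame
    record += struct.pack("<HIQ", 0xE000 + 1, 0, 0)  # v2.3 trailer: LINKTYPE_ETHERNET, pid, utc ts
    ft_off = HEADER_LEN + len(record)
    header = (MAGIC_V2
              + struct.pack("<BBH", 3, 2, 0xFFFE)                 # minor 3, major 2, per-frame types
              + struct.pack("<8H", 2013, 10, 5, 18, 1, 4, 15, 0)  # capture start (SYSTEMTIME layout)
              + struct.pack("<10I", ft_off, 4, 0, 0, 0, 0, 0, 0, 0, 0))
    return header + record + struct.pack("<I", HEADER_LEN)   # frame table: one offset


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cap()
    cap = parse_netmon_cap(data)
    print("NetMon %d.%d, header link type: %s, capture start %s, %d frames"
          % (cap["version"] + (describe_network(cap["network"]), cap["start"], len(cap["frames"]))))
    for f in cap["frames"][:5]:
        print("  @0x%06X delta %d len %d/%d type %s" % (f["offset"], f["ts_delta"],
              f["incl_len"], f["orig_len"], describe_network(f["network"])))
```

Run it as `python netmon_check.py d:\ip.trace2.cap` (hypothetical path) on the Message Analyzer output. A magic other than RTSS/GMBU, a frame table pointing outside the file, or per-frame trailers carrying a link type that does not match the Ethernet frames actually captured would all point at the writer; a file that passes these checks and still dissects wrongly in Wireshark is the case worth attaching to a Wireshark bug, as Guy asks.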

