This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Opening etl file cap conversions

0

So, I have recently been capturing traces with the netsh command, because it is a lot easier for quickly doing something. The only drawback I have noticed is that the .etl file I capture and then convert to .cap won't dissect the WLAN traffic. LAN traffic, no problem.

According to https://social.technet.microsoft.com/Forums/en-US/25dcf65d-0d18-4d11-b25a-a5d3aa4a81e9/exporting-etl-cap-getting-nonreadable-cap-file?forum=messageanalyzer the data is all there, but Wireshark can't read it due to missing dissectors for NDIS? Is this true? If yes, is this in the works or what must be done to create one?

To be honest, the scenario is oh so useful. I have a machine that is showing problems right now; I open a cmd and start a trace. No reboot, no install, nothing extra installed to change things. The data is kinda useless to me in etl format, as I have no interest in learning another program just to read WLAN traces :/

Anyone else see this, and can I/we open a change request?

asked 27 Mar '15, 00:56


DarrenWright
accept rate: 26%

I just ran some tests using both wired and wireless connections and the conversion is fine; I see the same data in both Wireshark 1.99.x and Message Analyzer 1.2.

What version of Wireshark are you using and what are you using (and version) to do the conversion?

(27 Mar '15, 08:25) grahamb ♦

I am on WS 1.12.4 and MSMA 1.2. Both the newest I can get.

MA / Save as / export

I have a cap file and an etl.

(31 Mar '15, 04:22) DarrenWright

2 Answers:

0

I think there's already an enhancement request at bugs.wireshark.org around this issue. So far no one with the required programming skills has had the time or inclination to develop the code for this.

answered 27 Mar '15, 07:03


Jaap ♦
accept rate: 14%

That bug appears to conflate two things: the ability to read .etl files, which still isn't possible, and the ability to read a .cap file converted from a .etl, which does work for Ethernet connections but apparently not for wireless ones.

(27 Mar '15, 07:44) grahamb ♦

Hi Graham. Yeah, basically it has 2 problems in one.

Reading an etl file is however kind of unrequired programming; you can just convert the etl to cap and job done. I think the only real thing is reading the converted cap file. It is not really an end-of-the-world thing, but just a nice-to-have. The question was basically whether this is an MS or a Wireshark problem: I've been burned too often by MS with the "it's somebody else's problem" (field. sorry about that :D)

So basically the problem is that the dissector for Wireshark cannot read the converted file correctly and really does require an update? Can someone point me in the right direction?

(31 Mar '15, 03:10) DarrenWright

In my tests the .cap file was read correctly, both for wired and wireless traffic. Unless you have a .cap that isn't read correctly, I don't see a bug.

(31 Mar '15, 03:18) grahamb ♦

According to Paul Long at Microsoft, there are multiple types of 802.11 metadata, so an 802.11 .cap file from Network Monitor might work but an 802.11 .cap file from Message Analyzer might not.

(31 Mar '15, 15:56) Guy Harris ♦♦

0

"A change request" means "a bug report", which you'd file on the Wireshark Bugzilla. You'll need to attach one of the .cap files that Wireshark doesn't handle (attaching a .etl file would require converting it to .cap format).

answered 31 Mar '15, 15:55


Guy Harris ♦♦
accept rate: 19%