Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
Перейти к файлу
Matt Olson 65e2a98feb
Handle pktmon captures more gracefully (#74)
Co-authored-by: Matt Olson <maolson@ntdev.microsoft.com>
2023-06-08 16:53:46 -07:00
.github/workflows master -> main (#53) 2021-11-24 13:21:36 -05:00
src Handle pktmon captures more gracefully (#74) 2023-06-08 16:53:46 -07:00
.gitignore Switch build to be CMake based (#51) 2021-11-22 13:11:10 -08:00
CODE_OF_CONDUCT.md Initial commit 2019-09-16 16:48:43 -07:00
LICENSE Initial commit 2019-09-16 16:48:44 -07:00
README.md Update README.md (#69) 2023-06-02 09:48:05 -07:00
SECURITY.md Initial commit 2019-09-16 16:48:47 -07:00

README.md

About

This tool enables you to view ndiscap packet captures with Wireshark.

Windows ships with an inbox packet capture component called "ndiscap," which is implemented as an ETW trace provider. Due to performance problems with the other popular packet capture method (WinPcap, which was included with older versions of Wireshark), ndiscap should be preferred. A capture can be collected with:

netsh trace start capture=yes report=disabled
<repro>
netsh trace stop

The file generated by ndiscap is an etl file, which can be opened by ETW-centric tools like Microsoft Message Analyzer, but cannot be opened by Wireshark, which is the preferred tool for many engineers. Etl2pcapng.exe can convert the etl file to a pcapng file for opening with Wireshark.

Usage

Prebuilt binaries are available in the Releases section: https://github.com/microsoft/etl2pcapng/releases

Run the tool with:

etl2pcapng.exe in.etl out.pcapng

After converting the file, the tool prints a table which shows mappings between Windows interface indices and pcapng interface IDs.

The output pcapng file will have a comment on each packet indicating the PID of the current process when the packet was logged. WARNING: this is frequently not the same as the actual PID of the process which caused the packet to be sent or to which the packet was delivered, since the packet capture provider often runs in a DPC (which runs in an arbitrary process). The user should keep this in mind when using the PID information.

Building

In a command prompt in the src directory run the following. Cmake 3.15 at minimum is required.

mkdir build
cd build
cmake ..
cmake --build . --config Release

The binary will be at build/Release/etl2pcapng.exe

History

1.11.0 - Allows output filename to be omitted (e.g. "etl2pcapng.exe foo.etl". The output filename becomes "foo.pcapng").

1.10.0 - 10x faster.

1.9.0 - Adding support of Microsoft-Windows-Ras-NdisWanPacketCapture (VPN/RemoteAccess) events decoding + adding ThreadID (TID) to packet comments

1.8.0 - Adding RSS Hash value to packet comments for VMSwitch packets.

1.7.0 - Include VMSwitch packet info in packet comments.

1.6.0 - Enable ControlFlowGuard.

1.5.0 - Write iftype and ifindex into interface description blocks and statically link C runtime so vcredist doesn't need to be installed.

1.4.1 - Fix a bug leading to writing corrupt packets.

1.4.0 - Automatically infer original fragment length if captured fragments were truncated.

1.3.0 - Add a comment to each packet containing the process id (PID).

1.2.0 - Write direction info of each packet (epb_flags).

1.1.0 - Added support for multi-event packets found in traces from Win8 and older.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.