aaptel
commented
3 years ago Can you provide a buggy trace (as small as possible)?
Open peterschen opened 3 years ago
aaptel
commented
3 years ago Can you provide a buggy trace (as small as possible)?
peterschen
commented
3 years ago Apologies for the delay. captures_diag--600d-54pf-2021-05-19-16-52.zip shows the described behavior.
peterschen
commented
3 years ago @aaptel Did that trace help?
manorit2001
commented
3 years ago I also got the same error, when trace was started as netsh trace start traceFile=log.etl capture=yes
[*] reading etl file ../logs/log.etl in memory...
[*] looking for etl frames...
WMI 0x0
EV 0x48
EV 0x1d8
WMI 0x80000
EV 0x80048
EV 0x80098
EV 0x80108
EV 0x80170
EV 0x801b0
EV 0x80218
EV 0x80288
EV 0x802f8
EV 0x80358
EV 0x803b0
EV 0x80420
EV 0x80470
EV 0x804d8
EV 0x80518
EV 0x80568
EV 0x80c38
Traceback (most recent call last):
File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 219, in <module>
main()
File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 52, in main
etl_to_pcap(args.etl, args.pcap)
File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 119, in etl_to_pcap
for t, data in etl_frames(etl_data):
File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 96, in etl_frames
assert(frag_size == ev_left)
AssertionError
netsh traces on certain builds of Windows Server 2019 did not contain any packets. I've started to use NetEventPacketCapture to take captures on these builds. etl2pcapng can convert them but I'd love to have a utility I can use on Linux.
When converting traces created by NetEventPacketCapture I get the following Error: