Closed KaliszAd closed 4 years ago
maolson-msft
commented
4 years ago @KaliszAd , unfortunately the ETL format is proprietary AFAIK and therefore the only way to parse an ETL file is with the ETW APIs (OpenTrace, etc) which are only available on Windows, and I think it's unlikely they will be made crossplat any time soon.
So you'll have to run etl2pcapng on a Windows system, then you can analyze the pcapng file in *nix.
KaliszAd
commented
4 years ago @KaliszAd , unfortunately the ETL format is proprietary AFAIK and therefore the only way to parse an ETL file is with the ETW APIs (OpenTrace, etc) which are only available on Windows, and I think it's unlikely they will be made crossplat any time soon.
So you'll have to run etl2pcapng on a Windows system, then you can analyze the pcapng file in *nix.
Thank you for your effort. I of course already convert ETL-Files on Windows to pcapng... I am also aware of other options.
Probably the best would be just to open up the ETL spec and let the community do its thing without tedious reverse engineering efforts.
I have some analysis scripts for pcap (should also work on pcapng) files but they are tested only on Linux. Would it be feasible to port etl2pcapng to be able to run on Linux (and maybe macOS) as well? There seems to be some Windows dependencies in the source code. I am not sure how hard it would be to abstract those away.