Closed chadmando closed 1 year ago
maolson-msft
commented
4 years ago Hi Chad, yes, pktmon packet events are a different format and not compatible with etl2pcapng. Pktmon itself can convert its ETL packet traces to pcapng format. Run "pktmon etl2pcap help" for more info.
Maybe pktmon event detection should be added to etl2pcapng to print a helpful message to this effect.
vdepagter
commented
2 years ago Thanks for the clarification. A cool feature that etl2pcapng has is that it can add the Process PID in the packet comment. pktmon pcapng command unfortunately does not provide this functionality.
maolson-msft
commented
1 year ago I've addressed this with #74 by printing a helpful message. Actual conversion of pktmon events is, I think, out of scope for etl2pcapng for the time being.
Is there a difference in the format of the etl created using netsh trace and pktmon? When trying to convert an etl generated using pktmon the result is an empty file. Well not completely empty, but the pcapng coverted file only has this data:
\n\r\r\n\x1c\x00\x00\x00M<+\x1a\x01\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x1c\x00\x00\x00