Closed huaiyizhao closed 1 year ago
WPR is a general-purpose ETW controller, which can be used to collect traces from one or multiple ETW providers. Ndiscap (as mentioned in this project's readme) is a specific ETW provider whose ETW events are packets. Etl2pcapng converts the ndiscap events into a pcapng file. I'm not sure whether wpr can be used to collect ndiscap events, since ndiscap requires special logic (as implemented by "netsh trace start capture=yes") to install the ndiscap driver; but if it does support this, then you will have to specifically be collecting packet capture with wpr for it to make sense to use etl2pcapng on its etl files.
Windows Performance Recorder (WPR) can capture a lot of system information, including network activity. Directly using this tool on the ETL file produced by WPR incurs a "does not contain packet capture" error. WPR and etl2pcapng are both official Microsoft tools, so I think it may not be so complicated to support the ETL files produced by WPR. Any plans on this?