Input ETL file does not contain an ndiscap packet capture.

[VIT-JNE]

Hi,

as the title suggests, analogue to https://github.com/microsoft/etl2pcapng/issues/40 I have a very similar issue. I captured about 3MB of Packet-Data in an ETL-file via: netsh trace start capture=yes tracefile=D:\temp\Netcaps\foobar-2024-02-02-11-40.etl maxsize=4 filemode=single and netsh trace stop about 20minutes later. (yeah, I know, not much traffic :P)

When I try to: etl2pcapng.exe D:\temp\Netcaps\foobar-2024-02-02-11-40.etl or etl2pcapng.exe D:\temp\Netcaps\foobar-2024-02-02-11-40.etl D:\temp\Netcaps\foobar-2024-02-02-11-40.pcapng I get the error message "Input ETL file does not contain an ndiscap packet capture."

etl2pcapng.exe worked with other captures I did.

Can anyone explain the issue to me? Or has any other suggestions?

Thanks for the tool. Normally it works wonderfully.

Greetings JNE

[VIT-JNE]

Hello again,

the symptom only appears, when I trace with netsh with the parameter filemode=single with filemode=circular and $ netsh trace stop it works.

Any idea how they differ internally format-wise? That singular-filemode doesn't work, is surely not intended this way, is it? Do you have access to Microsoft's netsh-capture-code? Or format-standards for the single and circular formats?

Enjoy your day Greetings JNE

[WilliamDuncanson]

I'm having the same issue, however, I used the Powershell NetEventPacketCapture interface to create the .etl.

[geo-msft]

I also have the same issue:

etl2pcapng.exe nettrace.etl nettraceout.pcapng Input ETL file does not contain an ndiscap packet capture.

I collected the trace with this command netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace.etl

Thanks.

[ddelafuentelks]

Same problem here. I collect the trace like:

netsh trace start capture=yes report=no persistent=no traceFile=C:\temp\captura.etl

etl2pcapng.exe captura.etl captura.pcapng Input ETL file does not contain an ndiscap packet capture.