Making working with netsh captures easier with etl2pcapng

In one of my prior posts I explained how to convert a .etl packet capture generated by netsh into a .cap file that can be read by Wireshark. Two years ago a far simpler solution was made available, etl2pcapng.exe, which can be downloaded from Microsoft's GitHub page. To convert a .etl file into a file Wireshark can parse, you now just run a simple cmdline application:

etl2pcapng.exe NetTrace.etl NetTrace.pcapng

This means the workflow is now much simpler and can all be done from the cmdline:

[screenshot: etl2pcapng1-1 (the netsh capture and etl2pcapng conversion run from the cmdline)]

This gives us a nice clean view once we open the .pcapng in Wireshark, and it no longer requires the !netmon_event command to clean up the output:

[screenshot: etl2pcapng2-1 (the converted capture opened in Wireshark)]
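The full cmdline workflow from above, capture with netsh and conversion with etl2pcapng, as an added PowerShell script that is not part of the original post or of the etl2pcapng project. It assumes etl2pcapng.exe is on PATH, the shell is elevated (netsh trace requires it), and the output paths and capture duration are the constructed defaults shown in the param block; the trailing header check verifies the result is a pcapng file before handing it to Wireshark.

```powershell
# Added example: netsh capture -> etl2pcapng conversion -> pcapng sanity check.
# Assumes an elevated shell and etl2pcapng.exe on PATH (both are assumptions, not from the post).
param(
    [string]$Etl     = "$env:TEMP\NetTrace.etl",     # constructed default path
    [string]$Pcapng  = "$env:TEMP\NetTrace.pcapng",  # constructed default path
    [int]   $Seconds = 30                            # how long to capture
)

# A pcapng file starts with a Section Header Block whose type field is 0x0A0D0D0A.
# The byte sequence 0A 0D 0D 0A is a palindrome, so endianness does not matter here.
function Test-PcapngHeader([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $magic = New-Object byte[] 4
        if ($fs.Read($magic, 0, 4) -ne 4) { return $false }
        return [System.BitConverter]::ToUInt32($magic, 0) -eq 0x0A0D0D0A
    }
    finally { $fs.Dispose() }
}

$converter = Get-Command etl2pcapng.exe -ErrorAction SilentlyContinue
if (-not $converter) { throw "etl2pcapng.exe not found on PATH" }

# Start the packet capture. report=disabled skips the slow .cab report generation,
# overwrite=yes replaces a stale trace file, maxsize caps the circular buffer in MB.
netsh trace start capture=yes report=disabled overwrite=yes maxsize=256 tracefile="$Etl" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed" }

try {
    # Reproduce the network behaviour of interest while the capture runs.
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, even if the reproduction step throws.
    netsh trace stop | Out-Null
}

# Convert the .etl to .pcapng exactly as in the post: etl2pcapng.exe <in.etl> <out.pcapng>
& $converter.Source $Etl $Pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

if (-not (Test-PcapngHeader $Pcapng)) { throw "$Pcapng does not start with a pcapng Section Header Block" }
Write-Host "Capture ready for Wireshark: $Pcapng"
```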