Wireshark-users: Re: [Wireshark-users] Question regarding cap export from netsh etl using message
From: Ran Shenhar <ran.shenhar@xxxxxxxxx>
Date: Thu, 17 Oct 2013 23:38:22 -0700
Forgot to mention - Wireshark 1.10.2 64 bit.
Found https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694, so also tried opening on Ubuntu with Wireshark 1.6.7 64 bit.
Installed the 32 bit portable Windows app - same result.


On Thu, Oct 17, 2013 at 11:25 PM, Ran Shenhar <ran.shenhar@xxxxxxxxx> wrote:
I have a Win machine I can't install Wireshark on.
So I figured I'd use "netsh trace start capture=yes Ethernet.Type=IPv4 traceFile=d:\ip.trace2.etl maxsize=20" to capture, then follow http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx to export and read in Wireshark.
The problem is that the exported file opens up with all packets marked as TZSP and malformed.
Is there a better way of doing that? Other tools to convert etl to pcap?

Thanks,