%3CLINGO-SUB%20id%3D%22lingo-sub-1133297%22%20slang%3D%22en-US%22%3EConverting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1133297%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHello.%20Sean%20Greenbaum%20here%20with%20a%20tale%20from%20the%20field.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20many%20of%20you%20have%20probably%20experienced%2C%20when%20working%20with%20Microsoft%20Premier%20support%2C%20you%E2%80%99ll%20often%20be%20asked%20to%20capture%20some%20data%20and%20upload%20it%20to%20Microsoft%20for%20analysis.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMaybe%20y%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eou%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewant%20to%20review%20that%20data%20yourself%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Maybe%20you%20or%20your%20staff%20also%20has%20the%20technical%20expertise%20to%20review%20the%20data%20and%20make%20some%20preliminary%20observations%20while%20waiting%20for%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Support%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20complete%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Einvestigation%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20your%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eissue%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Brequires%20network%20traces%20to%20be%20captured%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Support%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bwill%20often%20ask%20you%20to%20capture%20the%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Em%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Brunning%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebuilt-in%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Butility%20called%20NETSH.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%222%22%20id%3D%22toc-hId--1413604240%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%20id%3D%22toc-hId--1413603559%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESome%20Background%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENETSH%20is%20a%20great%20tool%20built%20into%20the%20Windows%20OS%20and%20can%20be%20used%20to%20configure%20many%20parts%20of%20the%20networking%20stack%20within%20your%20Windows%20OS.%20You%20can%20read%20all%20about%20what%20NETSH%20can%20be%20used%20for%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fnetworking%2Ftechnologies%2Fnetsh%2Fnetsh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehere%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20When%20using%20NETSH%20to%20capture%20a%20network%20trace%2C%20it%20generates%20a%20specialized%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efile%20with%20an%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BETL%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bfile%20extension%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFor%20the%20last%20few%20years%2C%20Microsoft%20has%20used%20a%20variety%20of%20tools%20to%20decode%20and%20view%20the%20data%20in%20ETL%20files%2C%20mainly%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENetMon%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20Windows%20Performance%20Analyzer%20and%20Microsoft%20Message%20Analyzer.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENo%20improvements%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D4865%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ENetmon%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehave%20been%20made%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esince%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2010%20but%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bis%20still%20available%20for%20download%20from%20Microsoft%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Ftest%2Fwpt%2Fwindows-performance-analyzer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWindows%20Performance%20Analyzer%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bis%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ea%20great%20tool%20to%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bview%20ETL%20files%20that%20contain%20system%20performance%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edata%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20but%20not%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20best%20thing%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efor%20network%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etraces.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BThis%20brings%20us%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmessage-analyzer%2Fmicrosoft-message-analyzer-operating-guide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Message%20Analyzer%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Message%20Analyzer%20was%20our%20tool%20to%20capture%2C%20display%20and%20analyze%20protocol%20messaging%20traffic.%20It%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecan%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bopen%20ETL%20files%20and%20decode%20the%20networking%20data%20contained%20within.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIt%20also%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecan%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bexport%20that%20data%20into%20a%20standard%20.CAP%20file%20which%20could%20then%20be%20used%20by%20lots%20of%20other%20networking%20applications%20like%20Wireshark.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%222%22%20id%3D%22toc-hId-1073908593%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%20id%3D%22toc-hId-1073909274%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20issue%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20that%20we%20have%20some%20background%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elet's%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Btalk%20about%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ea%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Brecent%20support%20issue%20I%20ran%20into.%20One%20of%20my%20customers%20was%20having%20some%20issues%20which%20required%20us%20to%20take%20a%20network%20trace.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESupport%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Basked%20that%20they%20run%20the%20standard%20network%20trace%20capture%20command%20and%20switches%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENetsh%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Btrace%20start%20capture%3Dyes%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etracefile%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3Dc%3A%5Ctemp%5C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%25%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecomputername%25.etl%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emaxsize%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3D1024%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efilemode%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3Dcircular%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E(Note%3A%20If%20working%20with%20Microsoft%20Support%2C%20the%20Support%20Engineer%20may%20give%20you%20a%20slightly%20modified%20version%20of%20this%20command%20to%20enable%20certain%20trace%20options%20specific%20to%20your%20reported%20issue.%20Use%20the%20switches%20they%20provide%20you%20if%20asked.)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20623px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167698iC02E1F0DD7236F27%2Fimage-dimensions%2F623x224%3Fv%3D1.0%22%20width%3D%22623%22%20height%3D%22224%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWith%20the%20trace%20now%20running%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20issue%20now%20needs%20to%20be%20reproduced.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%20reproduced%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Estop%20the%20trace%20to%20generate%20the%20ETL%20file.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335551550%26quot%3B%3A1%2C%26quot%3B335551620%26quot%3B%3A1%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENetsh%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Btrace%20stop%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20632px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167699iAD38BD647392CDD8%2Fimage-dimensions%2F632x169%3Fv%3D1.0%22%20width%3D%22632%22%20height%3D%22169%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENotice%20that%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BNETSH%20trace%20generated%20an%20ETL%20file%20and%20saved%20i%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Et%20in%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efolder%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bspecified%20when%20starting%20the%20trace%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20It%20also%20captures%20some%20related%20diagnostic%20information%20and%20compresses%20that%20information%20into%20a%20CAB%20file.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20618px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167700iF4F62EC1361DC73E%2Fimage-dimensions%2F618x216%3Fv%3D1.0%22%20width%3D%22618%22%20height%3D%22216%22%20alt%3D%22clipboard_image_2.png%22%20title%3D%22clipboard_image_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAt%20this%20point%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ES%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eupport%20will%20ask%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efor%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eeither%20the%20ETL%20file%2C%20or%20both%20the%20ETL%20and%20CAB%20file%20depending%20on%20the%20information%20they%20are%20looking%20for%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20to%20be%20uploaded%20for%20analysis%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Support%20will%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Banalyze%20the%20data%20and%20will%20report%20back%20with%20any%20conclusions%20or%20next%20steps.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBut%20what%20if%20you%20want%20to%20review%20the%20captured%20data%20as%20well%3F%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ES%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eimply%20opening%20the%20CAB%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efile%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Byou%20can%20see%20there%20are%20lots%20of%20TXT%20files%20with%20human%20readable%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ES%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eystem%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EI%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Enformation%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ER%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eegistry%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EK%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eeys%2C%20and%20Event%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EL%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eogs%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20But%20the%20ETL%20file%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bhas%20all%20the%20network%20trace%20data.%20How%20do%20you%20get%20into%20that%3F%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BWell%2C%20as%20I%20mentioned%20above%2C%20Microsoft%20has%20the%20Microsoft%20Message%20Analyzer%20which%20can%20open%20these%20files%20and%20even%20convert%20them%20to%20a%20format%20other%20networking%20tools%20can%20read.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EI%20advised%20my%20customer%20to%20download%20this%20tool%20and%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Euse%20it%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ereview%20the%20network%20traces%20while%20Support%20is%20doing%20the%20same.%20Except%2C%20we%20ran%20into%20a%20problem.%20Microsoft%20Message%20Analyzer%20has%20been%20discontinued.%20Even%20worse%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fblog%2Fms-winintbloglp%2Fdd98b93c-0a75-4eb0-b92e-e760c502394f%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20has%20pulled%20Microsoft%20Message%20Analyzer%3C%2FA%3E%20from%20all%20official%20download%20locations%20effective%20November%2025%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eth%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%202019.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAnd%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethere%20is%20no%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ereplacement%20in%20development%20as%20of%20the%20time%20of%20this%20posting.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGreat.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESurely%2C%20our%20customers%20will%20want%20to%20be%20able%20to%20generate%20and%20analyze%20their%20own%20network%20traces%20without%20needing%20to%20rely%20on%20Microsoft%20Support.%20Installing%20another%20tool%20on%20your%20systems%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20capture%20network%20traces%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bisn%E2%80%99t%20always%20going%20to%20be%20an%20acceptable%20option%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bin%20many%20companies%20either%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20How%20can%20we%20convert%20these%20ETL%20files%20that%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebuilt-in%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Btooling%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Egenerates%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%222%22%20id%3D%22toc-hId--733545870%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%20id%3D%22toc-hId--733545189%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20solution%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWelcome%20to%20the%20world%20of%20Open%20Source%20software.%20In%20this%20case%2C%20it%20turns%20out%20one%20of%20our%20Microsoft%20Developers%2C%20Matt%20Olson%2C%20thought%20of%20this%20already.%20Using%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eofficial%20Microsoft%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EGitHub%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brepo%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20he%20wrote%20and%20published%20an%20open%20source%20tool%20that%20does%20exactly%20that%2C%20named%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fetl2pcapng%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EETL2PCAPNG%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EETL2PCAPNG%20takes%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ean%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BETL%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efile%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethat%20was%20generated%20using%20NETSH%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eand%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bconverts%20the%20network%20frames%20to%20a%20new%20version%20of%20the%20CAP%20format%2C%20called%20PCAPNG.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EStandard%20network%20analysis%20tools%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elike%20Wireshark%20can%20read%20this%20format%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335551550%26quot%3B%3A1%2C%26quot%3B335551620%26quot%3B%3A1%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20you%20don%E2%80%99t%20feel%20like%20building%20the%20tool%20from%20source%2C%20check%20out%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fetl2pcapng%2Freleases%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EReleases%20section%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bon%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGitHub%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20find%20the%20latest%20prebuilt%20executable.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20allows%20you%20to%20generate%20the%20ETL%20file%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bon%20the%20server%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20copy%20to%20your%20local%20machine%2C%20or%20approved%20jump%20box%2Ftools%20machine%2Fetc%26nbsp%3Band%20convert%20the%20ETL%20file%20there.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETo%20convert%20your%20ETL%20file%20the%20command%20is%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EEtl2pcapng.exe%26nbsp%3Bfile.etl%26nbsp%3Bnewfile.pcapng%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUsing%20that%20to%20convert%20the%20ETL%20file%20I%20captured%20earlier%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20623px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167701iD59B6AE91427EE87%2Fimage-dimensions%2F623x306%3Fv%3D1.0%22%20width%3D%22623%22%20height%3D%22306%22%20alt%3D%22clipboard_image_3.png%22%20title%3D%22clipboard_image_3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20I%20can%20open%20the%20PCAPNG%20file%20in%20my%20favorite%20networking%20tool%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHappy%20troubleshooting%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1133297%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20post%2C%20lets%20look%20into%20how%20to%20convert%20ETL%20files%20captured%20by%20NETSH%20into%20a%20.PCAP%20file%20format%20that%20can%20be%20used%20by%20other%20network%20trace%20applications.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1133297%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESeanGreenbaum%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1150408%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1150408%22%20slang%3D%22en-US%22%3EYou%20sure%3F%20Every%20time%20MS%20support%20has%20wanted%20network%20traces%2C%20they've%20insisted%20that%20I%20install%20wireshark%20and%20don't%20seem%20to%20understand%20why%20anyone%20would%20be%20reluctant%20to%20do%20that%20on%20a%20production%20server%20that%20is%20in%20use.%20Most%20of%20them%20had%20never%20heard%20of%20message%20analyzer%20and%20have%20no%20idea%20how%20to%20use%20netsh.%20Also%2C%20who%20is%20the%20joker%20that%20decided%20to%20quickly%20and%20quietly%20get%20rid%20of%20message%20analyzer%3F%20It's%20was%20one%20of%20the%20increasingly%20fewer%20tools%20from%20MS%20that%20was%20still%20very%20useful%2C%20and%20I%20rely%20on%20it%20pretty%20often.%20I%20can't%20really%20stress%20enough%20how%20much%20it%20needs%20to%20be%20put%20back%20ASAP.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1220808%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1220808%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20article.%20There%20are%20so%20many%20hidden%20gems%20on%20GitHub%2C%20but%20sometimes%20it%20takes%20an%20article%20like%20this%20to%20lead%20us%20to%20them.%20The%20tool%20works%20great.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1371916%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1371916%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F162290%22%20target%3D%22_blank%22%3E%40Sean%20Greenbaum%3C%2FA%3E%26nbsp%3B%2C%20THANK%20YOU.%20Not%20later%20than%20today%2C%20I%20also%20noticed%20that%20message%20analyzer%20was%20out%20of%20support.%20I%20ignore%20during%20weeks%20the%20errors%20message%20telling%20blah%20blah.%20I%20will%20grab%20that%20from%20github.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239482%22%20target%3D%22_blank%22%3E%40Jordan%20Mills%3C%2FA%3E%26nbsp%3B%2C%20wireshark%20is%20nice%2C%20powerful%20etc%2C%20but%20since%20we%20can%20do%20%22netsh%20trace%20start%22%20%2C%20i%20no%20longer%20install%20wireshark.%20Netsh%20%2C%20you%20don't%20need%20to%20maintain%20it%20too.%20And%20you%20can%20use%20some%20filter%20very%20handy%20to%20remove%20noise%20and%20things%20not%20relevant.%20When%20have%20your%20trace%2C%20you%20can%20copy%20it%20and%20conduct%20the%20analysis%20with%20the%20shark.%20Give%20a%20try%20to%20netsh%20trace%2C%20it%20is%20very%20easy%20%3B).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1372101%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1372101%22%20slang%3D%22en-US%22%3E%3CP%3EChristopheCLDC%20I%20think%20you%20misread%20my%20post.%26nbsp%3B%20Message%20analyzer%20uses%20exactly%20the%20same%20interface%20as%20netsh%20(and%20New-NetEventSession).%26nbsp%3B%20It's%20all%20built%20into%20the%20OS%2C%20no%20installation%20or%20configuration%20required.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1405769%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1405769%22%20slang%3D%22en-US%22%3E%3CP%3ESince%20all%20MS%20network%20analysis%20tool%20are%20deprecated%20(netmon%20and%20message%20analyzer)%2C%20Hopefully%20some%20day%20in%20the%20future%20Microsoft%20will%20work%20with%20Wireshark%20team%20and%20help%20them%20to%20have%20built-in%20elt%20parsers%20directly%20in%20Wireshark....%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1406069%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1406069%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20you%20sure%3F%26nbsp%3B%20What%20about%20pktmon.exe%3F%26nbsp%3B%20It%20was%20added%20to%20windows%2010%20in%20October%202018%2C%20and%20seems%20to%20use%20the%20same%20ETL%20interface%20that%20netsh%20and%20powershell%20use%20(and%20I've%20seen%20nothing%20about%20either%20of%20those%20being%20sabotaged%20either).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20would%20microsoft%20kill%20such%20a%20useful%20tool%20as%20message%20analyzer%20when%20so%20many%20people%20are%20actively%20using%20it%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1795139%22%20slang%3D%22en-US%22%3ERe%3A%20Converting%20ETL%20Files%20to%20PCAP%20Files%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1795139%22%20slang%3D%22en-US%22%3E%3CP%3ESadly%20etl2pcapng%20doesn't%20work%20as%20well%20as%20the%20message%20analyser%20export.%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BCapturing%20VPN%20traffic%20I%20find%20the%20resulting%20pcap%20is%20missing%20that%20VPN%20traffic%20even%20though%20it%20is%20present%20in%20the%20etl%20file%20and%20is%20properly%20produced%20by%20the%20pcap%20export%20in%20Message%20analyser.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Enetsh%20trace%20capture%20used%20to%20get%20traffic%20before%20it%20goes%20into%20and%20after%20it%20comes%20out%20of%20the%20VPN%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Enetsh%20trace%20start%20provider%3DMicrosoft-Windows-Ras-NdisWanPacketCapture%20Ethernet.Type%3D(IPv4%2CIPv6%2C0)%20Wifi.Type%3DData%20capture%3Dyes%20correlation%3Ddisable%20overwrite%3Dyes%20tracefile%3Dvpn-traffic.etl%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hello. Sean Greenbaum here with a tale from the field.  

 

As many of you have probably experienced, when working with Microsoft Premier support, you’ll often be asked to capture some data and upload it to Microsoft for analysis. Maybe you want to review that data yourself. Maybe you or your staff also has the technical expertise to review the data and make some preliminary observations while waiting for Microsoft Support to complete the investigation 

 

If your issue requires network traces to be captured, Microsoft Support will often ask you to capture them running a built-in utility called NETSH. 

 

Some Background 

NETSH is a great tool built into the Windows OS and can be used to configure many parts of the networking stack within your Windows OS. You can read all about what NETSH can be used for here. When using NETSH to capture a network trace, it generates a specialized file with an ETL file extension. 

 

For the last few years, Microsoft has used a variety of tools to decode and view the data in ETL files, mainly NetMon, Windows Performance Analyzer and Microsoft Message Analyzer. No improvements to Netmon have been made since 2010 but is still available for download from MicrosoftWindows Performance Analyzer is a great tool to view ETL files that contain system performance data, but not the best thing for network traces. This brings us to Microsoft Message Analyzer

 

Microsoft Message Analyzer was our tool to capture, display and analyze protocol messaging traffic. It can open ETL files and decode the networking data contained within. It also can export that data into a standard .CAP file which could then be used by lots of other networking applications like Wireshark. 

 

The issue 

Now that we have some background, let's talk about a recent support issue I ran into. One of my customers was having some issues which required us to take a network trace. Microsoft Support asked that they run the standard network trace capture command and switches: 

  • Netsh trace start capture=yes tracefile=c:\temp\%computername%.etl maxsize=1024 filemode=circular 

(Note: If working with Microsoft Support, the Support Engineer may give you a slightly modified version of this command to enable certain trace options specific to your reported issue. Use the switches they provide you if asked.) 

clipboard_image_0.png

 

With the trace now running, the issue now needs to be reproduced. 

Once reproduced, stop the trace to generate the ETL file. 

  • Netsh trace stop 

clipboard_image_1.png

 

Notice that NETSH trace generated an ETL file and saved it in the folder specified when starting the trace. It also captures some related diagnostic information and compresses that information into a CAB file. 

clipboard_image_2.png

 

At this point, Support will ask for either the ETL file, or both the ETL and CAB file depending on the information they are looking for, to be uploaded for analysisMicrosoft Support will analyze the data and will report back with any conclusions or next steps. 

 

But what if you want to review the captured data as well? Simply opening the CAB file you can see there are lots of TXT files with human readable System Information, Registry Keys, and Event Logs. But the ETL file has all the network trace data. How do you get into that? Well, as I mentioned above, Microsoft has the Microsoft Message Analyzer which can open these files and even convert them to a format other networking tools can read. 

 

I advised my customer to download this tool and use it to review the network traces while Support is doing the same. Except, we ran into a problem. Microsoft Message Analyzer has been discontinued. Even worse, Microsoft has pulled Microsoft Message Analyzer from all official download locations effective November 25th, 2019. And there is no replacement in development as of the time of this posting. 

 

Great.  

 

Surely, our customers will want to be able to generate and analyze their own network traces without needing to rely on Microsoft Support. Installing another tool on your systems to capture network traces isn’t always going to be an acceptable option in many companies either. How can we convert these ETL files that the built-in tooling generates? 

 

The solution 

Welcome to the world of Open Source software. In this case, it turns out one of our Microsoft Developers, Matt Olson, thought of this already. Using the official Microsoft GitHub repo, he wrote and published an open source tool that does exactly that, named ETL2PCAPNG

 

ETL2PCAPNG takes an ETL file that was generated using NETSH and converts the network frames to a new version of the CAP format, called PCAPNG. Standard network analysis tools like Wireshark can read this format. 

 

If you don’t feel like building the tool from source, check out the Releases section on the GitHub to find the latest prebuilt executable.  

 

This allows you to generate the ETL file on the server, copy to your local machine, or approved jump box/tools machine/etc and convert the ETL file there. To convert your ETL file the command is: 

Etl2pcapng.exe file.etl newfile.pcapng 

 

Using that to convert the ETL file I captured earlier: 

clipboard_image_3.png

 

 

Now I can open the PCAPNG file in my favorite networking tool. 

Happy troubleshooting. 

7 Comments
New Contributor
You sure? Every time MS support has wanted network traces, they've insisted that I install wireshark and don't seem to understand why anyone would be reluctant to do that on a production server that is in use. Most of them had never heard of message analyzer and have no idea how to use netsh. Also, who is the joker that decided to quickly and quietly get rid of message analyzer? It's was one of the increasingly fewer tools from MS that was still very useful, and I rely on it pretty often. I can't really stress enough how much it needs to be put back ASAP.
Occasional Visitor

Thanks for the article. There are so many hidden gems on GitHub, but sometimes it takes an article like this to lead us to them. The tool works great.

Senior Member

@Sean Greenbaum , THANK YOU. Not later than today, I also noticed that message analyzer was out of support. I ignore during weeks the errors message telling blah blah. I will grab that from github.

@Jordan Mills , wireshark is nice, powerful etc, but since we can do "netsh trace start" , i no longer install wireshark. Netsh , you don't need to maintain it too. And you can use some filter very handy to remove noise and things not relevant. When have your trace, you can copy it and conduct the analysis with the shark. Give a try to netsh trace, it is very easy ;). 

New Contributor

ChristopheCLDC I think you misread my post.  Message analyzer uses exactly the same interface as netsh (and New-NetEventSession).  It's all built into the OS, no installation or configuration required.

Microsoft

Since all MS network analysis tool are deprecated (netmon and message analyzer), Hopefully some day in the future Microsoft will work with Wireshark team and help them to have built-in elt parsers directly in Wireshark.... 

New Contributor

Are you sure?  What about pktmon.exe?  It was added to windows 10 in October 2018, and seems to use the same ETL interface that netsh and powershell use (and I've seen nothing about either of those being sabotaged either).

 

Why would microsoft kill such a useful tool as message analyzer when so many people are actively using it? 

Occasional Visitor

Sadly etl2pcapng doesn't work as well as the message analyser export.     Capturing VPN traffic I find the resulting pcap is missing that VPN traffic even though it is present in the etl file and is properly produced by the pcap export in Message analyser.

 

netsh trace capture used to get traffic before it goes into and after it comes out of the VPN

 

netsh trace start provider=Microsoft-Windows-Ras-NdisWanPacketCapture Ethernet.Type=(IPv4,IPv6,0) Wifi.Type=Data capture=yes correlation=disable overwrite=yes tracefile=vpn-traffic.etl