
Wireshark-users: Re: [Wireshark-users] Question regarding cap export from netsh etl using message

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Oct 2013 01:04:15 -0700
On Oct 17, 2013, at 11:25 PM, Ran Shenhar <ran.shenhar@xxxxxxxxx> wrote:

> I have a Win machine I can't install Wireshark on.
> So I figured I'd use "netsh trace start capture=yes Ethernet.Type=IPv4 traceFile=d:\ip.trace2.etl maxsize=20" to capture, then follow http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx to export and read in Wireshark.
> The problem is that the exported file opens up with all packets marked as TZSP and malformed.

Either this is a bug in Message Analyzer's code for converting .etl files to Network Monitor .cap files or a bug in Wireshark's code for reading Network Monitor .cap files.

If you're also using the beta version of Message Analyzer, the final version of Message Analyzer has been released:

	http://blogs.technet.com/b/messageanalyzer/archive/2013/09/25/message-analyzer-has-released-a-new-beginning.aspx

Try downloading it and seeing whether it *correctly* converts .etl files to Network Monitor .cap files.

If not, or if you used the final version of Message Analyzer, try reading the .cap file in Network Monitor.  If it reports an error or doesn't correctly dissect the packets, report it as a Message Analyzer bug, if there's some way to do that.  If Network Monitor *does* correctly dissect the packets, report it as a Wireshark bug and attach the .cap file (if you can't attach the .cap file, we probably won't be able to find out what the problem is and thus probably won't be able to fix it; if necessary, mark the capture file or the entire bug as private).