Wireshark · Wireshark-users: Re: [Wireshark-users] Question regarding cap export from netsh etl using message analyzer

[Ran Shenhar <ran.shenhar@xxxxxxxxx>]

Thanks Guy.

I also posted a similar question on Microsoft's Analyzer forum and got the following response:
"Was it on a wireless interface?

Wireshark is missing dissectors for the wireless frame we use when the built-in NDIS driver captures the data.  There might also be some other kinds of ETL traffic wireshark can't parse, but the TZSP protocol is something I've seen with wireless data."
(on http://social.technet.microsoft.com/Forums/en-US/messageanalyzer/thread/25dcf65d-0d18-4d11-b25a-a5d3aa4a81e9/)

With all that being said, is there a plan to fix this?

Thanks.

On Thu, Oct 17, 2013 at 11:38 PM, Ran Shenhar <ran.shenhar@xxxxxxxxx> wrote:

Forgot to mention - Wireshark 1.10.2 64 bit.

Found https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6694, so also tried opening on Ubuntu with Wireshark 1.6.7 64 bit.

Installed the 32 bit portable Windows app - same result.

On Thu, Oct 17, 2013 at 11:25 PM, Ran Shenhar <ran.shenhar@xxxxxxxxx> wrote:

I have a Win machine I can't install Wireshark on.

So I figured I'd use "netsh trace start capture=yes Ethernet.Type=IPv4 traceFile=d:\ip.trace2.etl maxsize=20" to capture, then follow http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx to export and read in Wireshark.

The problem is that the exported file opens up with all packets marked as TZSP and malformed.

Is there a better way to doing that? Other tools to convert etl to pcap?

Thanks,