Input ETL file does not contain an ndiscap packet capture.

[VIT-JNE]

Hi,

as the title suggests, analogue to #40 I have a very similar issue.
I captured about 3MB of Packet-Data in an ETL-file via:
netsh trace start capture=yes tracefile=D:\temp\Netcaps\foobar-2024-02-02-11-40.etl maxsize=4 filemode=single
and
netsh trace stop
about 20minutes later. (yeah, I know, not much traffic :P)

When I try to:
etl2pcapng.exe D:\temp\Netcaps\foobar-2024-02-02-11-40.etl
or
etl2pcapng.exe D:\temp\Netcaps\foobar-2024-02-02-11-40.etl D:\temp\Netcaps\foobar-2024-02-02-11-40.pcapng
I get the error message
"Input ETL file does not contain an ndiscap packet capture."

etl2pcapng.exe worked with other captures I did.

Can anyone explain the issue to me? Or has any other suggestions?

Thanks for the tool. Normally it works wonderfully.

Greetings
JNE

[VIT-JNE]

Hello again,

the symptom only appears, when I trace with netsh with the parameter
filemode=single
with filemode=circular and $ netsh trace stop it works.

Any idea how they differ internally format-wise?
That singular-filemode doesn't work, is surely not intended this way, is it?
Do you have access to Microsoft's netsh-capture-code? Or format-standards for the single and circular formats?

Enjoy your day
Greetings
JNE

[WilliamDuncanson]

I'm having the same issue, however, I used the Powershell NetEventPacketCapture interface to create the .etl.

[geo-msft]

I also have the same issue:

etl2pcapng.exe nettrace.etl nettraceout.pcapng
Input ETL file does not contain an ndiscap packet capture.

I collected the trace with this command
netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace.etl

Thanks.

[ddelafuentelks]

Same problem here. I collect the trace like:

netsh trace start capture=yes report=no persistent=no traceFile=C:\temp\captura.etl

etl2pcapng.exe captura.etl captura.pcapng
Input ETL file does not contain an ndiscap packet capture.