Convert etl to pcapng

** Step 1. Install-Module PowerShellGet -Force **
PowerShell => Run as Administrator

```
PS D:\Users\jacky> Install-Module PowerShellGet -Force

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'D:\Program Files\PackageManagement\ProviderAssemblies' or
'D:\Users\jacky\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS D:\Users\jacky>
```

** Step 2. Install-Module Convert-Etl2Pcapng -Force -AcceptLicense **
Close PowerShell, then open it again.
PowerShell => Run as Administrator

```
PS D:\Users\jacky> Install-Module Convert-Etl2Pcapng -Force -AcceptLicense
PS D:\Users\jacky> Get-Module -ListAvailable Convert-Etl2Pcapng


Directory: D:\Program Files\WindowsPowerShell\Modules


ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 2020.5.14 Convert-Etl2Pcapng {Register-Etl2Pcapng, Unregister-Etl2Pcapng, Convert-Etl2P...


PS D:\Users\jacky> Register-Etl2Pcapng
PS D:\Users\jacky>
```


** Step 3. Convert Etl to Pcapng **

```
PS D:\demo> netsh trace start capture=yes tracefile=D:\demo\trace.etl report=dis
File "D:\demo\trace.etl" already exists.
One or more parameters for the command are not correct or missing.
See 'trace start help' for detailed help.

PS D:\demo> netsh trace start capture=yes tracefile=D:\demo\trace.etl report=dis

Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: D:\demo\trace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Disabled

PS D:\demo> Start-Sleep 1
PS D:\demo> Clear-DnsClientCache
PS D:\demo> ping cloudflare.com

Pinging cloudflare.com [104.17.176.85] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 104.17.176.85:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PS D:\demo> Start-Sleep 3
PS D:\demo> netsh trace stop
Correlating traces ... done
Merging traces ... done
File location = D:\demo\trace.etl
Tracing session was successfully stopped.

PS D:\demo>
```

Convert Etl 2 pcapng

Convert Etl 2 pcapng completed

Open it in Wireshark.
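The whole of Step 3 as one script, added here as an example and not code from the original post or from the Convert-Etl2Pcapng module. It gives each run a timestamped trace file (the first `netsh trace start` in the transcript above failed only because `trace.etl` already existed), always stops the session even if the test traffic fails, and then converts from the prompt instead of the right-click menu. It assumes the module's `Convert-Etl2Pcapng` function accepts `-Path` and writes the `.pcapng` beside the input `.etl`; check `Get-Help Convert-Etl2Pcapng` if your version differs.

```powershell
# Added example (not the original post's code). Assumptions: the Convert-Etl2Pcapng
# module is installed (Step 2), its Convert-Etl2Pcapng function takes -Path, and it
# writes <name>.pcapng next to <name>.etl.
#Requires -RunAsAdministrator
param(
    [string]$OutDir = 'D:\demo',          # where trace-<stamp>.etl/.pcapng land
    [string]$Target = 'cloudflare.com',   # host pinged to generate traffic
    [int]$SettleSeconds = 3               # wait before stopping, as in the post
)
$ErrorActionPreference = 'Stop'

# netsh refuses to overwrite an existing trace file ("File ... already exists."),
# so use a fresh timestamped name for every run instead of reusing trace.etl.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl   = Join-Path $OutDir "trace-$stamp.etl"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

if (-not (Get-Module -ListAvailable -Name Convert-Etl2Pcapng)) {
    throw 'Convert-Etl2Pcapng module is not installed; run Step 2 first.'
}

# Start the packet capture with the HTML report disabled (report=dis in the post).
$startOutput = netsh trace start capture=yes "tracefile=$etl" report=disabled
if ($LASTEXITCODE -ne 0) {
    throw "netsh trace start failed:`n$($startOutput -join "`n")"
}

try {
    # Generate the traffic of interest: a cold DNS lookup plus ICMP echo, so the
    # capture contains both the DNS query/response and the ping frames.
    Start-Sleep -Seconds 1
    Clear-DnsClientCache
    ping $Target | Out-Null
    Start-Sleep -Seconds $SettleSeconds
}
finally {
    # Stop the session no matter what; an abandoned session keeps capturing.
    netsh trace stop | Out-Null
}

# Convert from the prompt. Assumption: -Path is the input parameter, and the
# output is written beside the .etl with a .pcapng extension.
Import-Module Convert-Etl2Pcapng
Convert-Etl2Pcapng -Path $etl

$pcapng = [IO.Path]::ChangeExtension($etl, '.pcapng')
if (-not (Test-Path $pcapng)) { throw "Expected $pcapng was not produced." }
Write-Host "Done. Open $pcapng in Wireshark."
```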


HTH. 2020-July-20 By Jacky