Applies to:
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

If you are like most administrators, when looking at network traces, you probably use Netmon and Wireshark or just Wireshark.

So when you collected a network trace using the built-in command netsh trace, as described in "Network tracing (packet sniffing) built-in to Windows Server 2008 R2 and Windows Server 2012", you noticed that the output is in Event Trace Log format (.etl) and couldn't load it in Wireshark. With Microsoft Message Analyzer Beta 3, that is resolved.

Launch Microsoft Message Analyzer.

Click on “Quick Open”

Browse to the folder where the .etl file is located.

Note: The file is normally at C:\Users\YourUserProfile\AppData\Local\Temp\NetTraces\

Click on “Open”

Once the network trace is open, click on “File” and then click on “Save As”

Select “All Messages”

Click on “Export”

Select the folder that you want to save it in.

Note: The default is c:\users\YourUserProfile\My Documents\MessageAnalyzer\Traces

Click on “Save”

Now you can load the .cap file in Wireshark.
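
Before handing the export to Wireshark, the file's leading magic bytes can be checked to confirm it is a real capture container and not an empty or renamed file. This is an added example, not part of the original article; it assumes the export is a Network Monitor 2.x format .cap, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Leading four bytes of capture containers (well-known magic values).
MAGICS = {
    b"GMBU": "netmon-2.x",          # Network Monitor 2.x .cap
    b"RTSS": "netmon-1.x",          # Network Monitor 1.x .cap
    b"\xd4\xc3\xb2\xa1": "pcap",    # libpcap, little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": "pcap",    # libpcap, big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": "pcap",    # libpcap, little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": "pcap",    # libpcap, big-endian, nanoseconds
    b"\x0a\x0d\x0d\x0a": "pcapng",  # pcapng Section Header Block
}


def identify_capture(path):
    """Return a format label from the file's first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    # Anything else, including empty or truncated files, is "unrecognized".
    return MAGICS.get(head, "unrecognized")


def export_looks_valid(path, expected="netmon-2.x"):
    """True when a non-empty export carries the expected container magic.

    Assumption: the export is a Network Monitor 2.x capture; pass another
    label from MAGICS if your export format differs.
    """
    return os.path.getsize(path) > 4 and identify_capture(path) == expected


if __name__ == "__main__":
    # Constructed sample files: magic plus padding, not real captures.
    samples = {
        "export.cap": b"GMBU" + bytes(12),
        "trace.pcapng": b"\x0a\x0d\x0d\x0a" + bytes(12),
        "input.bin": bytes(16),   # placeholder bytes with no known magic
        "empty.cap": b"",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            print(name, identify_capture(path), export_looks_valid(path))
```
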