So you want to use Wireshark to read the netsh trace output .etl?


Applies to:
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

If you are like most administrators, you probably use Netmon and Wireshark, or just Wireshark, when looking at network traces.

So when you collected a network trace using the built-in netsh trace command, as described in Network tracing (packet sniffing) built-in to Windows Server 2008 R2 and Windows Server 2012, you noticed that the output is in Event Trace Log format (.etl) and that you couldn’t load it in Wireshark. Microsoft Message Analyzer Beta 3 resolves that.


Launch Microsoft Message Analyzer.


Click on “Quick Open”


Browse to the folder where the .etl file is located.

Note:  Normally at C:\Users\YourUserProfile\AppData\Local\Temp\NetTraces\



Click on “Open”

Once the network trace is open, click on “File” and then click on “Save As”.


Select “All Messages”

Click on “Export”


Select the folder that you want to save it in.

Note:  By default c:\users\YourUserProfile\My Documents\MessageAnalyzer\Traces

Click on “Save”

Now you can load the .cap file in Wireshark.

  • Q:  My question is, if I have a bunch of ETL files I want to convert, is there any way I can script this on the command line? It seems like the only way to do it is through the GUI, which will take forever...



    A:  Hi Tim, yes, using PowerShell.

    If you want to add more etl traces to the Message Analyzer PowerShell session, then you need to add them to the Add-PefMessageProvider cmdlet as full etl paths, comma-separated.


    $s = New-PefTraceSession -Path "C:\users\Yong\documents\OutFile.Cap" -SaveOnStop
    $s | Add-PefMessageProvider -Provider "C:\users\Yong\documents\Input.etl"
    $s | Start-PefTraceSession

    Note:  Full paths to the .etl are required.

    Note 2:  Watch out for the – (elongated dash) instead of the -.
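
A batch version of the conversion in the answer above, as an added example that is not part of the original post or Microsoft's own code: it loops over every .etl in a folder and writes one .cap per trace, using only the cmdlets and parameters shown in the answer. The folder defaults, the one-session-per-file approach, and the expectation that Start-PefTraceSession returns once the .etl has been read are assumptions.

```powershell
# Added example: batch form of the three-cmdlet conversion from the answer above.
# $InputDir and $OutputDir are hypothetical defaults; point them at your own folders.
param(
    [string]$InputDir  = "$env:LOCALAPPDATA\Temp\NetTraces",
    [string]$OutputDir = "$env:USERPROFILE\Documents\MessageAnalyzer\Traces"
)

$ErrorActionPreference = 'Stop'

# The PEF cmdlets need full paths, so resolve both folders to absolute paths first.
$inRoot = (Resolve-Path -LiteralPath $InputDir).Path
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}
$outRoot = (Resolve-Path -LiteralPath $OutputDir).Path

foreach ($etl in Get-ChildItem -LiteralPath $inRoot -Filter *.etl) {
    $cap = Join-Path $outRoot ($etl.BaseName + '.cap')

    # Do not overwrite a capture that was already converted on an earlier run.
    if (Test-Path -LiteralPath $cap) {
        Write-Host "Skipping $($etl.Name): $cap already exists"
        continue
    }

    try {
        # One session per input file, so each .etl gets its own .cap.
        $s = New-PefTraceSession -Path $cap -SaveOnStop
        $s | Add-PefMessageProvider -Provider $etl.FullName
        $s | Start-PefTraceSession
        Write-Host "Converted $($etl.Name) -> $cap"
    }
    catch {
        # Report and continue, so one unreadable trace does not stop the batch.
        Write-Warning "Failed on $($etl.FullName): $($_.Exception.Message)"
    }
}
```

Save it as a .ps1 file and run it from a PowerShell session on a machine where Message Analyzer is installed.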


