Applies to:
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

If you are like most administrators, when looking at network traces, you probably use Netmon and Wireshark or just Wireshark.

So when you went thru collecting a network trace using the built-in command netsh trace as described in Network tracing (packet sniffing) built-in to Windows Server 2008 R2 and Windows Server 2012.

You noticed that the output is in Event Trace Log (ETL format (.etl)) and couldn’t load it in Wireshark.  With the Microsoft Message Analyzer Beta 3 that is resolved.


Launch image


Click on “Quick Open”


Browse to the folder where the .etl file is located.

Note:  Normally at C:\Users\YourUserProfile\AppData\Local\Temp\NetTraces\



Click on “Open”

Once the network trace is open.


Click on “File” and click on “Save As”


Select “All Messages”

Click on “Export”


Select the folder that you want to save it in.

Note:  By default c:\users\YourUserProfile\My Documents\MessageAnalyzer\Traces

Click on “Save”

Now you could load the .cap file in Wireshark.