Last active December 26, 2019 00:46
Gist mschmitt/552c2421c3cb0f0344edeadd0605a85e
I've played a bit with that ETL format and found a way to convert it into a hexdump format that imports into Wireshark super cleanly, with missing timestamps as the only drawback.
Be sure to override the Packet Capture Provider's truncation limit as described below.

Convert the Event Trace Log to XML (tracerpt writes dumpfile.xml by default):
tracerpt trace.etl

Extract the Fragment contents from the XML file:
xmlstarlet sel -N 'ns=http://schemas.microsoft.com/win/2004/08/events/event' -t -m 'Events' -v 'ns:Event/ns:EventData/ns:Data[@Name="Fragment"]' < dumpfile.xml > bytes.txt

Convert the bytewise dump into something resembling a hexdump (split the hex string into byte pairs, then turn the leading 0x into the 000000 offset that text2pcap expects at the start of each packet):
sed -e 's/\(..\)/\1 /g' -e 's/^0x/000000/' < bytes.txt > hexdump.txt

Use Wireshark's hexdump import, all defaults, or use text2pcap to convert:
text2pcap hexdump.txt windows.cap
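The same conversion done in one script, as an added example that is not part of the gist: it parses dumpfile.xml with the same Fragment selector the xmlstarlet step uses, emits either the text2pcap-style hexdump or a pcap file directly, and goes one step further than the sed pipeline by taking each event's TimeCreated as the packet timestamp, which removes the missing-timestamps drawback noted above. Assumptions (not confirmed by the gist): the events follow the standard Windows event schema with a System/TimeCreated element carrying a SystemTime attribute, each Fragment is a 0x-prefixed hex string holding one complete Ethernet frame (what the sed step and text2pcap's default encapsulation imply, and what raising the truncation limit is for), and the sample XML is constructed test data rather than a real capture.

```python
#!/usr/bin/env python3
"""Turn a tracerpt XML dump of a NetEventPacketCaptureProvider trace into the
text2pcap-style hexdump the gist builds with sed, or straight into a pcap file
that carries each event's TimeCreated as the packet timestamp.

Added example, not code from the gist. Only the Fragment selector comes from
the gist; the surrounding element layout is assumed to follow the standard
Windows event schema, and SAMPLE_XML is constructed test data."""
import re
import struct
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"ns": "http://schemas.microsoft.com/win/2004/08/events/event"}
PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap header, microsecond timestamps
LINKTYPE_ETHERNET = 1     # text2pcap's default encapsulation as well

# Constructed stand-in for dumpfile.xml: an ARP request and an ARP reply (42-byte
# Ethernet frames with made-up MAC/IP values) plus one bookkeeping event that has
# no Fragment and must be skipped.
SAMPLE_XML = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><TimeCreated SystemTime="2019-12-26T00:46:00.1234567Z"/></System>
    <EventData><Data Name="FragmentSize">42</Data>
      <Data Name="Fragment">0xFFFFFFFFFFFF005056AABBCC08060001080006040001005056AABBCCC0A8010A000000000000C0A80101</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><TimeCreated SystemTime="2019-12-26T00:46:00.2234567Z"/></System>
    <EventData><Data Name="FragmentSize">42</Data>
      <Data Name="Fragment">0x005056AABBCC00505600112208060001080006040002005056001122C0A80101005056AABBCCC0A8010A</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><TimeCreated SystemTime="2019-12-26T00:46:01Z"/></System>
    <EventData><Data Name="SessionName">Trace</Data></EventData>
  </Event>
</Events>"""

_SYSTEMTIME = re.compile(r"(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.(\d+))?Z")


def parse_systemtime(value):
    """ISO 8601 SystemTime (Windows emits 100 ns digits) -> (seconds, microseconds)."""
    m = _SYSTEMTIME.fullmatch(value)
    if not m:
        raise ValueError(f"unexpected SystemTime format: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    usec = int((frac or "0")[:6].ljust(6, "0"))  # pcap is usec resolution: drop the 7th digit
    return int(dt.timestamp()), usec


def fragments_from_xml(xml_data):
    """Yield (seconds, microseconds, frame) per Fragment, mirroring the xmlstarlet
    selector; accepts str or the raw bytes of dumpfile.xml so expat can honour
    the file's own encoding declaration."""
    root = ET.fromstring(xml_data)
    for event in root.findall("ns:Event", NS):
        data = event.find("ns:EventData/ns:Data[@Name='Fragment']", NS)
        if data is None or not data.text:
            continue                          # not a packet event
        hexstr = data.text.strip()
        if hexstr[:2].lower() == "0x":        # same prefix the sed step rewrites
            hexstr = hexstr[2:]
        created = event.find("ns:System/ns:TimeCreated", NS)
        stamp = created.get("SystemTime") if created is not None else None
        sec, usec = parse_systemtime(stamp) if stamp else (0, 0)
        yield sec, usec, bytes.fromhex(hexstr)


def to_hexdump(frames):
    """One packet per line, offset 000000 then spaced hex bytes: the layout the
    gist's sed pipeline hands to text2pcap or Wireshark's hexdump import."""
    return "".join("000000 " + " ".join(f"{b:02x}" for b in frame) + "\n"
                   for _, _, frame in frames)


def to_pcap(frames):
    """Serialise the frames as a little-endian pcap file with real timestamps."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} dumpfile.xml out.pcap|hexdump.txt", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        frames = list(fragments_from_xml(fh.read()))
    if argv[2].lower().endswith((".pcap", ".cap")):
        with open(argv[2], "wb") as fh:
            fh.write(to_pcap(frames))
    else:
        with open(argv[2], "w") as fh:
            fh.write(to_hexdump(frames))
    print(f"wrote {len(frames)} frames to {argv[2]}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 etl2pcap.py dumpfile.xml windows.pcap` (script name is hypothetical) to get a timestamped capture, or give a .txt output name to get the same hexdump the sed step produces. Events whose Fragment was truncated still come out truncated, so the TruncationLength override below is as necessary here as for the sed route.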
--
Notes to self:
New-NetEventSession -Name "Trace" -LocalFilePath c:\Users\$env:USERNAME\Desktop\trace.etl
Add-NetEventPacketCaptureProvider -TruncationLength 9999 -SessionName Trace
Start-NetEventSession -Name Trace
Get-NetEventSession    # to see status
Stop-NetEventSession -Name Trace
Remove-NetEventPacketCaptureProvider -SessionName Trace
Remove-NetEventSession -Name Trace