Skip to content
Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
C Batchfile
Branch: master
Clone or download
jp-stewart Adding support for NDIS Metadata blocks as comments in pcapng (#19)
- Adding support for NDIS Metadata blocks as comments in pcapng
- Correcting some comments, error messages, and variable types for consistency

Tested changes on two types of wlan adapters (nwifi & wdi) and on ethernet with two interfaces against wireshark version 3.2.0 for viewing pcapng files.
Latest commit 870232e Jan 29, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
src Adding support for NDIS Metadata blocks as comments in pcapng (#19) Jan 29, 2020
.gitignore update gitignore to ignore release package (#13) Nov 27, 2019 Initial commit Sep 16, 2019
LICENSE Initial commit Sep 16, 2019 misc tweaks (#16) Jan 5, 2020 Initial commit Sep 16, 2019


This tool enables you to view ndiscap packet captures with Wireshark.

Windows ships with an inbox packet capture component called "ndiscap," which is implemented as an ETW trace provider. Due to performance problems with the other popular packet capture method (winpcap, which comes with Wireshark), ndiscap should be preferred. A capture can be collected with:

netsh trace start capture=yes report=disabled

netsh trace stop

The file generated by ndiscap is an etl file, which can be opened by ETW-centric tools like Microsoft Message Analyzer, but cannot be opened by Wireshark, which is the preferred tool for many engineers. Etl2pcapng.exe can convert the etl file to a pcapng file for opening with Wireshark.


Prebuilt binaries are available in the Releases section:

Run the tool with:

etl2pcapng.exe in.etl out.pcapng

After converting the file, the tool prints a table which shows mappings between Windows interface indices and pcapng interface IDs.

The output pcapng file will have a comment on each packet indicating the PID of the current process when the packet was logged. WARNING: this is frequently not the same as the actual PID of the process which caused the packet to be sent or to which the packet was delivered, since the packet capture provider often runs in a DPC (which runs in an arbitrary process). The user should keep this in mind when using the PID information.


Run in the src directory in a Visual Studio Command Prompt:

msbuild -t:rebuild -p:configuration=release -p:platform=win32

msbuild -t:rebuild -p:configuration=release -p:platform=x64


1.3.0 - Add a comment to each packet containing the process id (PID).

1.2.0 - Write direction info of each packet (epb_flags)

1.1.0 - Added support for multi-event packets found in traces from Win8 and older


This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.

You can’t perform that action at this time.