pktmon etl2pcap
Convert pktmon log file to pcapng format. Dropped packets are not included by default. These logs can be analyzed using Wireshark (or any pcapng analyzer).
Syntax
pktmon etl2pcap <file> [--out <name>] [--drop-only] [--component-id <id>]
Where <file> is the ETL file to convert.
Parameters
| Parameter | Description |
|---|---|
| -o, --out <name> | Name of the formatted pcapng file. |
| -d, --drop-only | Convert dropped packets only. |
| -c, --component-id <id> | Filter packets by a specific component ID. |
Output filtering
All information about the packet drop reports and packet flow through the networking stack is lost in pcapng format output. Log contents should be carefully prefiltered to show the complete conversion. For example:
- Pcapng format doesn't distinguish between a flowing packet and a dropped packet. To separate all the packets in the capture from dropped packets, generate two pcapng files; one that contains all the packets (
pktmon etl2pcap log.etl --out log-capture.etl), and another that contains only dropped packets (pktmon etl2pcap log.etl --drop-only --out log-drop.etl). This way you're able to analyze the dropped packets in a separate log. - Pcapng format doesn't distinguish between different networking components where a packet was captured. For such multilayered scenarios, specify the desired component ID in the pcapng output
pktmon etl2pcap log.etl --component-id 5. Repeat this command for each set of component IDs that you're interested in.