This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 83%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
The method of using
netsh trace start provider=Microsoft-Windows-SMBClient
saving as pcap in NetMon doesn't produce decrypted traffic.
Described at Plugfest https://www.youtube.com/watch?v=aGG7cpLxdfQ
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 52%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi Lilia,
Thank you for your request. One of our team members will review this and follow-up with you soon.
Regards,
Kristian S
Support Escalation Engineer
Microsoft Open Specifications
Hello Lilia,
You need to use Message Analyzer to view the decrypted traffic; NetMon does not know how to interpret the ETW events containing the decrypted data. Among other things, the data in the ETW trace file is just the SMB data without any TCP/IP headers.
It is possible to write a tool to extract the plaintext SMB data from an ETW trace and save it in a pcap/pcapng format (with faked TCP/IP headers); this allows Wireshark to be used to analyze the packets.
Gary
Message Analyzer is no longer supported and NetMon can convert ETL file into PCAP, regular SMB traffic is preserved just fine, but the decrypted remains decrypted.
Replace "decrypted" with "encrypted" of course.
Hello Lilia,
Yes, Message Analyzer is discontinued. NetMon can read (and interpret) some types of .etl data representing network packets, but not the SMB data in events from the Microsoft-Windows-SMBClient provider.
Message Analyzer is still available from some of the "time travel" (snapshots of the web from past times) web sites.
Gary
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOF%3C/text%3E%3C/svg%3E)
This issue is now resolved. The poster was provided with the latest copy of Message Analyzer.
For the latest copy of Message Analyzer, please send an email to dochelp at Microsoft dot com.
Regards,
Obaid Farooqi - MSFT