From 1f0572cd492c83aa710aca4c5a13de3beb66f7d3 Mon Sep 17 00:00:00 2001 From: Jedihy Date: Wed, 10 Feb 2021 11:43:32 -0800 Subject: [PATCH] Update README.md --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7335ae9..40020a4 100644 --- a/README.md +++ b/README.md @@ -8,9 +8,11 @@ as an ETW trace provider. Due to performance problems with the other popular pac method (WinPcap, which was included with older versions of Wireshark), ndiscap should be preferred. A capture can be collected with: +``` netsh trace start capture=yes report=disabled - + netsh trace stop +``` The file generated by ndiscap is an etl file, which can be opened by ETW-centric tools like Microsoft Message Analyzer, but cannot be opened by Wireshark, which is the preferred @@ -23,7 +25,9 @@ Prebuilt binaries are available in the Releases section: https://github.com/micr Run the tool with: +``` etl2pcapng.exe in.etl out.pcapng +``` After converting the file, the tool prints a table which shows mappings between Windows interface indices and pcapng interface IDs. @@ -39,9 +43,11 @@ this in mind when using the PID information. Run in the src directory in a Visual Studio Command Prompt: +``` msbuild -t:rebuild -p:configuration=release -p:platform=win32 msbuild -t:rebuild -p:configuration=release -p:platform=x64 +``` # History
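Review bot: in the first hunk (`@@ -8,9 +8,11 @@`, the netsh block) the line between `netsh trace start capture=yes report=disabled` and `netsh trace stop` is deleted and re-added, which reads as a whitespace-only change; either confirm it is intended or drop it so the hunk is just the two fence lines. The new fences also carry no language tag, so the commands will not be highlighted; since the README is already adding fences here, a tag such as `cmd` would help. Because `netsh trace start` with `capture=yes` needs an elevated prompt, the sentence "A capture can be collected with:" is a good place to say the commands must be run as administrator.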
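Review bot: in the second hunk (`@@ -23,7 +25,9 @@`) the fenced line `etl2pcapng.exe in.etl out.pcapng` gives no hint that `in.etl` and `out.pcapng` are placeholders; a short sentence after "Run the tool with:" stating that the first argument is the ndiscap .etl capture and the second the pcapng file to write would remove the ambiguity, and the fence should get the same language tag as the other blocks in this patch for consistency.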
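Review bot: in the third hunk (`@@ -39,9 +43,11 @@`) the two `msbuild -t:rebuild ...` lines are invoked without a project or solution argument, so msbuild will build whatever single project or solution file it finds in the current directory and fail if there is more than one; the surrounding text says "Run in the src directory", so the README should either name the expected file or pass it explicitly on the command line. As with the other hunks, the new fence has no language tag; tagging all three blocks the same way keeps rendering consistent.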