
AssertionError when converting traces from Windows Server 2019 created by NetEventPacketCapture #1

Open
peterschen opened this issue May 13, 2021 · 4 comments

Comments

@peterschen

netsh traces on certain builds of Windows Server 2019 did not contain any packets. I've started to use NetEventPacketCapture to take captures on these builds. etl2pcapng can convert them but I'd love to have a utility I can use on Linux.

When converting traces created by NetEventPacketCapture I get the following error:

[*] reading etl file captures_diag--600d-jkhg-2021-05-13-09-36.etl in memory...
[*] looking for etl frames...
Traceback (most recent call last):
  File "/home/cbpetersen/bin/etl2pcap.py", line 219, in <module>
    main()
  File "/home/cbpetersen/bin/etl2pcap.py", line 52, in main
    etl_to_pcap(args.etl, args.pcap)
  File "/home/cbpetersen/bin/etl2pcap.py", line 119, in etl_to_pcap
    for t, data in etl_frames(etl_data):
  File "/home/cbpetersen/bin/etl2pcap.py", line 96, in etl_frames
    assert(frag_size == ev_left)
AssertionError
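For anyone trying to reproduce this report, the following is an added example (not part of the issue or of the etl2pcap project) showing how a capture is taken with the NetEventPacketCapture cmdlets on Windows Server 2019 and written to an .etl file that can then be fed to etl2pcapng or etl2pcap. The session name and output path are assumptions chosen for this example; the netsh form in the comment above this one is the alternative that also triggers the assertion.

```powershell
# Added example, not from the issue or the etl2pcap project: capture packets
# with the NetEventPacketCapture cmdlets and save them to an .etl file.
# Session name and output path are assumptions chosen for this example.
$SessionName = 'captures_diag'
$OutFile     = 'C:\captures\captures_diag.etl'

# Run from an elevated prompt; the session writes straight to the .etl file.
New-NetEventSession -Name $SessionName -CaptureMode SaveToFile -LocalFilePath $OutFile | Out-Null

# Attach the packet-capture provider. TruncationLength is the number of bytes
# kept per frame; the default keeps only a short prefix of each packet.
Add-NetEventPacketCaptureProvider -SessionName $SessionName -TruncationLength 1500 | Out-Null

Start-NetEventSession -Name $SessionName

# Reproduce the traffic of interest here; a fixed wait keeps the example small.
Start-Sleep -Seconds 30

# Stop the session and remove it so it does not linger on the host.
Stop-NetEventSession -Name $SessionName
Remove-NetEventSession -Name $SessionName

# Confirm the trace was written before copying it to the Linux box for conversion.
Get-Item $OutFile | Select-Object FullName, Length
```

Keeping the capture window short (and the host quiet) produces the "as small as possible" trace the maintainer asked for, which makes it easier to find the frame where frag_size and ev_left disagree.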
@aaptel
Owner

aaptel commented May 14, 2021

Can you provide a buggy trace (as small as possible)?

@peterschen
Author

Apologies for the delay. captures_diag--600d-54pf-2021-05-19-16-52.zip shows the described behavior.

@peterschen
Author

@aaptel Did that trace help?

@manorit2001

I also got the same error when the trace was started with: netsh trace start traceFile=log.etl capture=yes

[*] reading etl file ../logs/log.etl in memory...
[*] looking for etl frames...
WMI 0x0
EV 0x48
EV 0x1d8
WMI 0x80000
EV 0x80048
EV 0x80098
EV 0x80108
EV 0x80170
EV 0x801b0
EV 0x80218
EV 0x80288
EV 0x802f8
EV 0x80358
EV 0x803b0
EV 0x80420
EV 0x80470
EV 0x804d8
EV 0x80518
EV 0x80568
EV 0x80c38
Traceback (most recent call last):
  File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 219, in <module>
    main()
  File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 52, in main
    etl_to_pcap(args.etl, args.pcap)
  File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 119, in etl_to_pcap
    for t, data in etl_frames(etl_data):
  File "/home/user/Projects/malware-analysis/clean-analysis/analysis/etl2pcap/etl2pcap.py", line 96, in etl_frames
    assert(frag_size == ev_left)
AssertionError
