none
Netmon ETL questions RRS feed

  • Question

  • Hi,

    I am trying to properly understand how network monitor
    breaks down a *.ETL file (and a netmon capture).

    What does it mean when I see.

    NetEvent ActivityID 2 - NDIS-PackageCapture
    NetEvent ActivityID 3 - NDIS-PackageCapture

    etc.


    Is there a good site that documents Microsoft Network monitor (
    or a good book) that somebody can recommend?

    Thanks,

    Ward.

     

    Friday, November 2, 2012 7:37 AM

All replies

  • Hi Ward,

    I'm assuming you're talking about the 'Network Conversations' window?  That shows higher level groups of messages.  If you click the plus sign next to them you can drill down and eventually see the conversations of messages between different machines.

    If you're looking for resources on Network Monitor, the best place to check out is our Blog: http://blogs.technet.com/b/netmon/.  I'd also suggest looking at out Message Analyzer Beta as that's the successor to Network Monitor we're working on.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Friday, November 2, 2012 9:48 PM
    Moderator
  • BTW, ETL traces from NetSh are often automatically correlated.  Components can be writen to send information across component boundaries so that trace information from two different providers can be correlated.  When you load an ETL file, we show you a converation view that exposes those correlations.  The traffic for a specifci Activity ID should be related in that they should share data that is in common for the given activity.

    Paul

    Monday, November 12, 2012 4:07 PM