Parser for Hyper-V vmSwitch, Not exist EventID 55

Jul 6, 2012 at 9:35 AM


I tried to capture data from a Microsoft Hyper-V V3 virtual switch. I used

netsh trace start scenario=InternetClient provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch

When I load the ETL file into Network Monitor and use the current parser version 3.4.2774, I cannot see the TCP traffic. Instead I see lots of NDIS packets like this:

3045 17:26:42 04.07.2012 3.5658375 NDISPacCap_MicrosoftWindowsNDISPacketCapture NDISPacCap_MicrosoftWindowsNDISPacketCapture:Not exist EventID {NDISPacCap_MicrosoftWindowsNDISPacketCapture:56, NetEvent:55}

I think the problem is the "Not exist EventID".

Maybe I need a newer parser file for Windows 8 and Server 2012 captured packets?


Jul 6, 2012 at 4:02 PM

Problem solved.

After downloading the current version from the source code section and using these files all the packets were identified.

I had to tweak a few unresolved datatypes. But in the end it worked.

I hope there will be a new version out real soon, so it is easier to work with.