I was faced with a difficult situation where I had to find out why a SentinelOne agent would not communicate with the management portal. I ran the troubleshooting script, which generated many files, and among them there was a packet capture file.

The capture is an Event Tracing for Windows (.etl) trace rather than a pcap. We can use etl2pcapng.exe, Microsoft's converter, to turn the .etl file into a pcapng file; the executable is linked in the reference section. One caveat: etl2pcapng only carries over the packet-capture events in the trace, so if the trace was recorded without packet capture enabled the converted file will contain no frames.

After the conversion, we can open the resulting .pcapng file in Wireshark and inspect the agent's traffic to the management portal.
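The conversion and the first sanity check on its output, as an added PowerShell example that is not part of the original post or the etl2pcapng project. It assumes etl2pcapng.exe (from the reference link) is in the current directory, that the trace from the troubleshooting script is named NetTrace.etl (a hypothetical name), and that Wireshark is installed in its default location; the 1 KB "empty capture" threshold is a heuristic, not a value from the tool.

```powershell
# Added example, not from the original post: convert the ETL trace left by the
# troubleshooting script with etl2pcapng, sanity-check the output, open it in Wireshark.
# Assumptions: etl2pcapng.exe sits in the current directory, the trace is called
# NetTrace.etl (hypothetical), Wireshark is installed under Program Files.
param(
    [string]$EtlPath   = ".\NetTrace.etl",     # hypothetical input name
    [string]$OutPath   = ".\NetTrace.pcapng",
    [string]$Converter = ".\etl2pcapng.exe"
)

$ErrorActionPreference = "Stop"

if (-not (Test-Path $EtlPath))   { throw "ETL trace not found: $EtlPath" }
if (-not (Test-Path $Converter)) { throw "etl2pcapng.exe not found at $Converter" }

# Usage per the tool's README: etl2pcapng.exe <infile> <outfile>
& $Converter $EtlPath $OutPath
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng exited with code $LASTEXITCODE" }

# A pcapng file starts with a Section Header Block: block type 0x0A0D0D0A,
# a 4-byte block length, then the byte-order magic 0x1A2B3C4D (either endianness).
$bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $OutPath).Path)
if ($bytes.Length -lt 12) { throw "Output too short to be a pcapng file" }
$blockType = [BitConverter]::ToUInt32($bytes, 0)
$byteOrder = [BitConverter]::ToUInt32($bytes, 8)
if ($blockType -ne 0x0A0D0D0A -or ($byteOrder -ne 0x1A2B3C4D -and $byteOrder -ne 0x4D3C2B1A)) {
    throw "Output does not start with a pcapng Section Header Block"
}

# etl2pcapng only carries over packet-capture events; a trace recorded without
# packet capture converts cleanly but yields a file with no frames. A file barely
# larger than the section header is the tell-tale (1 KB is a heuristic cut-off).
$sizeKB = [math]::Round($bytes.Length / 1KB, 1)
Write-Host "Wrote $OutPath ($sizeKB KB)"
if ($bytes.Length -lt 1KB) { Write-Warning "Very small output; the trace may not contain packet frames" }

$wireshark = Join-Path $env:ProgramFiles "Wireshark\Wireshark.exe"
if (Test-Path $wireshark) {
    Start-Process -FilePath $wireshark -ArgumentList "`"$((Resolve-Path $OutPath).Path)`""
} else {
    Write-Host "Wireshark not found at $wireshark; open $OutPath manually"
}
```

Run it from the directory holding the troubleshooting output, overriding the parameters if the trace has a different name. If the script warns about a very small output, check how the trace was recorded before blaming the agent: without packet capture in the trace there is nothing for Wireshark to show.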

Reference

https://github.com/microsoft/etl2pcapng