ETWDUMP(1)                                                          ETWDUMP(1)


NAME

       etwdump - Provide an interface to read ETW


SYNOPSIS

       etwdump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --iue=<Should undecidable events be included> ]
       [ --etlfile=<etl file> ] [ --params=<filter parameters> ]


DESCRIPTION

       etwdump is an extcap tool that provides access to an etl file. It is
       only used to display event traces on Windows.


OPTIONS

       --help

           Print program arguments.

       --version

           Print program version.

       --extcap-interfaces

           List available interfaces.

       --extcap-interface=<interface>

           Use the specified interface.

       --extcap-dlts

           List DLTs of the specified interface.

       --extcap-config

           List configuration options of the specified interface.

       --capture

           Start capturing from the specified interface and save the capture
           in the place specified by --fifo.

       --fifo=<path to file or pipe>

           Save captured packets to a file or send them through a pipe.

       --iue=<Should undecidable events be included>

           Choose whether undecidable events are included.

       --etlfile=<Etl file>

           Select the etl file to display in Wireshark.

       --params=<filter parameters>

           Input provider, keyword and level filters for the etl file and
           live session.


EXAMPLES

       To see program arguments:

           etwdump --help

       To see program version:

           etwdump --version

       To see interfaces:

           etwdump --extcap-interfaces

       Example output

           interface {value=etwdump}{display=ETW reader}

       To see interface DLTs:

           etwdump --extcap-interface=etwdump --extcap-dlts

       Example output

           dlt {number=1}{name=etwdump}{display=DLT_ETW}

       To see interface configuration options:

           etwdump --extcap-interface=etwdump --extcap-config

       Example output

           arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
           arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
           arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}

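       The descriptor lines in the example output above follow the generic
       extcap format: a keyword (interface, dlt, arg) followed by {key=value}
       groups. The following Python is an added example, not part of etwdump
       or the Wireshark project, that parses such output the way a capture
       front end must before it can offer the options, and then uses the
       parsed descriptors to build a capture command line, refusing any
       option the tool did not advertise. The sample lines are copied from
       this page; the function names and record layout are the example's own.

```python
"""Parse etwdump's extcap descriptor output and build a capture command.

Added example, not code from etwdump or the Wireshark project.  The sample
output below is copied from the etwdump man page; parse_extcap_lines(),
config_args() and build_capture_argv() are names chosen for this example.
"""
import re

# Sample output (copied from the man page): one interface, one DLT, three args.
SAMPLE_CONFIG_OUTPUT = """\
interface {value=etwdump}{display=ETW reader}
dlt {number=1}{name=etwdump}{display=DLT_ETW}
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
"""

# A descriptor line: a keyword, whitespace, then one or more {key=value} groups.
_LINE_RE = re.compile(r"^\s*(?P<kind>\w+)\s+(?P<body>(?:\{[^{}]*\})+)\s*$")
# One {key=value} group; values may contain spaces and commas but not braces.
_GROUP_RE = re.compile(r"\{([^{}=]+)=([^{}]*)\}")


def parse_extcap_line(line):
    """Return {'kind': ..., 'fields': {...}} for a descriptor line, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None  # blank line or something that is not a descriptor
    return {"kind": m.group("kind"),
            "fields": dict(_GROUP_RE.findall(m.group("body")))}


def parse_extcap_lines(text):
    """Parse every descriptor line in the tool's output, skipping non-matching lines."""
    records = []
    for line in text.splitlines():
        rec = parse_extcap_line(line)
        if rec is not None:
            records.append(rec)
    return records


def config_args(records):
    """Map each advertised option name (its 'call' field) to its descriptor fields."""
    return {r["fields"]["call"]: r["fields"] for r in records if r["kind"] == "arg"}


def build_capture_argv(records, fifo, values):
    """Build an etwdump capture argv from parsed descriptors.

    `values` maps option names such as '--params' to a string, or to True/False
    for boolflag options.  Options that the tool did not advertise in its
    --extcap-config output raise ValueError, so a misspelled option is caught
    here instead of being passed through to the extcap binary.
    """
    interfaces = [r["fields"]["value"] for r in records if r["kind"] == "interface"]
    if len(interfaces) != 1:
        raise ValueError("expected exactly one interface descriptor")
    args = config_args(records)
    argv = ["etwdump", "--extcap-interface", interfaces[0],
            "--fifo=" + fifo, "--capture"]
    for name, value in values.items():
        if name not in args:
            raise ValueError(f"option {name} not advertised by --extcap-config")
        if args[name]["type"] == "boolflag":
            if value:          # boolflag options are passed as a bare flag
                argv.append(name)
        else:
            argv.append(f"{name}={value}")
    return argv


if __name__ == "__main__":
    recs = parse_extcap_lines(SAMPLE_CONFIG_OUTPUT)
    for r in recs:
        print(r["kind"], r["fields"])
    print(build_capture_argv(recs, "/tmp/etw.pcapng",
                             {"--params": "--p=Microsoft-Windows-wmbclass --k=0xff --l=4",
                              "--iue": True}))
```

       The advertised option list is the only thing the front end should
       trust when building the command line; everything else (file paths,
       filter strings) comes from the user and is passed through as a single
       argv element, never re-joined into a shell string.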
       To capture:

           etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"

           Note
           To stop capturing, press CTRL+C or kill/terminate the application.


SEE ALSO

       wireshark(1), tshark(1), dumpcap(1), extcap(4)


NOTES

       etwdump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.


AUTHORS

       Original Author
       Odysseus Yang L
       wiresharkyyh@outlook.com



                                 2021-11-25                        ETWDUMP(1)