1ETWDUMP(1) ETWDUMP(1)
2
3
4
6 etwdump - Provide an interface to read Event Tracing for Windows (ETW)
7
9 etwdump [ --help ] [ --version ] [ --extcap-interfaces ]
10 [ --extcap-dlts ] [ --extcap-interface=<interface> ]
11 [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
12 [ --iue=<Should undecidable events be included> ]
13 [ --etlfile=<etl file> ] [ --params=<filter parameters> ]
14
16 etwdump is a extcap tool that provides access to a event trace log file
17 or an event trace live session. It is only used to display event trace
18 on Windows that includes readable text message and different protocols
19 (like MBIM and IP packets).
20
22 --help
23
24 Print program arguments.
25
26 --version
27
28 Print program version.
29
30 --extcap-interfaces
31
32 List available interfaces.
33
34 --extcap-interface=<interface>
35
36 Use specified interfaces.
37
38 --extcap-dlts
39
40 List DLTs of specified interface.
41
42 --extcap-config
43
44 List configuration options of specified interface.
45
46 --capture
47
48 Start capturing from specified interface save saved it in place
49 specified by --fifo.
50
51 --fifo=<path to file or pipe>
52
53 Save captured packet to file or send it through pipe.
54
55 --iue=<Should undecidable events be included>
56
57 Choose if the undecidable event is included.
58
59 --etlfile=<Etl file>
60
61 Select etl file to display in Wireshark.
62
63 --params=<filter parameters>
64
65 Input providers, keyword and level filters for the etl file and
66 live session.
67
69 To see program arguments:
70
71 etwdump --help
72
73 To see program version:
74
75 etwdump --version
76
77 To see interfaces:
78
79 etwdump --extcap-interfaces
80
81 Example output
82
83 interface {value=etwdump}{display=ETW reader}
84
85 To see interface DLTs:
86
87 etwdump --extcap-interface=etwdump --extcap-dlts
88
89 Example output
90
91 dlt {number=1}{name=etwdump}{display=DLT_ETW}
92
93 To see interface configuration options:
94
95 etwdump --extcap-interface=etwdump --extcap-config
96
97 Example output
98
99 arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
100 arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
101 arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
102
103 To capture:
104
105 etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
106 etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"
107
108 Note
109 To stop capturing CTRL+C/kill/terminate the application.
110
112 wireshark(1), tshark(1), dumpcap(1), extcap(4)
113
115 etwdump is part of the Wireshark distribution. The latest version of
116 Wireshark can be found at https://www.wireshark.org.
117
118 HTML versions of the Wireshark project man pages are available at
119 https://www.wireshark.org/docs/man-pages.
120
122 Original Author
123 Odysseus Yang L
124 wiresharkyyh@outlook.com
125
126
127
128 2022-12-08 ETWDUMP(1)