ETWDUMP(1)                                                          ETWDUMP(1)


NAME

       etwdump - Provide an interface to read Event Tracing for Windows (ETW)

SYNOPSIS

       etwdump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --iue=<Should undecidable events be included> ]
       [ --etlfile=<etl file> ] [ --params=<filter parameters> ]


DESCRIPTION

       etwdump is an extcap tool that provides access to an event trace log
       file (.etl) or to a live event trace session. It runs only on Windows
       and displays event trace records that carry readable text messages or
       protocol payloads (for example MBIM and IP packets).


OPTIONS

       --help

           Print program arguments.

       --version

           Print program version.

       --extcap-interfaces

           List available interfaces.

       --extcap-interface=<interface>

           Use the specified interface.

       --extcap-dlts

           List DLTs of the specified interface.

       --extcap-config

           List configuration options of the specified interface.

       --capture

           Start capturing from the specified interface and save the result
           in the place specified by --fifo.

       --fifo=<path to file or pipe>

           Save captured packets to a file or send them through a pipe.

       --iue=<Should undecidable events be included>

           Choose whether undecidable events (events that could not be
           decoded) are included in the output.

       --etlfile=<Etl file>

           Select the etl file to display in Wireshark. When no etl file is
           given, etwdump reads from a live event trace session instead.

       --params=<filter parameters>

           Provider, keyword and level filters applied to the etl file or the
           live session, given as a single string of --p=<provider>
           (repeatable), --k=<keyword mask> and --l=<level> options, as shown
           in the EXAMPLES below.


EXAMPLES

       To see program arguments:

           etwdump --help

       To see program version:

           etwdump --version

       To see interfaces:

           etwdump --extcap-interfaces

       Example output

           interface {value=etwdump}{display=ETW reader}

       To see interface DLTs:

           etwdump --extcap-interface=etwdump --extcap-dlts

       Example output

           dlt {number=1}{name=etwdump}{display=DLT_ETW}

       To see interface configuration options:

           etwdump --extcap-interface=etwdump --extcap-config

       Example output

           arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
           arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
           arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}

       To capture:

           etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
           etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"

           Note
           To stop capturing CTRL+C/kill/terminate the application.

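       The extcap discovery lines shown above (interface, dlt and arg
       records made of {key=value} groups) and the --params filter string
       used by the capture examples, parsed and validated in Python. This is
       an added example for this page, not code from Wireshark or etwdump.
       The sample text is copied from the example output above; the function
       names, the rule that --k is a hexadecimal 64-bit keyword mask, the
       ETW TRACE_LEVEL table used to check --l, and the choice to pass
       boolflag arguments bare (as Wireshark does for extcap) are this
       example's own assumptions.

```python
"""Parse etwdump's extcap discovery output and its --params filter syntax,
then assemble a capture command line. Added example, not Wireshark code."""
import re
import shlex

# Constructed sample: the three "Example output" blocks from the man page,
# i.e. what --extcap-interfaces, --extcap-dlts and --extcap-config print.
SAMPLE_OUTPUT = """\
interface {value=etwdump}{display=ETW reader}
dlt {number=1}{name=etwdump}{display=DLT_ETW}
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
"""

# ETW TRACE_LEVEL values (assumed table, from the Windows SDK evntrace.h).
ETW_LEVELS = {0: "LOG_ALWAYS", 1: "CRITICAL", 2: "ERROR",
              3: "WARNING", 4: "INFORMATION", 5: "VERBOSE"}

_PAIR = re.compile(r"\{([^{}=]+)=([^{}]*)\}")  # one {key=value} group


def parse_extcap_lines(text):
    """Return [(sentinel, {key: value}), ...] for each non-empty line.

    A line is a sentinel word (interface, dlt, arg) followed by {key=value}
    groups; values may contain spaces but never braces. Any text left over
    outside the groups means the line is malformed, so it is rejected rather
    than silently truncated."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sentinel, _, rest = line.partition(" ")
        if _PAIR.sub("", rest).strip():
            raise ValueError(f"malformed extcap line: {line!r}")
        records.append((sentinel, dict(_PAIR.findall(rest))))
    return records


def parse_params(params):
    """Split a --params string into (providers, keyword_mask, level).

    Syntax as used in the man page examples: --p=<provider> (repeatable),
    --k=<hex keyword mask>, --l=<level>. Unknown options and out-of-range
    values raise instead of being passed on to the tool."""
    providers, keyword, level = [], None, None
    for tok in shlex.split(params):       # shlex keeps quoted names intact
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        if key == "--p":
            providers.append(val)
        elif key == "--k":
            keyword = int(val, 16)        # accepts both 0xff and ff
            if not 0 <= keyword <= 0xFFFFFFFFFFFFFFFF:
                raise ValueError(f"keyword mask out of 64-bit range: {val}")
        elif key == "--l":
            level = int(val, 0)
            if level not in ETW_LEVELS:
                raise ValueError(f"level must be 0..5, got {val}")
        else:
            raise ValueError(f"unknown filter option {key!r}")
    return providers, keyword, level


def build_capture_command(records, fifo, params=None, etlfile=None, iue=False):
    """Assemble an etwdump argv using only the --call names the tool
    advertised in its --extcap-config output; boolflag args are passed bare."""
    iface = next(f["value"] for s, f in records if s == "interface")
    advertised = {f["call"]: f for s, f in records if s == "arg"}
    if params is not None:
        parse_params(params)              # fail early on a bad filter string
    argv = ["etwdump", f"--extcap-interface={iface}", f"--fifo={fifo}", "--capture"]
    for call, val in (("--etlfile", etlfile), ("--params", params), ("--iue", iue)):
        if val in (None, False):
            continue
        if call not in advertised:
            raise ValueError(f"{call} is not advertised by this etwdump build")
        argv.append(call if advertised[call]["type"] == "boolflag" else f"{call}={val}")
    return argv


if __name__ == "__main__":
    recs = parse_extcap_lines(SAMPLE_OUTPUT)
    print(shlex.join(build_capture_command(
        recs, "/tmp/etw.pcapng",
        params="--p=Microsoft-Windows-Wmbclass-Opn --k=0xff --l=4", iue=True)))
```

       Validating the filter string before launching the tool is the useful
       part: a mistyped --k or an unknown option is reported by the script
       rather than surfacing as an empty or failed capture.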

SEE ALSO

       wireshark(1), tshark(1), dumpcap(1), extcap(4)


NOTES

       etwdump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.


AUTHORS

       Original Author
       Odysseus Yang L
       wiresharkyyh@outlook.com



                                 2022-12-08                        ETWDUMP(1)