Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
ETWDUMP(1)							    ETWDUMP(1)

NAME
       etwdump - Provide an interface to read Event Tracing for	Windows	(ETW)

SYNOPSIS
       etwdump [ --help	] [ --version ]	[ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --capture ] [ --fifo=<path	to file	or pipe> ]
       [ --iue=<Should undecidable events be included> ]
       [ --etlfile=<etl	file> ]	[ --params=<filter parameters> ]

DESCRIPTION
       etwdump is a extcap tool	that provides access to	a event	trace log file
       or an event trace live session. It is only used to display event	trace
       on Windows that includes	readable text message and different protocols
       (like MBIM and IP packets).

OPTIONS
       --help
	   Print program arguments.

       --version
	   Print program version.

       --extcap-interfaces
	   List	available interfaces.

       --extcap-interface=<interface>
	   Use specified interfaces.

       --extcap-dlts
	   List	DLTs of	specified interface.

       --extcap-config
	   List	configuration options of specified interface.

       --capture
	   Start capturing from	specified interface save saved it in place
	   specified by	--fifo.

       --fifo=<path to file or pipe>
	   Save	captured packet	to file	or send	it through pipe.

       --iue=<Should undecidable events	be included>
	   Choose if the undecidable event is included.

       --etlfile=<Etl file>
	   Select etl file to display in Wireshark.

       --params=<filter	parameters>
	   Input providers, keyword and	level filters for the etl file and
	   live	session.

EXAMPLES
       To see program arguments:

	   etwdump --help

       To see program version:

	   etwdump --version

       To see interfaces:

	   etwdump --extcap-interfaces

       Example output

	   interface {value=etwdump}{display=ETW reader}

       To see interface	DLTs:

	   etwdump --extcap-interface=etwdump --extcap-dlts

       Example output

	   dlt {number=1}{name=etwdump}{display=DLT_ETW}

       To see interface	configuration options:

	   etwdump --extcap-interface=etwdump --extcap-config

       Example output

	   arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl	file to	display	in Wireshark}{group=Capture}
	   arg {number=1}{call=--params}{display=filter	parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and	live session}{group=Capture}
	   arg {number=2}{call=--iue}{display=Should undecidable events	be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}

       To capture:

	   etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params	"--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
	   etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params	"--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"

	   Note

	   To stop capturing CTRL+C/kill/terminate the application.

SEE ALSO
       wireshark(1), tshark(1),	dumpcap(1), extcap(4)

NOTES
       etwdump is part of the Wireshark	distribution. The latest version of
       Wireshark can be	found at https://www.wireshark.org.

       HTML versions of	the Wireshark project man pages	are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS
       Original	Author
       Odysseus	Yang
       wiresharkyyh@outlook.com

				  2025-02-24			    ETWDUMP(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=etwdump&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>

home | help