FreeBSD Manual Pages
ETWDUMP(1) ETWDUMP(1) NAME etwdump - Provide an interface to read Event Tracing for Windows (ETW) SYNOPSIS etwdump [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --iue=<Should undecidable events be included> ] [ --etlfile=<etl file> ] [ --params=<filter parameters> ] DESCRIPTION etwdump is a extcap tool that provides access to a event trace log file or an event trace live session. It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets). OPTIONS --help Print program arguments. --version Print program version. --extcap-interfaces List available interfaces. --extcap-interface=<interface> Use specified interfaces. --extcap-dlts List DLTs of specified interface. --extcap-config List configuration options of specified interface. --capture Start capturing from specified interface save saved it in place specified by --fifo. --fifo=<path to file or pipe> Save captured packet to file or send it through pipe. --iue=<Should undecidable events be included> Choose if the undecidable event is included. --etlfile=<Etl file> Select etl file to display in Wireshark. --params=<filter parameters> Input providers, keyword and level filters for the etl file and live session. EXAMPLES To see program arguments: etwdump --help To see program version: etwdump --version To see interfaces: etwdump --extcap-interfaces Example output interface {value=etwdump}{display=ETW reader} To see interface DLTs: etwdump --extcap-interface=etwdump --extcap-dlts Example output dlt {number=1}{name=etwdump}{display=DLT_ETW} To see interface configuration options: etwdump --extcap-interface=etwdump --extcap-config Example output arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture} arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture} arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture} To capture: etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4" etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture" Note To stop capturing CTRL+C/kill/terminate the application. SEE ALSO wireshark(1), tshark(1), dumpcap(1), extcap(4) NOTES etwdump is part of the Wireshark distribution. The latest version of Wireshark can be found at https://www.wireshark.org. HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages. AUTHORS Original Author Odysseus Yang wiresharkyyh@outlook.com 2025-02-24 ETWDUMP(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | NOTES | AUTHORS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=etwdump&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>