ETWDUMP(1)                                                          ETWDUMP(1)

NAME
       etwdump - Provide an interface to read ETW

SYNOPSIS
       etwdump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --iue=<Should undecidable events be included> ]
       [ --etlfile=<etl file> ] [ --params=<filter parameters> ]

DESCRIPTION
       etwdump is an extcap tool that provides access to an ETL (Event Trace
       Log) file or to a live ETW session. It is only used to display event
       traces on Windows.

OPTIONS
       --help
              Print program arguments.

       --version
              Print program version.

       --extcap-interfaces
              List available interfaces.

       --extcap-interface=<interface>
              Use the specified interface.

       --extcap-dlts
              List DLTs of the specified interface.

       --extcap-config
              List configuration options of the specified interface.

       --capture
              Start capturing from the specified interface and save the
              result in the place specified by --fifo.

       --fifo=<path to file or pipe>
              Save captured packets to a file or send them through a pipe.

       --iue=<Should undecidable events be included>
              Choose whether undecidable events are included.

       --etlfile=<Etl file>
              Select the etl file to display in Wireshark.

       --params=<filter parameters>
              Input providers, keyword and level filters for the etl file
              and live session.
EXAMPLES
       To see program arguments:

           etwdump --help

       To see program version:

           etwdump --version

       To see interfaces:

           etwdump --extcap-interfaces

       Example output:

           interface {value=etwdump}{display=ETW reader}

       To see interface DLTs:

           etwdump --extcap-interface=etwdump --extcap-dlts

       Example output:

           dlt {number=1}{name=etwdump}{display=DLT_ETW}

       To see interface configuration options:

           etwdump --extcap-interface=etwdump --extcap-config

       Example output:

           arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
           arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
           arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}

       To capture:

           etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"

       Note: to stop capturing, use CTRL+C, or kill or terminate the
       application.

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:

       +---------------+---------------------------------------+
       |ATTRIBUTE TYPE | ATTRIBUTE VALUE                       |
       +---------------+---------------------------------------+
       |Availability   | diagnostic/wireshark/wireshark-common |
       +---------------+---------------------------------------+
       |Stability      | Uncommitted                           |
       +---------------+---------------------------------------+

SEE ALSO
       wireshark(1), tshark(1), dumpcap(1), extcap(4)

NOTES
       etwdump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.
       Source code for open source software components in Oracle Solaris
       can be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       http://www.wireshark.org/download/src/all-versions/wireshark-3.6.6.tar.xz.

       Further information about this software can be found on the open
       source community website at http://www.wireshark.org/.

AUTHORS
       Original Author
              Odysseus Yang <wiresharkyyh@outlook.com>

                                                                    ETWDUMP(1)
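The following is an added example, not part of the Wireshark man page or of etwdump itself. It parses the extcap sentences etwdump prints (the `interface`, `dlt` and `arg {key=value}...` lines shown in EXAMPLES) and composes the `--params` filter string in the `--p=<provider> --k=<keyword mask> --l=<level>` form used by the capture example above. The sample output is constructed from the man page's example output; the assumption that `--iue` is passed as a bare flag follows from its `type=boolflag` in the config output, and the 0..5 level range is the standard ETW TRACE_LEVEL range, not something the man page states.

```python
"""Parse etwdump's extcap sentences and build its --params filter string.

Added example: the SAMPLE_* strings are constructed from the man page's
example output; the --p/--k/--l grammar is taken from its capture example.
"""
import re

# Constructed sample: output of `etwdump --extcap-interfaces`.
SAMPLE_INTERFACES = "interface {value=etwdump}{display=ETW reader}\n"

# Constructed sample: output of `etwdump --extcap-interface=etwdump --extcap-config`.
SAMPLE_CONFIG = """\
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
"""

# One {key=value} field; values in extcap sentences never contain '}'.
_FIELD = re.compile(r"\{([^=}]+)=([^}]*)\}")

# Standard ETW trace levels (TRACE_LEVEL_*), assumed for --l validation.
ETW_LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error",
              3: "Warning", 4: "Informational", 5: "Verbose"}


def parse_extcap_sentences(text):
    """Turn 'keyword {k=v}{k=v}...' lines into (keyword, fields) pairs.

    Handles interface, dlt and arg sentences alike.
    """
    sentences = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        sentences.append((keyword, dict(_FIELD.findall(rest))))
    return sentences


def config_args(text):
    """Index the 'arg' sentences by their --call option name."""
    return {fields["call"]: fields
            for kw, fields in parse_extcap_sentences(text) if kw == "arg"}


def build_params(providers, keyword_mask, level):
    """Compose the --params value: one --p per provider, then --k and --l.

    Rejects an empty provider list, a keyword mask wider than 64 bits and a
    level outside 0..5, since a silently ignored filter would capture far
    more (or less) than intended.
    """
    if not providers:
        raise ValueError("at least one --p provider is required")
    if not 0 <= keyword_mask <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("keyword mask must fit in 64 bits")
    if level not in ETW_LEVELS:
        raise ValueError("level must be in 0..5")
    parts = [f"--p={p}" for p in providers]
    parts += [f"--k={keyword_mask:#x}", f"--l={level}"]
    return " ".join(parts)


def etwdump_command(fifo, providers, keyword_mask, level,
                    include_undecidable=False):
    """Build the argv for a live capture, matching the man page's example.

    Only options advertised in SAMPLE_CONFIG (plus the fixed extcap switches)
    are emitted; --iue is a bare flag because its type is boolflag.
    """
    known = config_args(SAMPLE_CONFIG)
    argv = ["etwdump", "--extcap-interface=etwdump", f"--fifo={fifo}",
            "--capture", "--params", build_params(providers, keyword_mask, level)]
    if include_undecidable:
        assert known["--iue"]["type"] == "boolflag"
        argv.append("--iue")
    return argv


if __name__ == "__main__":
    print(parse_extcap_sentences(SAMPLE_INTERFACES))
    print(etwdump_command("/tmp/etw.pcapng",
                          ["Microsoft-Windows-Wmbclass-Opn",
                           "Microsoft-Windows-wmbclass"], 0xff, 4))
```

Run on Windows, the resulting argv is what Wireshark passes to etwdump when the two providers, keyword mask 0xff and level 4 are entered in the extcap dialog; the validation in build_params is the check worth having before starting a live session, since a malformed filter otherwise only shows up as an unexpectedly empty or oversized trace.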