forked from osmocom/wireshark
158 lines
3.4 KiB
Plaintext
158 lines
3.4 KiB
Plaintext
include::../docbook/attributes.adoc[]
|
|
= etwdump(1)
|
|
:doctype: manpage
|
|
:stylesheet: ws.css
|
|
:linkcss:
|
|
:copycss: ../docbook/{stylesheet}
|
|
|
|
== NAME
|
|
|
|
etwdump - Provide an interface to read Event Tracing for Windows (ETW)
|
|
|
|
== SYNOPSIS
|
|
|
|
[manarg]
|
|
*etwdump*
|
|
[ *--help* ]
|
|
[ *--version* ]
|
|
[ *--extcap-interfaces* ]
|
|
[ *--extcap-dlts* ]
|
|
[ *--extcap-interface*=<interface> ]
|
|
[ *--extcap-config* ]
|
|
[ *--capture* ]
|
|
[ *--fifo*=<path to file or pipe> ]
|
|
[ *--iue*=<Should undecidable events be included> ]
|
|
[ *--etlfile*=<etl file> ]
|
|
[ *--params*=<filter parameters> ]
|
|
|
|
== DESCRIPTION
|
|
|
|
*etwdump* is a extcap tool that provides access to a event trace log file or an event trace live session.
|
|
It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets).
|
|
|
|
== OPTIONS
|
|
|
|
--help::
|
|
+
|
|
--
|
|
Print program arguments.
|
|
--
|
|
|
|
--version::
|
|
+
|
|
--
|
|
Print program version.
|
|
--
|
|
|
|
--extcap-interfaces::
|
|
+
|
|
--
|
|
List available interfaces.
|
|
--
|
|
|
|
--extcap-interface=<interface>::
|
|
+
|
|
--
|
|
Use specified interfaces.
|
|
--
|
|
|
|
--extcap-dlts::
|
|
+
|
|
--
|
|
List DLTs of specified interface.
|
|
--
|
|
|
|
--extcap-config::
|
|
+
|
|
--
|
|
List configuration options of specified interface.
|
|
--
|
|
|
|
--capture::
|
|
+
|
|
--
|
|
Start capturing from specified interface save saved it in place specified by --fifo.
|
|
--
|
|
|
|
--fifo=<path to file or pipe>::
|
|
+
|
|
--
|
|
Save captured packet to file or send it through pipe.
|
|
--
|
|
|
|
--iue=<Should undecidable events be included>::
|
|
+
|
|
--
|
|
Choose if the undecidable event is included.
|
|
--
|
|
|
|
--etlfile=<Etl file>::
|
|
+
|
|
--
|
|
Select etl file to display in Wireshark.
|
|
--
|
|
|
|
--params=<filter parameters>::
|
|
+
|
|
--
|
|
Input providers, keyword and level filters for the etl file and live session.
|
|
--
|
|
|
|
== EXAMPLES
|
|
|
|
To see program arguments:
|
|
|
|
etwdump --help
|
|
|
|
To see program version:
|
|
|
|
etwdump --version
|
|
|
|
To see interfaces:
|
|
|
|
etwdump --extcap-interfaces
|
|
|
|
.Example output
|
|
interface {value=etwdump}{display=ETW reader}
|
|
|
|
To see interface DLTs:
|
|
|
|
etwdump --extcap-interface=etwdump --extcap-dlts
|
|
|
|
.Example output
|
|
dlt {number=1}{name=etwdump}{display=DLT_ETW}
|
|
|
|
To see interface configuration options:
|
|
|
|
etwdump --extcap-interface=etwdump --extcap-config
|
|
|
|
.Example output
|
|
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
|
|
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
|
|
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
|
|
|
|
To capture:
|
|
|
|
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
|
|
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"
|
|
|
|
NOTE: To stop capturing CTRL+C/kill/terminate the application.
|
|
|
|
== SEE ALSO
|
|
|
|
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
|
|
|
|
== NOTES
|
|
|
|
*etwdump* is part of the *Wireshark* distribution. The latest version
|
|
of *Wireshark* can be found at https://www.wireshark.org.
|
|
|
|
HTML versions of the Wireshark project man pages are available at
|
|
https://www.wireshark.org/docs/man-pages.
|
|
|
|
== AUTHORS
|
|
|
|
.Original Author
|
|
[%hardbreaks]
|
|
Odysseus Yang L<wiresharkyyh@outlook.com>
|