2021-06-18 10:20:51 +00:00
= etwdump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
== NAME
etwdump - Provide an interface to read ETW
== SYNOPSIS
[manarg]
*etwdump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--iue*=<Should undecidable events be included> ]
[ *--etlfile*=<etl file> ]
[ *--params*=<filter parameters> ]
== DESCRIPTION

*etwdump* is an extcap tool that provides access to an etl file.
It is only used to display event traces on Windows.

== OPTIONS

--help::
+
--
Print program arguments.
--

--version::
+
--
Print program version.
--

--extcap-interfaces::
+
--
List available interfaces.
--

--extcap-interface=<interface>::
+
--
Use the specified interface.
--

--extcap-dlts::
+
--
List DLTs of the specified interface.
--

--extcap-config::
+
--
List configuration options of the specified interface.
--

--capture::
+
--
Start capturing from the specified interface and save the capture in the place specified by --fifo.
--

--fifo=<path to file or pipe>::
+
--
Save captured packets to a file or send them through a pipe.
--

--iue=<Should undecidable events be included>::
+
--
Choose whether undecidable events are included.
--

--etlfile=<etl file>::
+
--
Select the etl file to display in Wireshark.
--

--params=<filter parameters>::
+
--
Input providers, keyword and level filters for the etl file and live session.
--

== EXAMPLES

To see program arguments:

----
etwdump --help
----

To see program version:

----
etwdump --version
----

To see interfaces:

----
etwdump --extcap-interfaces
----

Example output:

----
interface {value=etwdump}{display=ETW reader}
----

To see interface DLTs:

----
etwdump --extcap-interface=etwdump --extcap-dlts
----

Example output:

----
dlt {number=1}{name=etwdump}{display=DLT_ETW}
----

To see interface configuration options:

----
etwdump --extcap-interface=etwdump --extcap-config
----

Example output:

----
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
----

To capture:

----
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
----

NOTE: To stop capturing, press CTRL+C or kill/terminate the application.

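The `--params` string in the capture example packs three kinds of filter into one argument: provider names (`--p=`), a keyword bitmask (`--k=`) and a maximum trace level (`--l=`). The following Python script is an added example and is not part of etwdump or Wireshark. It parses that string into a structured filter and evaluates whether a given event would be delivered. The token grammar is inferred from the example above, and the matching rules (provider must be enabled, event level at or below the session level, keyword must share a bit with the mask unless the event keyword is 0, mask 0 means all events) are ETW's standard session-filtering semantics, which this example assumes etwdump passes through unchanged. The `EtwFilter`, `parse_params`, `level_name` and `event_passes` names are this example's own.

```python
"""Parse and evaluate an etwdump-style --params filter string.

Added example, not part of etwdump or Wireshark. The token grammar
(--p=<provider>, --k=<keyword mask>, --l=<level>) is inferred from the
man page example; the match semantics are ETW's standard session
filtering rules and are assumed to be what the tool applies.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Standard ETW trace levels (values from the Windows event tracing API).
ETW_LEVELS = {
    0: "LogAlways",
    1: "Critical",
    2: "Error",
    3: "Warning",
    4: "Informational",
    5: "Verbose",
}

# One filter token; the grammar is assumed from the man page example.
_TOKEN = re.compile(r"^--(p|k|l)=(\S+)$")


@dataclass
class EtwFilter:
    providers: List[str] = field(default_factory=list)
    keyword: int = 0   # MatchAnyKeyword-style bitmask; 0 means "all events"
    level: int = 5     # highest level accepted; default Verbose (everything)


def parse_params(params: str) -> EtwFilter:
    """Turn '--p=A --p=B --k=0xff --l=4' into an EtwFilter.

    Raises ValueError on an unknown token, a bad level or no provider, so a
    mistyped filter fails loudly instead of silently capturing nothing or
    everything.
    """
    flt = EtwFilter()
    for token in params.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised filter token: {token!r}")
        key, value = m.groups()
        if key == "p":
            flt.providers.append(value)
        elif key == "k":
            flt.keyword = int(value, 0)  # base 0 accepts 0xff as well as 255
        else:
            level = int(value, 0)
            if level not in ETW_LEVELS:
                raise ValueError(f"level {level} is not a valid ETW level")
            flt.level = level
    if not flt.providers:
        raise ValueError("at least one --p=<provider> is required")
    return flt


def level_name(level: int) -> str:
    """Human-readable name for an ETW level."""
    return ETW_LEVELS.get(level, f"Unknown({level})")


def event_passes(flt: EtwFilter, provider: str,
                 event_keyword: int, event_level: int) -> bool:
    """Decide whether an event would be delivered under this filter.

    ETW semantics (assumed to be what etwdump applies): the provider must be
    enabled, the event level must be at or below the session level, and the
    event keyword must share at least one bit with the session mask unless
    the event keyword is 0 or the mask is 0 (both mean "always deliver").
    """
    if provider not in flt.providers:
        return False
    if event_level > flt.level:
        return False
    if event_keyword == 0 or flt.keyword == 0:
        return True
    return (event_keyword & flt.keyword) != 0


if __name__ == "__main__":
    # Constructed sample, copied from the capture example in this man page.
    sample = ("--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass "
              "--k=0xff --l=4")
    f = parse_params(sample)
    print(f"providers={f.providers} keyword=0x{f.keyword:x} "
          f"level={f.level} ({level_name(f.level)})")
```

With the example string, the filter accepts events from either provider at level Informational (4) or more severe whose keyword touches any of the low eight bits; a Verbose (5) event or one whose keyword is, say, 0x100 is dropped. Checking a filter this way before starting a capture is a cheap guard against a mask or level typo that would otherwise yield an empty trace.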
== SEE ALSO
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
== NOTES
*etwdump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
https://www.wireshark.org/docs/man-pages.
== AUTHORS
.Original Author
[%hardbreaks]
Odysseus Yang <wiresharkyyh@outlook.com>