=begin man

=encoding utf8

=end man

=head1 NAME

etwdump - Provide an interface to read ETW

=head1 SYNOPSIS

B<etwdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--iue>=E<lt>Should undecidable events be includedE<gt> ]>
S<[ B<--etlfile>=E<lt>etl fileE<gt> ]>
S<[ B<--params>=E<lt>filter parametersE<gt> ]>

=head1 DESCRIPTION

B<etwdump> is a extcap tool that provides access to a etl file.
It is only used to display event trace on Windows.

=head1 OPTIONS

=over 4

=item --help

Print program arguments.

=item --version

Print program version.

=item --extcap-interfaces

List available interfaces.

=item --extcap-interface=E<lt>interfaceE<gt>

Use specified interfaces.

=item --extcap-dlts

List DLTs of specified interface.

=item --extcap-config

List configuration options of specified interface.

=item --capture

Start capturing from specified interface save saved it in place specified by --fifo.

=item --fifo=E<lt>path to file or pipeE<gt>

Save captured packet to file or send it through pipe.

=item --iue=E<lt>Should undecidable events be includedE<gt>

Choose if the undecidable event is included.

=item --etlfile=E<lt>Etl fileE<gt>

Select etl file to display in Wireshark.

=item --params=E<lt>filter parametersE<gt>

Input providers, keyword and level filters for the etl file and live session.

=back

=head1 EXAMPLES

To see program arguments:

    etwdump --help

To see program version:

    etwdump --version

To see interfaces:

    etwdump --extcap-interfaces

  Example output:
    interface {value=etwdump}{display=ETW reader}

To see interface DLTs:

    etwdump --extcap-interface=etwdump --extcap-dlts

  Example output:
    dlt {number=1}{name=etwdump}{display=DLT_ETW}

To see interface configuration options:

    etwdump --extcap-interface=etwdump --extcap-config

  Example output:
    arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
    arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
    arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}

To capture:

    etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"

NOTE: To stop capturing CTRL+C/kill/terminate application.

=head1 SEE ALSO

wireshark(1), tshark(1), dumpcap(1), extcap(4)

=head1 NOTES

B<etwdump> is part of the B<Wireshark> distribution.  The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

  Original Author
  ---------------
  Odysseus Yang             L<wiresharkyyh@outlook.com>