
How to capture etw.* data by Wireshark?


I found that there are 3 etw filters at the filter reference page: https://www.wireshark.org/docs/dfref/.... But how to capture etw data/events by Wireshark? If I can't, what do these filters do?

etw: Event Tracing for Windows (3.6.0 to 4.0.3, 25 fields)

etw.ndis: ETW Ndis (2.6.0 to 4.0.3, 95 fields)

etw.wfp_capture: ETW WFP Capture (2.6.0 to 4.0.3, 10 fields)

Huang
asked 2023-01-22 04:53:04 +0000


1 Answer

Microsoft example for etwdump external capture interface:
Analyzing Mobile Broadband Logs in Wireshark

A list of providers - logman query providers (e.g. --p=Microsoft-Windows-Kernel-EventTracing) - to make a capture.

Chuckc
answered 2023-01-22 06:01:31 +0000
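The workflow the answer points to (list providers with logman, hand a `--p=<provider>` string to the etwdump extcap) as an added PowerShell example; this is not code from the question, the answer, Microsoft or the Wireshark project. It assumes a default Wireshark install under `$env:ProgramFiles\Wireshark` (3.6 or later, which ships etwdump.exe on Windows), that etwdump accepts the standard extcap options (`--extcap-interfaces`, `--extcap-interface`, `--capture`, `--fifo`) plus `--params` and `--etlfile` as listed in its `--help` output, and that the session is elevated, since a live ETW session needs administrator rights. Confirm the option names against `etwdump.exe --help` on your own install before relying on them.

```powershell
# Added example, not from the original post or the Wireshark project.
# Assumptions: default Wireshark install path; etwdump option names as printed by
# `etwdump.exe --help`; elevated PowerShell for a live capture.
param(
    [string]$ProviderPattern = 'Microsoft-Windows-Kernel-EventTracing',  # from the answer
    [string]$EtlFile         = '',                                       # optional: convert an existing .etl instead of capturing live
    [string]$OutFile         = "$env:TEMP\etw-capture.pcapng",
    [int]$DurationSeconds    = 30
)

# 1. Enumerate ETW providers with logman (the command the answer names).
#    Each output line looks like "<Provider name>   {<GUID>}"; keep the ones that match.
$providers = logman query providers |
    Where-Object { $_ -match $ProviderPattern } |
    ForEach-Object {
        if ($_ -match '^(?<name>\S.*?)\s+\{(?<guid>[0-9A-Fa-f-]+)\}') {
            [pscustomobject]@{ Name = $Matches.name.Trim(); Guid = $Matches.guid }
        }
    }
if (-not $providers) { throw "No ETW provider matches '$ProviderPattern'." }
$providers | Format-Table -AutoSize

# 2. Locate the ETW extcap shipped with Wireshark.
$etwdump = Get-ChildItem -Path "$env:ProgramFiles\Wireshark\extcap" -Filter etwdump.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $etwdump) { throw "etwdump.exe not found; it ships with Wireshark 3.6+ on Windows." }

# A present extcap advertises itself to Wireshark; this is the same call Wireshark makes at startup.
& $etwdump --extcap-interfaces

# 3a. Offline path: decode an existing .etl trace into pcapng (no live session, no elevation needed).
if ($EtlFile) {
    & $etwdump --extcap-interface=etwdump --capture "--fifo=$OutFile" "--etlfile=$EtlFile"
}
# 3b. Live path: capture from the first matching provider for a fixed time.
#     --params carries exactly the "--p=<provider>" string shown in the answer.
else {
    $name = $providers[0].Name
    $proc = Start-Process -FilePath $etwdump -PassThru -NoNewWindow -ArgumentList @(
        '--extcap-interface=etwdump', '--capture', "--fifo=$OutFile", "--params=--p=$name"
    )
    Start-Sleep -Seconds $DurationSeconds
    if (-not $proc.HasExited) { Stop-Process -Id $proc.Id }
}

Write-Host "Output written to $OutFile; open it in Wireshark and apply the display filter 'etw'."
```

When the extcap is started from the Wireshark GUI instead, stopping the capture there ends the trace session cleanly; the script above stops the process after a fixed time, so check `logman query -ets` afterwards for a leftover session and, if you only need decoding, prefer the `-EtlFile` path, which reads a trace that was already recorded.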

Comments

Thank you.

Huang (2023-01-22 06:29:13 +0000)