SYNOPSIS
etwdump [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --iue=<Should undecidable events be included> ] [ --etlfile=<etl file> ] [ --params=<filter parameters> ]
DESCRIPTION
etwdump is a extcap tool that provides access to a etl file. It is only used to display event trace on Windows.
OPTIONS
- --help
- 
Print program arguments. 
- --version
- 
Print program version. 
- --extcap-interfaces
- 
List available interfaces. 
- --extcap-interface=<interface>
- 
Use specified interfaces. 
- --extcap-dlts
- 
List DLTs of specified interface. 
- --extcap-config
- 
List configuration options of specified interface. 
- --capture
- 
Start capturing from specified interface save saved it in place specified by --fifo. 
- --fifo=<path to file or pipe>
- 
Save captured packet to file or send it through pipe. 
- --iue=<Should undecidable events be included>
- 
Choose if the undecidable event is included. 
- --etlfile=<Etl file>
- 
Select etl file to display in Wireshark. 
- --params=<filter parameters>
- 
Input providers, keyword and level filters for the etl file and live session. 
EXAMPLES
To see program arguments:
etwdump --help
To see program version:
etwdump --version
To see interfaces:
etwdump --extcap-interfaces
interface {value=etwdump}{display=ETW reader}
To see interface DLTs:
etwdump --extcap-interface=etwdump --extcap-dlts
dlt {number=1}{name=etwdump}{display=DLT_ETW}
To see interface configuration options:
etwdump --extcap-interface=etwdump --extcap-config
arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}
To capture:
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
| Note | To stop capturing CTRL+C/kill/terminate application. | 
NOTES
etwdump is part of the Wireshark distribution. The latest version of Wireshark can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages.
AUTHORS
Odysseus Yang L<wiresharkyyh@outlook.com>