File: //usr/share/wireshark/etwdump.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.16">
<title>etwdump(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>etwdump(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>etwdump - Provide an interface to read ETW</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>etwdump</strong></span>
<span class="nowrap">[ <strong>--help</strong> ]</span>
<span class="nowrap">[ <strong>--version</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interfaces</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-dlts</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interface</strong>=<interface> ]</span>
<span class="nowrap">[ <strong>--extcap-config</strong> ]</span>
<span class="nowrap">[ <strong>--capture</strong> ]</span>
<span class="nowrap">[ <strong>--fifo</strong>=<path to file or pipe> ]</span>
<span class="nowrap">[ <strong>--iue</strong>=<Should undecidable events be included> ]</span>
<span class="nowrap">[ <strong>--etlfile</strong>=<etl file> ]</span>
<span class="nowrap">[ <strong>--params</strong>=<filter parameters> ]</span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>etwdump</strong> is a extcap tool that provides access to a etl file.
It is only used to display event trace on Windows.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program arguments.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program version.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interfaces</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List available interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interface=<interface></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Use specified interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-dlts</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List DLTs of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-config</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List configuration options of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--capture</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Start capturing from specified interface save saved it in place specified by --fifo.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--fifo=<path to file or pipe></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Save captured packet to file or send it through pipe.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--iue=<Should undecidable events be included></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Choose if the undecidable event is included.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--etlfile=<Etl file></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Select etl file to display in Wireshark.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--params=<filter parameters></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Input providers, keyword and level filters for the etl file and live session.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_examples">EXAMPLES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To see program arguments:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --help</pre>
</div>
</div>
<div class="paragraph">
<p>To see program version:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --version</pre>
</div>
</div>
<div class="paragraph">
<p>To see interfaces:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interfaces</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>interface {value=etwdump}{display=ETW reader}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface DLTs:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface=etwdump --extcap-dlts</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>dlt {number=1}{name=etwdump}{display=DLT_ETW}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface configuration options:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface=etwdump --extcap-config</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}</pre>
</div>
</div>
<div class="paragraph">
<p>To capture:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
To stop capturing CTRL+C/kill/terminate application.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="dumpcap.html">dumpcap</a>(1), <a href="extcap.html">extcap</a>(4)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>etwdump</strong> is part of the <strong>Wireshark</strong> distribution. The latest version
of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<div class="title">Original Author</div>
<p>Odysseus Yang L<<a href="mailto:wiresharkyyh@outlook.com">wiresharkyyh@outlook.com</a>></p>
</div>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2022-03-04 16:13:20 UTC
</div>
</div>
</body>
</html>