author: Odysseus Yang <wiresharkyyh@outlook.com> 2022-01-13 10:54:01 -0800
committer: A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> 2022-05-05 13:35:47 +0000
commit: 36e834b6b7996f75097505e88c6de5bafd42248a
tree: 37eacac14755666088ac08a2529edb1300985e3d /doc
parent: 0f5025eae44d14dc39b69d1ea47f6ea96d46e332
ETW: Extract IP packets from Windows event trace
With this change, Wireshark will be enhanced to display IP packets from an event trace logfile or an event trace live session.
Diffstat (limited to 'doc')
-rw-r--r-- doc/etwdump.adoc 5
1 file changed, 3 insertions, 2 deletions
diff --git a/doc/etwdump.adoc b/doc/etwdump.adoc
index 0ceba79e4c..f386c95e61 100644
--- a/doc/etwdump.adoc
+++ b/doc/etwdump.adoc
@@ -27,8 +27,8 @@ etwdump - Provide an interface to read Event Tracing for Windows (ETW)
== DESCRIPTION
-*etwdump* is a extcap tool that provides access to a etl file.
-It is only used to display event traces on Windows.
+*etwdump* is a extcap tool that provides access to a event trace log file or an event trace live session.
+It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets).
== OPTIONS
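Review bot: the two replacement description lines in this hunk carry article and number errors that should be fixed before merge: `*etwdump* is a extcap tool that provides access to a event trace log file` should read `an extcap tool` and `an event trace log file`, and `display event trace on Windows that includes readable text message and different protocols` should read `display event traces on Windows that include readable text messages and different protocols`. The phrase `It is only used to display event trace on Windows` is also ambiguous between "the tool runs only on Windows" and "it only displays Windows-originated traces"; stating plainly that etwdump runs only on Windows and reads either an ETL file or a live ETW session, with MBIM and IP packets named as the decoded payload types, would match the commit message and remove the ambiguity.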
@@ -134,6 +134,7 @@ To see interface configuration options:
To capture:
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
+ etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"
NOTE: To stop capturing CTRL+C/kill/terminate the application.
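Review bot: the new example command line in this hunk is added with no text saying what it captures. The only differences from the existing example are the `--p=Microsoft-Windows-NDIS-PacketCapture` provider and the dropped `--k=0xff --l=4` keyword and level filters, and the commit message says the change is about extracting IP packets, so a short lead-in before the new line (for example "To capture IP packets from the NDIS packet capture provider:") would document the intent, and the text should state what keyword and level are used when `--k` and `--l` are omitted. The new line also copies the Unix-style `--fifo=/tmp/etw.pcapng` from the existing example even though the DESCRIPTION says the tool is Windows-only; since Wireshark supplies the fifo path when it launches an extcap, either a Windows-style path or a note that the path is provided by Wireshark would avoid misleading readers who try the command by hand.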