Diffstat (limited to 'doc/etwdump.adoc')
-rw-r--r-- | doc/etwdump.adoc | 46 |
1 files changed, 7 insertions, 39 deletions
diff --git a/doc/etwdump.adoc b/doc/etwdump.adoc index 92fa2ae83e..4798c54930 100644 --- a/doc/etwdump.adoc +++ b/doc/etwdump.adoc @@ -1,4 +1,4 @@ -include::../docbook/attributes.adoc[] +include::attributes.adoc[] = etwdump(1) :doctype: manpage :stylesheet: ws.css @@ -7,7 +7,7 @@ include::../docbook/attributes.adoc[] == NAME -etwdump - Provide an interface to read ETW +etwdump - Provide an interface to read Event Tracing for Windows (ETW) == SYNOPSIS @@ -27,76 +27,43 @@ etwdump - Provide an interface to read ETW == DESCRIPTION -*etwdump* is a extcap tool that provides access to a etl file. -It is only used to display event trace on Windows. +*etwdump* is a extcap tool that provides access to a event trace log file or an event trace live session. +It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets). == OPTIONS --help:: -+ --- Print program arguments. --- --version:: -+ --- Print program version. --- --extcap-interfaces:: -+ --- List available interfaces. --- --extcap-interface=<interface>:: -+ --- Use specified interfaces. --- --extcap-dlts:: -+ --- List DLTs of specified interface. --- --extcap-config:: -+ --- List configuration options of specified interface. --- --capture:: -+ --- Start capturing from specified interface save saved it in place specified by --fifo. --- --fifo=<path to file or pipe>:: -+ --- Save captured packet to file or send it through pipe. --- --iue=<Should undecidable events be included>:: -+ --- Choose if the undecidable event is included. --- --etlfile=<Etl file>:: -+ --- Select etl file to display in Wireshark. --- --params=<filter parameters>:: -+ --- Input providers, keyword and level filters for the etl file and live session. --- == EXAMPLES 
@@ -134,8 +101,9 @@ To see interface configuration options: To capture: etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4" + etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture" -NOTE: To stop capturing CTRL+C/kill/terminate application. +NOTE: To stop capturing CTRL+C/kill/terminate the application. == SEE ALSO @@ -153,4 +121,4 @@ https://www.wireshark.org/docs/man-pages. .Original Author [%hardbreaks] -Odysseus Yang L<wiresharkyyh@outlook.com> +Odysseus Yang <wiresharkyyh@outlook.com> |
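Review bot: the DESCRIPTION/OPTIONS hunk (`@@ -27,76 +27,43 @@`) deletes the entire `== OPTIONS` section, including the etwdump-specific `--iue`, `--etlfile` and `--params` entries, while the EXAMPLES section that follows still invokes `--params "--p=... --k=0xff --l=4"`, so the man page no longer documents the provider (`--p`), keyword (`--k`) and level (`--l`) filter syntax or what `--iue` controls. Either keep those three entries (the generic extcap options such as `--extcap-interfaces` and `--extcap-dlts` are the ones that could reasonably move to a shared include) or state in the commit where that option documentation now lives. In the same hunk the new DESCRIPTION text has article errors: `*etwdump* is a extcap tool that provides access to a event trace log file` should read `an extcap tool ... an event trace log file`, and the second sentence reads more clearly as `It is only used on Windows to display event traces that include readable text messages and various protocols (such as MBIM and IP packets).`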
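Review bot: the second capture example added in the EXAMPLES hunk (`@@ -134,8 +101,9 @@`) has no accompanying text explaining how it differs from the first, which additionally passes `--k=0xff --l=4`; a one-line caption before each command (MBIM events with keyword and level filters versus NDIS packet capture with no keyword or level filter) would make the pair instructive rather than repetitive. Both examples also write to `--fifo=/tmp/etw.pcapng` even though the DESCRIPTION says the tool is only used on Windows, so a Windows-style path or named pipe would better match the documented platform.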