From 36e834b6b7996f75097505e88c6de5bafd42248a Mon Sep 17 00:00:00 2001 From: Odysseus Yang Date: Thu, 13 Jan 2022 10:54:01 -0800 Subject: ETW: Extract IP packets from Windows event trace With this change, Wireshark will be enhanced to display IP packets from an event trace logfile or an event trace live session. --- doc/etwdump.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/etwdump.adoc b/doc/etwdump.adoc index 0ceba79e4c..f386c95e61 100644 --- a/doc/etwdump.adoc +++ b/doc/etwdump.adoc @@ -27,8 +27,8 @@ etwdump - Provide an interface to read Event Tracing for Windows (ETW) == DESCRIPTION -*etwdump* is a extcap tool that provides access to a etl file. -It is only used to display event traces on Windows. +*etwdump* is a extcap tool that provides access to a event trace log file or an event trace live session. +It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets). == OPTIONS @@ -134,6 +134,7 @@ To see interface configuration options: To capture: etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4" + etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture" NOTE: To stop capturing CTRL+C/kill/terminate the application. -- cgit v1.2.3
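Review bot: In the DESCRIPTION hunk, the two replacement lines have article and number errors that the old text also had and that this rewrite would be the right place to fix: "a extcap tool" and "a event trace log file" should read "an extcap tool" and "an event trace log file", and "display event trace on Windows that includes readable text message" reads as if the trace, not the tool, is what includes the message. Suggest:

*etwdump* is an extcap tool that provides access to an event trace log file or an event trace live session.
It is only used on Windows, to display event traces that contain readable text messages or packets of supported protocols (such as MBIM and IP).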
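Review bot: In the EXAMPLES hunk, the new command line is added directly under the existing "To capture:" heading with nothing telling the reader what it captures or how it differs from the line above it, and it drops the "--k=0xff --l=4" keyword and level parameters that the first example passes. Either give it its own one-line heading in the same style as the surrounding examples (for instance "To capture IP packets from the Microsoft-Windows-NDIS-PacketCapture provider:"), or append a sentence stating that the keyword and level defaults are sufficient for that provider; if they are not, the example should carry explicit "--k" and "--l" values so a copy-and-paste of it produces packets.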