seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/etwdump.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>etwdump(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>etwdump(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>etwdump - Provide an interface to read Event Tracing for Windows (ETW)</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>etwdump</strong></span>
<span class="nowrap">[ <strong>--help</strong> ]</span>
<span class="nowrap">[ <strong>--version</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interfaces</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-dlts</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interface</strong>=&lt;interface&gt; ]</span>
<span class="nowrap">[ <strong>--extcap-config</strong> ]</span>
<span class="nowrap">[ <strong>--capture</strong> ]</span>
<span class="nowrap">[ <strong>--fifo</strong>=&lt;path to file or pipe&gt; ]</span>
<span class="nowrap">[ <strong>--iue</strong>=&lt;Should undecidable events be included&gt; ]</span>
<span class="nowrap">[ <strong>--etlfile</strong>=&lt;etl file&gt; ]</span>
<span class="nowrap">[ <strong>--params</strong>=&lt;filter parameters&gt; ]</span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>etwdump</strong> is a extcap tool that provides access to a event trace log file or an event trace live session.
It is only used to display event trace on Windows that includes readable text message and different protocols (like MBIM and IP packets).</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program arguments.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program version.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interfaces</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List available interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interface=&lt;interface&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Use specified interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-dlts</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List DLTs of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-config</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List configuration options of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--capture</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Start capturing from specified interface save saved it in place specified by --fifo.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--fifo=&lt;path to file or pipe&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Save captured packet to file or send it through pipe.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--iue=&lt;Should undecidable events be included&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Choose if the undecidable event is included.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--etlfile=&lt;Etl file&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Select etl file to display in Wireshark.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--params=&lt;filter parameters&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Input providers, keyword and level filters for the etl file and live session.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_examples">EXAMPLES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To see program arguments:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --help</pre>
</div>
</div>
<div class="paragraph">
<p>To see program version:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --version</pre>
</div>
</div>
<div class="paragraph">
<p>To see interfaces:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interfaces</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>interface {value=etwdump}{display=ETW reader}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface DLTs:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface=etwdump --extcap-dlts</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>dlt {number=1}{name=etwdump}{display=DLT_ETW}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface configuration options:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface=etwdump --extcap-config</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>arg {number=0}{call=--etlfile}{display=etl file}{type=fileselect}{tooltip=Select etl file to display in Wireshark}{group=Capture}
arg {number=1}{call=--params}{display=filter parmeters}{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}
arg {number=2}{call=--iue}{display=Should undecidable events be included}{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}</pre>
</div>
</div>
<div class="paragraph">
<p>To capture:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-wmbclass --k=0xff --l=4"
etwdump --extcap-interface etwdump --fifo=/tmp/etw.pcapng --capture --params "--p=Microsoft-Windows-Wmbclass-Opn --p=Microsoft-Windows-NDIS-PacketCapture"</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
To stop capturing CTRL+C/kill/terminate the application.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="dumpcap.html">dumpcap</a>(1), <a href="extcap.html">extcap</a>(4)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>etwdump</strong> is part of the <strong>Wireshark</strong> distribution.  The latest version
of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<div class="title">Original Author</div>
<p>Odysseus Yang &lt;<a href="mailto:wiresharkyyh@outlook.com">wiresharkyyh@outlook.com</a>&gt;</p>
</div>
</div>
</div>
</div>
</body>
</html>