How to consume real-time ETW events from the Microsoft-Windows-NDIS-PacketCapture provider?

Question

The larger question is how to consume real-time ETW network stack events in general but I\'m particularly interested in the Microsoft-Windows-NDIS-PacketCapture provider

Answer 1

If you look into what the "netsh trace" commands do internally you'll see they attach an NDIS lightweight filter driver to the various network interfaces. Only with this filter attached and activated will you get events from this provider. The details of this facility are undocumented and subject to change. All the logic of the netsh trace commands is implemented in nettrace.dll which you can reverse engineer with the assistance of Microsoft's public symbols. Specifically, the CInboxCapture class has code which determines whether the driver has been started, binds it to appropriate network interfaces and starts it. If you start the capturing filter driver the way nettrace.dll does, you'll get your packet capture events.

Good luck.