How to consume real-time ETW events from the Microsoft-Windows-NDIS-PacketCapture provider?

Question

The larger question is how to consume real-time ETW network stack events in general but I\'m particularly interested in the Microsoft-Windows-NDIS-PacketCapture provider

Answer 1

Instead of running netsh trace start etc. you could try this:

net start ndiscap

When running netsh trace etc. it will do this for you, and I think that's the missing part here, that the lightweight filter driver which is injected into ndis to capture packets (i.e. the etw provider) is not running and emitting events.

When you are finished you can stop it using:

net stop ndiscap