How to consume real-time ETW events from the Microsoft-Windows-NDIS-PacketCapture provider?

Question

The larger question is how to consume real-time ETW network stack events in general but I\'m particularly interested in the Microsoft-Windows-NDIS-PacketCapture provider

Answer 1

If you look into what the "netsh trace" commands do internally you'll see they attach an NDIS lightweight filter driver to the various network interfaces. Only with this filter attached and activated will you get events from this provider. The details of this facility are undocumented and subject to change. All the logic of the netsh trace commands is implemented in nettrace.dll which you can reverse engineer with the assistance of Microsoft's public symbols. Specifically, the CInboxCapture class has code which determines whether the driver has been started, binds it to appropriate network interfaces and starts it. If you start the capturing filter driver the way nettrace.dll does, you'll get your packet capture events.

Good luck.

Answer 2

Instead of running netsh trace start etc. you could try this:

net start ndiscap

When running netsh trace etc. it will do this for you, and I think that's the missing part here, that the lightweight filter driver which is injected into ndis to capture packets (i.e. the etw provider) is not running and emitting events.

When you are finished you can stop it using:

net stop ndiscap

Answer 3

For what it's worth, I did find one example of a real-time ETW consumer (the example is for IIS web server): http://blogs.iis.net/eokim/archive/2009/05/15/consume-iis-etw-tracing.aspx

Answer 4

Here's a commented c++ example application that demonstrates simultaneous real-time ETW sessions for packet capture and kernel events.

https://github.com/packetzero/etwrealtime