Wireshark plugin to work with Event Tracing for Windows

Microsoft Message Analyzer is being retired and its download packages were removed from microsoft.com sites on November 25, 2019. Wireshark has built a huge library of network protocol dissectors. The best tool for Windows would be one that can gather and mix all types of logs…

Welcome Winshark!!!

Winshark is based on a libpcap backend to capture ETW (Event tracing for Windows), and a generator that will produce all dissectors for known ETW providers on your machine. We’ve added Tracelogging support to cover almost all log techniques on the Windows Operating System.

With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture 😉 No more need for an external NDIS driver.

This is a huge improvement in terms of use:

  • Mix all kinds of events (system and network)
  • Use Wireshark filtering on event logs
  • Track network and system logs by Process ID!!!
  • Capture Windows logs and network traces into a single pcap file!!!
  • Capture NamedPipe traffic through the NpEtw file system filter driver

If you want to:

Wireshark before. Then just install Winshark.

Currently, you have to ask Wireshark to interpret DLT_USER 147 as ETW, because libpcap has not yet assigned a real value for our new data link. We issued a pull request to get a dedicated DLT value; it is still pending. To do that, open Edit > Preferences, select DLT_USER under Protocols and edit the encapsulations table:

and set etw for DLT = 147:

Enjoy!

WPP or TraceLogging logs.

That will start the packet capture:

Filtering on the process ID

ETW marks each packet with a header carrying metadata about the sender, including the Process ID of the emitter. This is a huge improvement over a classic packet capture from an NDIS driver. Simply fill Wireshark's filter field with the following expression:

etw.header.ProcessId == 1234
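As an added example (not code from the Winshark project), the script below covers both steps above from the command line: it reads the link type out of a pcap global header, recognises the DLT_USER range (147..162) that Wireshark cannot dissect without a mapping, and assembles the tshark arguments that fill the same DLT_USER encapsulation table as the GUI dialog and apply the ProcessId display filter. The pcap header layout follows the libpcap file format and the `-o uat:user_dlts:` syntax is documented tshark behaviour; the two sample headers are constructed here, and `tshark_command` is a hypothetical helper name.

```python
"""Detect a Winshark-style pcap (DLT_USER 147) and build the matching tshark
options.  Added example, not part of Winshark; sample headers are constructed."""
import struct
from typing import List, Optional

# Classic pcap magic numbers, mapped to the struct byte-order prefix to use.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
DLT_USER0 = 147        # first of the 16 private DLT_USERn values (147..162)
WINSHARK_DLT = 147     # value Winshark currently asks Wireshark to treat as ETW

def pcap_linktype(data: bytes) -> Optional[int]:
    """Return the link-layer type from a classic pcap global header, or None
    when the 24-byte header is missing or the magic is unknown (e.g. pcapng)."""
    if len(data) < 24:
        return None
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        return None
    # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
    fields = struct.unpack(endian + "IHHiIII", data[:24])
    return fields[6]

def is_user_dlt(linktype: int) -> bool:
    """True for DLT_USER0..DLT_USER15, which need an encapsulation mapping."""
    return DLT_USER0 <= linktype <= DLT_USER0 + 15

def user_dlt_option(dlt: int, protocol: str) -> str:
    """Build the tshark -o value that fills one row of the DLT_USER table
    (Edit > Preferences > Protocols > DLT_USER in the GUI).  Columns are:
    name, payload protocol, header size, header protocol, trailer size,
    trailer protocol."""
    if not is_user_dlt(dlt):
        raise ValueError(f"{dlt} is not a DLT_USER value")
    index = dlt - DLT_USER0
    return f'uat:user_dlts:"User {index} (DLT={dlt})","{protocol}","0","","0",""'

def tshark_command(pcap_path: str, pid: Optional[int] = None) -> List[str]:
    """Assemble a tshark argv that maps DLT 147 to etw and, when a pid is
    given, keeps only events emitted by that process (the page's filter)."""
    argv = ["tshark", "-r", pcap_path, "-o", user_dlt_option(WINSHARK_DLT, "etw")]
    if pid is not None:
        argv += ["-Y", f"etw.header.ProcessId == {pid}"]
    return argv

# Constructed sample headers: one Winshark-style capture, one plain Ethernet.
SAMPLE_WINSHARK_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, WINSHARK_DLT)
SAMPLE_ETHERNET_HEADER = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for name, header in (("winshark", SAMPLE_WINSHARK_HEADER), ("ethernet", SAMPLE_ETHERNET_HEADER)):
        lt = pcap_linktype(header)
        print(name, "linktype", lt, "needs DLT_USER mapping:", is_user_dlt(lt))
    print(" ".join(tshark_command("trace.pcap", pid=1234)))
```

The `-o` form is handy when a capture has to be triaged on a machine without the GUI profile, and it also makes the mapping explicit in scripts instead of relying on a per-user preference that is easy to forget.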

Capturing NamedPipe

@kobykahane provides a file system filter driver that emits an ETW event for every action performed on a NamedPipe.

  • Install NpEtwSetup.msi
  • Reboot
  • Update the Winshark dissectors by double-clicking C:\Program Files\Wireshark\Winshark\Update.bat with Admin rights

SSTIC (Symposium sur la sécurité des technologies de l’information et des communications)

This project is part of a presentation made for SSTIC.

https://github.com/airbus-cert/Winshark