Wireshark plugin to work with Event Tracing for Windows
Microsoft Message Analyzer is being retired and its download packages were removed from microsoft.com sites on November 25 2019.
Wireshark has built a huge library of network protocol dissectors.
The best tool for Windows would be one that can gather and mix all types of logs...
Winshark is based on a libpcap backend to capture ETW (Event Tracing for Windows), and a generator that produces a dissector for every ETW provider known to your machine.
We've added TraceLogging support to cover almost all logging techniques on the Windows operating system.
With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture ;-) No more need for an external NDIS driver.
If you want to:
Currently, you have to ask Wireshark to interpret DLT_USER 147 as ETW, because libpcap does not yet have a true value for our new data link.
We issued a pull request to have a dedicated DLT value; it is still pending.
To do that, open the Preferences tab under the Edit panel, select the DLT_USER protocol and edit the encapsulations table:
DLT = 147 :
Winshark is powered by

```
git clone https://github.com/airbus-cert/winshark --recursive
mkdir build_winshark
cd build_winshark
cmake ..\Winshark
cmake --build . --target package --config release
```
To better understand how Winshark works, we need to understand how ETW works first.
ETW is split into three parts: providers, sessions and consumers.
There are many different kinds of providers. The most common, and most usable, are registered providers. A registered provider, or manifest-based provider, is recorded under the registry key
This key links a provider ID to a DLL. The manifest is embedded in the associated DLL as a resource named
You can list all providers registered on your machine using:

```
logman query providers
```
You can also list all providers bound by a particular process:

```
logman query providers -pid 1234
```
Sessions are created to collect logs from more than one provider.
You can create your own session using:

```
logman start MySession -p "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" -ets -rt
logman update MySession -p "Microsoft-Windows-NDIS-PacketCapture" -ets -rt
```

You can list all active sessions from an admin command line:

```
logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
...
EventLog-Application                    Trace                         Running
EventLog-Microsoft-Windows-Sysmon-Operational Trace                   Running
EventLog-System                         Trace                         Running
...
The command completed successfully.
```

You can see here some interesting sessions used by the event logger to capture logs from the Application and System channels and from Sysmon.
A consumer is a simple program that reads logs from a session. Well-known consumers are:
Winshark is a simple ETW consumer. The real underlying consumer is libpcap (wpcap.dll on Windows), which is used by dumpcap.exe, the process in charge of packet capture.
Wireshark is split into three parts (yes, it too):
- Wireshark.exe, which is in charge of parsing and dissecting protocols
- dumpcap.exe, which is in charge of capturing packets
- libpcap (wpcap.dll), which is in charge of interfacing between dumpcap.exe and the operating system
Winshark takes place in the first and last parts. It implements a backend for libpcap to capture ETW events.
Winshark works on ETW sessions; this is why you can select an ETW session instead of a network interface when starting a capture.
It also generates Lua dissectors for each manifest-based provider registered on your computer during the installation step.
Winshark is also able to parse TraceLogging-based providers.
To capture network traffic using Winshark, simply activate network tracing through netsh:

```
netsh.exe trace start capture=yes report=no correlation=no
```

And then create an ETW session associated with the Microsoft-Windows-NDIS-PacketCapture provider:

```
logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets
```

Then start Wireshark with administrator privileges and select the Winshark-PacketCapture session.
That will start the packet capture:
ETW marks each packet with a header that carries some metadata about the sender.
One of these fields is the Process ID of the emitter. This is a huge improvement over a classic packet capture from an NDIS driver.
Simply fill the filter field of Wireshark with the following expression:

```
etw.header.ProcessId == 1234
```
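As an added illustration (not code from the Winshark project), the following Python parses the documented Windows EVENT_HEADER structure (evntcons.h) that every ETW event record begins with, and reproduces the `etw.header.ProcessId == 1234` filter above over constructed records. It assumes each captured record starts with a verbatim EVENT_HEADER followed by the event's user data; the exact framing Winshark writes into its DLT_USER packets is not stated on this page, so that framing, the helper names and the sample provider GUID are assumptions of this example.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List

# Windows EVENT_HEADER (evntcons.h), 80 bytes, little-endian:
#   Size, HeaderType, Flags, EventProperty   (u16 each)
#   ThreadId, ProcessId                      (u32 each)
#   TimeStamp                                (i64, LARGE_INTEGER)
#   ProviderId                               (GUID, 16 bytes)
#   EVENT_DESCRIPTOR: Id u16, Version/Channel/Level/Opcode u8, Task u16, Keyword u64
#   KernelTime, UserTime                     (u32 each)
#   ActivityId                               (GUID, 16 bytes)
EVENT_HEADER_FMT = "<HHHHIIq16sHBBBBHQII16s"
EVENT_HEADER_SIZE = struct.calcsize(EVENT_HEADER_FMT)  # 80


@dataclass
class EtwEvent:
    process_id: int
    thread_id: int
    provider_id: uuid.UUID
    event_id: int
    level: int
    keyword: int
    user_data: bytes


def parse_etw_record(packet: bytes) -> EtwEvent:
    """Parse one record assumed to be EVENT_HEADER + user data (framing is an assumption)."""
    if len(packet) < EVENT_HEADER_SIZE:
        raise ValueError(f"record too short for an EVENT_HEADER: {len(packet)} bytes")
    (_size, _hdr_type, _flags, _prop, thread_id, process_id, _timestamp,
     provider_raw, event_id, _version, _channel, level, _opcode, _task, keyword,
     _kernel_time, _user_time, _activity_raw) = struct.unpack_from(EVENT_HEADER_FMT, packet)
    return EtwEvent(
        process_id=process_id,
        thread_id=thread_id,
        provider_id=uuid.UUID(bytes_le=provider_raw),  # GUID fields are stored little-endian
        event_id=event_id,
        level=level,
        keyword=keyword,
        user_data=packet[EVENT_HEADER_SIZE:],
    )


def build_etw_record(process_id: int, thread_id: int, provider_id: uuid.UUID,
                     event_id: int, user_data: bytes, level: int = 4, keyword: int = 0) -> bytes:
    """Build a record with the same layout; used here only to construct sample input."""
    header = struct.pack(
        EVENT_HEADER_FMT,
        EVENT_HEADER_SIZE, 0, 0, 0,          # Size, HeaderType, Flags, EventProperty
        thread_id, process_id, 0,            # ThreadId, ProcessId, TimeStamp
        provider_id.bytes_le,                # ProviderId
        event_id, 0, 0, level, 0, 0, keyword,  # EVENT_DESCRIPTOR
        0, 0,                                # KernelTime, UserTime
        uuid.UUID(int=0).bytes_le,           # ActivityId
    )
    return header + user_data


def filter_by_process(records: List[bytes], pid: int) -> List[EtwEvent]:
    """Equivalent of the Wireshark display filter etw.header.ProcessId == <pid>."""
    return [ev for ev in map(parse_etw_record, records) if ev.process_id == pid]


# Constructed sample data: a placeholder provider GUID (not a real provider) and
# three records from two processes, so the filter has something to keep and drop.
SAMPLE_PROVIDER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_RECORDS = [
    build_etw_record(1234, 100, SAMPLE_PROVIDER, 1001, b"GET / HTTP/1.1\r\n"),
    build_etw_record(4321, 200, SAMPLE_PROVIDER, 1001, b"HTTP/1.1 200 OK\r\n"),
    build_etw_record(1234, 101, SAMPLE_PROVIDER, 1002, b"POST /login HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for ev in filter_by_process(SAMPLE_RECORDS, 1234):
        print(f"pid={ev.process_id} tid={ev.thread_id} event={ev.event_id} "
              f"provider={ev.provider_id} data={ev.user_data!r}")
```

The GUID is decoded with `bytes_le` because the first three GUID fields are stored little-endian on Windows; decoding them big-endian silently yields a provider ID that matches no manifest, which is the kind of mismatch a generated dissector would otherwise report as an unknown provider.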
```
bcdedit /set testsigning on
```

Winshark dissector by double clicking

```
sc start NpEtw
```

```
logman start namedpipe -p NpEtw -ets -rt
```

Wireshark and select the
This project is part of a presentation made for SSTIC