R0 CREW

Winshark is a wireshark plugin to work with Event Tracing for Windows

Winshark is based on a libpcap backend to capture ETW (Event tracing for Windows), and a generator that will produce all dissectors for known ETW providers on your machine. We’ve added Tracelogging support to cover almost all log techniques on the Windows Operating System.

With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture. No more need for an external NDIS driver.

This is a huge improvement in terms of use:

  • Enable to mix all kind of events (system and network)
  • Enable to use Wireshark filtering on event log
  • Enable to track network and system logs by Process ID!!!
  • Enable to capture Windows log and network trace into an unique pcap file!!!
  • Capture NamedPipe through NpEtw file system filter driver

If you want to:

Example

You can capture process-id and thread-id for each packet with Winshark, a Wireshark extension.

image