Wireshark mailing list archives

Re: Improving Network Monitor (and Message Analyzer) dissection supp


From: Michael Mann via Wireshark-dev <wireshark-dev () wireshark org>
Date: Tue, 12 Sep 2017 07:30:42 -0400



Yes that specific message type should work and you should get at least partial dissection.  The NetEvent structure 
contains the "ProviderID" which is the payload of the NetEvent.  Looking at the NPL source there are over 100 different 
ProviderIDs, so not all have been implemented in Wireshark, but hopefully I got a few of the popular ones.
If you have a capture file (.cap) that can't be read by Wireshark (or you want more ProviderIDs dissected), open a bug 
report in Bugzilla (https://bugs.wireshark.org) and attach the capture.
 
 
-----Original Message-----
From: Christopher Smith <Christopher.Smith () au gt com>
To: wireshark-dev <wireshark-dev () wireshark org>
Sent: Tue, Sep 12, 2017 2:18 am
Subject: Re: [Wireshark-dev] Improving Network Monitor (and Message Analyzer) dissection supp



For Michael Mann, thanks for your message dated “Sat, 9 Sep 2017 11:30:31 -0400” – and does it work for you now?  
Opening a *.cap exported out from – say – Message Analyzer?  Specifically, Media Type = “ETW provider message 
(NetEvent)”, Value = “0xFFe0”
 
https://technet.microsoft.com/en-us/library/mt146756.aspx






___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
