Winshark: wireshark plugin to instrument ETW
Winshark
Wireshark plugin to work with Event Tracing for Windows
Microsoft Message Analyzer is being retired and its download packages were removed from microsoft.com sites on November 25, 2019. Wireshark has built a huge library of network protocol dissectors. The best tool for Windows would be one that can gather and mix all types of logs…
Winshark is based on a libpcap backend to capture ETW (Event tracing for Windows), and a generator that will produce all dissectors for known ETW providers on your machine. We’ve added Tracelogging support to cover almost all log techniques on the Windows Operating System.
With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture 😉 No more need for an external NDIS driver.
This is a huge improvement in terms of use:
- Enable to mix all kinds of events (system and network)
- Enable to use Wireshark filtering on event log
- Enable to track network and system logs by Process ID!!!
- Enable to capture Windows log and network trace into a unique pcap file!!!
- Capture NamedPipe through NpEtw file system filter driver
How does it work
To better understand how Winshark works, we need to understand how ETW works first.
ETW is splitted into three parts:
- A Provider that will emit log and be identified by a unique ID
- A Session that will mix one or more providers
- A Consumer that will read logs emitted by a session
Provider
There is a lot of different kinds of providers. The most common, and usable, are registred providers. A registred provider, or a manifest-based provider, is recorded under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers. This makes the link between a provider ID and a dll. The manifest is encompassed into the associated dll into a resource name WEVT_TEMPLATE.
You can list all providers registred on your machine usinglogman :
logman query providers
You can also list all providers bound by a particular process:
logman query providers -pid 1234
Some of them could appear without a name; these kinds of providers can produce WPP or TraceLogging logs.
Session
Sessions are created to collect logs from more than one provider. You can create your own session usinglogman:
logman start Mysession -p “Microsoft-Windows-RemoteDesktopServices-RdpCoreTS” -ets -rt
logman update MySession -p “Microsoft-Windows-NDIS-PacketCapture” -ets -rt
You can list all active sessions from an admin command line:
logman query -ets
Data Collector Set Type Status
——————————————————————————-
…
EventLog-Application Trace Running
EventLog-Microsoft-Windows-Sysmon-Operational Trace Running
EventLog-System Trace Running
…
The command completed successfully.
You can see here some interesting sessions used by the event logger to capture logs from Application and System sessions and from Sysmon.
Consumer
A consumer is a simple program that will read logs from a session. Well-known consumers are:
- Event Logger
- logman
- netsh
- tracert
And now Winshark!!! Winshark is a simple ETW consumer. The real underlying consumer is libpcap, (wpcap.dll for Windows) which is used by dumpcap.exe which is the process in charge of packet capture.