Wireshark · Display Filter Reference: Event Tracing for Windows

Display Filter Reference: Event Tracing for Windows

Protocol field name: etw

Versions: 3.6.0 to 3.6.5

Field name	Description	Type	Versions
etw.activity_id	Activity ID	Globally Unique Identifier	3.6.0 to 3.6.5
etw.buffer_context.alignment	Alignment	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.buffer_context.logger_id	ID	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.buffer_context.processor_number	Processor Number	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.descriptor.channel	Channel	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.descriptor.id	ID	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.descriptor.keywords	Keywords	Unsigned integer, 8 bytes	3.6.0 to 3.6.5
etw.descriptor.level	Level	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.descriptor.opcode	Opcode	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.descriptor.task	Task	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.descriptor.version	Version	Unsigned integer, 1 byte	3.6.0 to 3.6.5
etw.event_property	Event Property	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.flags	Flags	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.header_type	Header Type	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.message	Event Message	Character string	3.6.0 to 3.6.5
etw.message_length	Message Length	Unsigned integer, 4 bytes	3.6.0 to 3.6.5
etw.process_id	Process ID	Unsigned integer, 4 bytes	3.6.0 to 3.6.5
etw.processor_time	Processor Time	Unsigned integer, 8 bytes	3.6.0 to 3.6.5
etw.provider_id	Provider ID	Globally Unique Identifier	3.6.0 to 3.6.5
etw.provider_name	Provider Name	Character string	3.6.0 to 3.6.5
etw.provider_name_length	Provider Name Length	Unsigned integer, 4 bytes	3.6.0 to 3.6.5
etw.size	Size	Unsigned integer, 2 bytes	3.6.0 to 3.6.5
etw.thread_id	Thread ID	Unsigned integer, 4 bytes	3.6.0 to 3.6.5
etw.time_stamp	Time Stamp	Unsigned integer, 8 bytes	3.6.0 to 3.6.5
etw.user_data_length	User Data Length	Unsigned integer, 4 bytes	3.6.0 to 3.6.5