Wireshark • Display Filter Reference: Event Tracing for Windows

Display Filter Reference: Event Tracing for Windows

Protocol field name: etw

Versions: 3.6.0 to 4.6.0

Field name	Description	Type	Versions
etw.activity_id	Activity ID	Globally Unique Identifier	3.6.0 to 4.6.0
etw.buffer_context.alignment	Alignment	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.buffer_context.logger_id	ID	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.buffer_context.processor_number	Processor Number	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.descriptor.channel	Channel	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.descriptor.id	ID	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.descriptor.keywords	Keywords	Unsigned integer (64 bits)	3.6.0 to 4.6.0
etw.descriptor.level	Level	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.descriptor.opcode	Opcode	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.descriptor.task	Task	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.descriptor.version	Version	Unsigned integer (8 bits)	3.6.0 to 4.6.0
etw.event_property	Event Property	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.flags	Flags	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.header.flag.32_bit_header	32-bit Header	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.64_bit_header	64-bit Header	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.classic_header	Classic Header	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.decode_guid	Decode GUID	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.extended_info	Extended Info	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.no_cputime	No CPU time	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.private_session	Private Session	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.processor_index	Processor Index	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.string_only	String Only	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header.flag.trace_message	Trace Message	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.header_type	Header Type	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.message	Event Message	Character string	3.6.0 to 4.6.0
etw.message_length	Message Length	Unsigned integer (32 bits)	3.6.0 to 4.6.0
etw.process_id	Process ID	Unsigned integer (32 bits)	3.6.0 to 4.6.0
etw.processor_time	Processor Time	Unsigned integer (64 bits)	3.6.0 to 4.6.0
etw.property.forwarded_xml	Forwarded XML	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.property.legacy_event	Legacy Event Log	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.property.legacy_reloggable	Legacy Reloggable	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.property.xml	XML	Unsigned integer (32 bits)	4.4.0 to 4.6.0
etw.provider_id	Provider ID	Globally Unique Identifier	3.6.0 to 4.6.0
etw.provider_name	Provider Name	Character string	3.6.0 to 4.6.0
etw.provider_name_length	Provider Name Length	Unsigned integer (32 bits)	3.6.0 to 4.6.0
etw.size	Size	Unsigned integer (16 bits)	3.6.0 to 4.6.0
etw.thread_id	Thread ID	Unsigned integer (32 bits)	3.6.0 to 4.6.0
etw.time_stamp	Time Stamp	Unsigned integer (64 bits)	3.6.0 to 4.6.0
etw.user_data_length	User Data Length	Unsigned integer (32 bits)	3.6.0 to 4.6.0