Wireshark · Display Filter Reference: Event Tracing for Windows

Display Filter Reference: Event Tracing for Windows

Protocol field name: etw

Versions: 3.6.0 to 4.0.3

Field name	Description	Type	Versions
etw.activity_id	Activity ID	Globally Unique Identifier	3.6.0 to 4.0.3
etw.buffer_context.alignment	Alignment	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.buffer_context.logger_id	ID	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.buffer_context.processor_number	Processor Number	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.descriptor.channel	Channel	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.descriptor.id	ID	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.descriptor.keywords	Keywords	Unsigned integer (8 bytes)	3.6.0 to 4.0.3
etw.descriptor.level	Level	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.descriptor.opcode	Opcode	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.descriptor.task	Task	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.descriptor.version	Version	Unsigned integer (1 byte)	3.6.0 to 4.0.3
etw.event_property	Event Property	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.flags	Flags	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.header_type	Header Type	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.message	Event Message	Character string	3.6.0 to 4.0.3
etw.message_length	Message Length	Unsigned integer (4 bytes)	3.6.0 to 4.0.3
etw.process_id	Process ID	Unsigned integer (4 bytes)	3.6.0 to 4.0.3
etw.processor_time	Processor Time	Unsigned integer (8 bytes)	3.6.0 to 4.0.3
etw.provider_id	Provider ID	Globally Unique Identifier	3.6.0 to 4.0.3
etw.provider_name	Provider Name	Character string	3.6.0 to 4.0.3
etw.provider_name_length	Provider Name Length	Unsigned integer (4 bytes)	3.6.0 to 4.0.3
etw.size	Size	Unsigned integer (2 bytes)	3.6.0 to 4.0.3
etw.thread_id	Thread ID	Unsigned integer (4 bytes)	3.6.0 to 4.0.3
etw.time_stamp	Time Stamp	Unsigned integer (8 bytes)	3.6.0 to 4.0.3
etw.user_data_length	User Data Length	Unsigned integer (4 bytes)	3.6.0 to 4.0.3