Real-time display of ETW events/NetEvents in Netmon 3.3

  • Question

  • Hi,
    I have instrumented a component to generate ETW traces, with which I use logman to capture the traces in an .etl file. I have also written parsers with NPL to parse the trace and I can use "Open Capture" to open the .etl file and everything shows up fine.

    Now, my question is: is there a way to configure NetMon to display the events in real time instead of capturing the traces through .etl and opening it offline? (For example, NetMon displays real-time IP/TCP messages in the "Frame Summary" window. I would like to know if this real-time display facility can be enabled for NetEvents.)

    Thank you.
    (PS: I am in love with Netmon and NPL :))
    Thursday, September 24, 2009 9:52 PM

Answers

  • Hi abn337,

    Unfortunately, Network Monitor doesn't have this capability. We realized we could add support to read .etl files through NPL and enabled this scenario, but we still only use an NDIS driver to capture network traffic. We don't have any hooks into the ETW events right now to do this real-time display.

    However, you could theoretically retrieve your events using the ETW API.  It's not my area of experience, but if you could retrieve the raw data of the event, then there's nothing which would prevent you from using our API to parse it using your NPL, but at that point you could probably just grab the data you need from the event itself.

    We'll be sure to keep these scenarios in mind as we move ahead in the future, but currently we've still been focused more on real-time network capturing.  Thank you for your input.

    I hope you continue to enjoy using Network Monitor and don't forget to look for the latest parsers on CodePlex.

    Michael Hawker | Program Manager | Network Monitor
    • Marked as answer by Paul E Long Friday, September 25, 2009 5:44 PM
    Friday, September 25, 2009 12:27 AM