Microsoft-Windows-NDIS-PacketCapture

20 events across 1 channel

Event ID 1001 — Packet Fragment (%3 bytes), MiniportIfIndex %1, LowerIfIndex %2.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Packet Fragment (%3 bytes), MiniportIfIndex %1, LowerIfIndex %2

Fields

Name | Description
MiniportIfIndex
LowerIfIndex
FragmentSize
Fragment
GftFlowEntryId
GftOffloadInformation

Event ID 1002 — Packet Metadata (%3 bytes).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Packet Metadata (%3 bytes)

Fields

Name | Description
MiniportIfIndex
LowerIfIndex
MetadataSize
Metadata

Event ID 1003 — VMSwitch Packet Fragment (%9 bytes), MiniportIfIndex %1, LowerIfIndex %2.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

VMSwitch Packet Fragment (%9 bytes), MiniportIfIndex %1, LowerIfIndex %2

Fields

Name | Description
MiniportIfIndex
LowerIfIndex
SourcePortId
SourcePortName
SourceNicName
SourceNicType
DestinationCount
FragmentSize
Fragment
OOBDataSize
OOBData
Destination

Event ID 1011 — Capture Rules Count=%1.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Capture Rules Count=%1

Fields

Name | Description
RulesCount

Event ID 1012 — Driver Loaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Driver Loaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3)

Fields

Name | Description
FriendlyName
UniqueName
ServiceName
Version

Event ID 1013 — Driver Unloaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Driver Unloaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3)

Fields

Name | Description
FriendlyName
UniqueName
ServiceName
Version

Event ID 1014 — Attached to miniport interface %1 above layer interface %2 with media type %3 (context=%4).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Attached to miniport interface %1 above layer interface %2 with media type %3 (context=%4)

Fields

Name | Description
MiniportIfIndex
LowerIfIndex
MediaType
ReferenceContext

Event ID 1015 — Detached from miniport interface %1 above layer interface %2 with media type %3 (context=%4).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Detached from miniport interface %1 above layer interface %2 with media type %3 (context=%4)

Fields

Name | Description
MiniportIfIndex
LowerIfIndex
MediaType
ReferenceContext

Event ID 1016 — Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4

Fields

Name | Description
RuleId
Directive
Length
Value

Event ID 2001 — Driver load failed with status=%1 at location %2.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Driver load failed with status=%1 at location %2

Fields

Name | Description
ErrorCode
Location
Context

Event ID 2002 — FilterAttach failed with status=%1 at location %2 (context=%3).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

FilterAttach failed with status=%1 at location %2 (context=%3)

Fields

Name | Description
ErrorCode
Location
Context

Event ID 2003 — Received Invalid Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Received Invalid Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4

Fields

Name | Description
RuleId
Directive
Length
Value

Event ID 3001 — Entering state '%2' from state '%1' (location=%3, context=%4).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Entering state '%2' from state '%1' (location=%3, context=%4)

Fields

Name | Description
PreviousState
NextState
Location
Context

Event ID 3002 — Entering state '%2' from state '%1' (location=%3, context=%4).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Entering state '%2' from state '%1' (location=%3, context=%4)

Fields

Name | Description
PreviousState
NextState
Location
Context

Event ID 5000 — Rx Packet Processing Start

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Rx Packet Processing Start

Event ID 5001 — Rx Packet Processing Complete

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Rx Packet Processing Complete

Event ID 5002 — Tx Packet Processing Start

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Tx Packet Processing Start

Event ID 5003 — Tx Packet Processing Complete

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Tx Packet Processing Complete

Event ID 5100 — Rundown: %1: %2 - %3, %4, %5.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Rundown: %1: %2 - %3, %4, %5. %6.

Fields

Name | Description
Rundown
SourceId
RundownId
Param1
Param2
ParamStr
Description

Event ID 5101 — Event source: %1: %2, IfIndex: %3, LayerCount: %4.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic

Message

Event source: %1: %2, IfIndex: %3, LayerCount: %4.

Fields

Name | Description
Event_source
LayerCount2, IfIndex.
SourceId
SourceName
IfIndex
LayerInfo