Microsoft-Windows-NDIS-PacketCapture

20 events across 1 channel

Event ID 1001 — Packet Fragment (FragmentSize bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Packet Fragment (FragmentSize bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.

Message

Packet Fragment (%3 bytes), MiniportIfIndex %1, LowerIfIndex %2

Fields

Name Description
MiniportIfIndex UInt32
LowerIfIndex UInt32
FragmentSize UInt32
Fragment Binary
GftFlowEntryId UInt64
GftOffloadInformation UInt64

Event ID 1002 — Packet Metadata (MetadataSize bytes).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Packet Metadata (MetadataSize bytes).

Message

Packet Metadata (%3 bytes)

Fields

Name Description
MiniportIfIndex UInt32
LowerIfIndex UInt32
MetadataSize UInt32
Metadata Binary

Event ID 1003 — VMSwitch Packet Fragment (Fragment bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

VMSwitch Packet Fragment (Fragment bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.

Message

VMSwitch Packet Fragment (%9 bytes), MiniportIfIndex %1, LowerIfIndex %2

Fields

Name Description
MiniportIfIndex UInt32
LowerIfIndex UInt32
SourcePortId UInt32
SourcePortName UnicodeString
SourceNicName UnicodeString
SourceNicType UnicodeString
DestinationCount UInt32
FragmentSize UInt32
Fragment Binary
OOBDataSize UInt32
OOBData Binary
Destination Double

Event ID 1011 — Capture Rules Count=RulesCount.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
Rules

Description

Capture Rules Count=RulesCount.

Message

Capture Rules Count=%1

Fields

Name Description
RulesCount UInt32

Event ID 1012 — Driver Loaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Driver Loaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).

Message

Driver Loaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3)

Fields

Name Description
FriendlyName UnicodeString
UniqueName UnicodeString
ServiceName UnicodeString
Version UnicodeString

Event ID 1013 — Driver Unloaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Driver Unloaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).

Message

Driver Unloaded (FriendlyName=%1 UniqueName=%2 ServiceName=%3)

Fields

Name Description
FriendlyName UnicodeString
UniqueName UnicodeString
ServiceName UnicodeString
Version UnicodeString

Event ID 1014 — Attached to miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Attached to miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).

Message

Attached to miniport interface %1 above layer interface %2 with media type %3 (context=%4)

Fields

Name Description
MiniportIfIndex UInt32
LowerIfIndex UInt32
MediaType UInt32
ReferenceContext UInt32

Event ID 1015 — Detached from miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Detached from miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).

Message

Detached from miniport interface %1 above layer interface %2 with media type %3 (context=%4)

Fields

Name Description
MiniportIfIndex UInt32
LowerIfIndex UInt32
MediaType UInt32
ReferenceContext UInt32

Event ID 1016 — Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
Rules

Description

Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.

Message

Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4

Fields

Name Description
RuleId UInt8
Directive UInt8
Length UInt16
Value Binary

Event ID 2001 — Driver load failed with status=ErrorCode at location Location.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
DriverLoad
Opcode
LoadingState

Description

Driver load failed with status=ErrorCode at location Location.

Message

Driver load failed with status=%1 at location %2

Fields

Name Description
ErrorCode UInt32
Location UInt32
Context UInt32

Event ID 2002 — FilterAttach failed with status=ErrorCode at location Location (context=Context).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
LayerLoad
Opcode
LoadingState

Description

FilterAttach failed with status=ErrorCode at location Location (context=Context).

Message

FilterAttach failed with status=%1 at location %2 (context=%3)

Fields

Name Description
ErrorCode UInt32
Location UInt32
Context UInt32

Event ID 2003 — Received Invalid Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
Rules
Opcode
LoadingState

Description

Received Invalid Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.

Message

Received Invalid Capture Rule: Id=%1 Directive=%2 ValueLength=%3 Value=%4

Fields

Name Description
RuleId UInt8
Directive UInt8
Length UInt16
Value Binary

Event ID 3001 — Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
LayerLoad
Opcode
LoadingState

Description

Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).

Message

Entering state '%2' from state '%1' (location=%3, context=%4)

Fields

Name Description
PreviousState UInt8
NextState UInt8
Location UInt32
Context UInt32

Event ID 3002 — Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Task
LayerLoad
Opcode
LoadingState

Description

Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).

Message

Entering state '%2' from state '%1' (location=%3, context=%4)

Fields

Name Description
PreviousState UInt8
NextState UInt8
Location UInt32
Context UInt32

Event ID 5000 — Rx Packet Processing Start

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Start

Description

Rx Packet Processing Start.

Message

Rx Packet Processing Start

Event ID 5001 — Rx Packet Processing Complete

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Stop

Description

Rx Packet Processing Complete.

Message

Rx Packet Processing Complete

Event ID 5002 — Tx Packet Processing Start

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Start

Description

Tx Packet Processing Start.

Message

Tx Packet Processing Start

Event ID 5003 — Tx Packet Processing Complete

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Stop

Description

Tx Packet Processing Complete.

Message

Tx Packet Processing Complete

Event ID 5100 — Rundown: Rundown: SourceId - RundownId, Param1, Param2.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Rundown: Rundown: SourceId - RundownId, Param1, Param2. ParamStr.

Message

Rundown: %1: %2 - %3, %4, %5. %6.

Fields

Name Description
Rundown
SourceId UInt8
RundownId UInt32
Param1 UInt64
Param2 UInt64
ParamStr UnicodeString
Description UnicodeString

Event ID 5101 — Event source: Event_source: LayerCount, IfIndex: SourceId, LayerCount: SourceName.

Provider
Microsoft-Windows-NDIS-PacketCapture
Channel
Diagnostic
Opcode
Info

Description

Event source: Event_source: LayerCount, IfIndex: SourceId, LayerCount: SourceName.

Message

Event source: %1: %2, IfIndex: %3, LayerCount: %4.

Fields

Name Description
Event_source
LayerCount UInt16 2, IfIndex.
SourceId UInt8
SourceName UnicodeString
IfIndex UInt32
LayerInfo Int16