I would like to implement an ETW consumer in C for events coming from the Microsoft-Windows-TCPIP provider. However, I fail to find the type of event this provider generates.
I already did some similar work to consume events from Microsoft-Windows-Kernel-* (see NT Kernel Logger) , but the events sent from this provider were decently documented on MSDN (see documentation about Enable Flags).
So I guess the real question is: how can I link an ETW provider to the type of events (we are talking about C structures here) that it generates and possibly vice-versa (if feasible at all)?
Thanks!
Edit 0: I don't mind using other technologies to find the details about a class. For example, getting the details of the Registry class (for the NT Kernel Logger), one would use powershell and run the following command (note that you need the right namespace otherwise you won't get the right type):
$list = gwmi -namespace root\wmi -Class Registry* -list
foreach($element in $list) {
([wmiclass]$element).gettext("mof")
}
