Microsoft-Windows-NDIS-PacketCapture
20 events across 1 channel
Event ID 1001: Packet Fragment (FragmentSize bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.
Description
Packet Fragment (FragmentSize bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.
Message
Fields
| Name | Type | Description |
|---|---|---|
| MiniportIfIndex | UInt32 | |
| LowerIfIndex | UInt32 | |
| FragmentSize | UInt32 | |
| Fragment | Binary | |
| GftFlowEntryId | UInt64 | |
| GftOffloadInformation | UInt64 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000060000000000",
    "time_created": "2026-06-02T05:29:07.800+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Fragment": "BC2411225B57BC241141F25808004500004FBF3E0000801100000A020A0B0A020AFEE5600035003B295908300100000100000000000106636C69656E7403776E730777696E646F777303636F6D00000100010000290FA0000080000000",
    "FragmentSize": 93,
    "GftFlowEntryId": 0,
    "GftOffloadInformation": 0,
    "LowerIfIndex": 4,
    "MiniportIfIndex": 4
  },
  "message": ""
}
```
Event ID 1002: Packet Metadata (MetadataSize bytes).
Event ID 1003: VMSwitch Packet Fragment (Fragment bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.
Description
VMSwitch Packet Fragment (Fragment bytes), MiniportIfIndex MiniportIfIndex, LowerIfIndex LowerIfIndex.
Message
Fields
| Name | Type | Description |
|---|---|---|
| MiniportIfIndex | UInt32 | |
| LowerIfIndex | UInt32 | |
| SourcePortId | UInt32 | |
| SourcePortName | UnicodeString | |
| SourceNicName | UnicodeString | |
| SourceNicType | UnicodeString | |
| DestinationCount | UInt32 | |
| Destination | Double | |
| FragmentSize | UInt32 | |
| Fragment | Binary | |
| OOBDataSize | UInt32 | |
| OOBData | Binary | |
Event ID 1011: Capture Rules Count=RulesCount.
Event ID 1012: Driver Loaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).
Event ID 1013: Driver Unloaded (FriendlyName=FriendlyName UniqueName=UniqueName ServiceName=ServiceName).
Event ID 1014: Attached to miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).
Description
Attached to miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).
Message
Fields
| Name | Type | Description |
|---|---|---|
| MiniportIfIndex | UInt32 | |
| LowerIfIndex | UInt32 | |
| MediaType | UInt32 | |
| ReferenceContext | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 1014,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000008000000000",
    "time_created": "2026-06-02T05:29:07.633+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13372,
      "thread_id": 18092
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LowerIfIndex": 16,
    "MediaType": 0,
    "MiniportIfIndex": 16,
    "ReferenceContext": 16
  },
  "message": ""
}
```
Event ID 1015: Detached from miniport interface MiniportIfIndex above layer interface LowerIfIndex with media type MediaType (context=ReferenceContext).
Event ID 1016: Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.
Event ID 2001: Driver load failed with status=ErrorCode at location Location.
Event ID 2002: FilterAttach failed with status=ErrorCode at location Location (context=Context).
Event ID 2003: Received Invalid Capture Rule: Id=RuleId Directive=Directive ValueLength=Length Value=Value.
Event ID 3001: Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).
Description
Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).
Message
Fields
| Name | Type | Description |
|---|---|---|
| PreviousState | UInt8 | |
| NextState | UInt8 | |
| Location | UInt32 | |
| Context | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 3001,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 21,
    "keywords": "0x0000208000000000",
    "time_created": "2026-06-02T05:29:07.633+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13372,
      "thread_id": 18092
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": 16,
    "Location": 1644,
    "NextState": 21,
    "PreviousState": 1
  },
  "message": "LayerLoad"
}
```
Event ID 3002: Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).
Description
Entering state 'NextState' from state 'PreviousState' (location=Location, context=Context).
Message
Fields
| Name | Type | Description |
|---|---|---|
| PreviousState | UInt8 | |
| NextState | UInt8 | |
| Location | UInt32 | |
| Context | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 3002,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 21,
    "keywords": "0x0000208000000000",
    "time_created": "2026-06-02T05:29:07.633+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13372,
      "thread_id": 18092
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": 16,
    "Location": 1929,
    "NextState": 2,
    "PreviousState": 21
  },
  "message": "LayerLoad"
}
```
Event ID 5100: Rundown: Rundown: SourceId - RundownId, Param1, Param2.
Description
Rundown: Rundown: SourceId - RundownId, Param1, Param2. ParamStr.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SourceId | UInt8 | |
| RundownId | UInt32 | |
| Param1 | UInt64 | |
| Param2 | UInt64 | |
| ParamStr | UnicodeString | |
| Description | UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 5100,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:58:43.548+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12516,
      "thread_id": 716
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Description": "",
    "Param1": 18,
    "Param2": 0,
    "ParamStr": "C08CB7B8-9B3C-408E-8E30-5E16A3AEB444",
    "RundownId": 1,
    "SourceId": 2
  },
  "message": ""
}
```
Event ID 5101: Event source: Event_source: LayerCount, IfIndex: SourceId, LayerCount: SourceName.
Description
Event source: Event_source: LayerCount, IfIndex: SourceId, LayerCount: SourceName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SourceId | UInt8 | |
| SourceName | UnicodeString | |
| IfIndex | UInt32 | |
| LayerCount | UInt16 | 2, IfIndex. |
| LayerInfo | Int16 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-NDIS-PacketCapture",
    "guid": "{2ED6006E-4729-4609-B423-3EE7BCD678EF}",
    "event_source_name": "",
    "event_id": 5101,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:58:43.548+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12516,
      "thread_id": 716
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": 18,
    "LayerCount": 2,
    "LayerInfo": "01000000500044005F004500580054005F00500054000000000000000000",
    "SourceId": 2,
    "SourceName": "Default Switch"
  },
  "message": ""
}
```
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {2ED6006E-4729-4609-B423-3EE7BCD678EF}
Defined in ndiscap.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02