I want to capture packets via ETW using the Microsoft-windows-TCPIP provider.
When I use "netsh trace start capture=yes Provider=Microsoft-Windows-TCPIP" to capture packets, I can find the TCP traffic payload in the etl file.
But if I don't specify the "capture=yes" keyword, I can't find the TCP packet payload in the etl file.
Then I tried using the Win32 APIs to start a trace to capture the TCP traffic. I called StartTrace and EnableTraceEx2, and I got the same result as "netsh trace start" without the "capture=yes" keyword: no TCP packet payload in the etl file.
I want to know what netsh does when "capture=yes" is specified, and what I should do to achieve the same thing as netsh with "capture=yes" by calling the Win32 APIs.
Thank you.