microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Add filtering by primitive types #45

Closed mjeong92 closed 6 years ago

mjeong92 commented 6 years ago

Add filtering by Boolean, Int16, Int32, and Int64.

mjeong92 commented 6 years ago

The unit tests fail but I don't know why. When I test these filters on an active ETW trace the filtering works correctly, so I know it's not an issue with the Filters themselves but something with the test classes.

zacbrown commented 6 years ago

@mjeong92 - hmm, looks like it's failing to lookup the schema for that provider. You could try a different provider with int16/int32/int64 properties.

mjeong92 commented 6 years ago

So it has to be a real provider and I can't make up the fields to test them? Hmm... I don't know where I can look up providers that might have those properties.

Why does the LogonType fail then? That one definitely exists on that provider and it is an Int32 property.

swannman commented 6 years ago

@mjeong92 it looks like LogonType may be a UINT32. Could that be what is tripping us up here?

mjeong92 commented 6 years ago

I removed all the new filters except UInt32 because that's the only one I need and that's the only type I could immediately find for test cases.

mjeong92 commented 6 years ago

Thanks Zac 👍
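The two questions the thread turns on (is LogonType declared as Int32 or UInt32, and which providers actually carry Int16/Int32/Int64/Boolean properties to test a filter against) can be answered from the provider manifests without running a trace. The PowerShell below is an added example, not code from this PR or from krabsetw; it relies only on the built-in `Get-WinEvent -ListProvider` metadata and the `Template` XML each event exposes. The provider name `Microsoft-Windows-Security-Auditing` and event 4624 are assumptions (the thread never names the provider); they are used because that is the usual source of a `LogonType` property.

```powershell
# Added example, not part of the krabsetw PR or the project's code.
# Reads the manifest "inType" of every property of a provider's events, so a
# filter's property type can be checked (and test providers found) offline.

function Get-EtwEventPropertyTypes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [long[]]$EventId
    )
    # Non-terminating errors (unknown provider, missing resources) yield $null,
    # and foreach over $null simply iterates zero times.
    $meta = Get-WinEvent -ListProvider $ProviderName
    foreach ($evt in $meta.Events) {
        if ($EventId -and ($evt.Id -notin $EventId)) { continue }
        if ([string]::IsNullOrWhiteSpace($evt.Template)) { continue }
        $tmpl = [xml]$evt.Template
        # Each <data name=".." inType="win:.." outType="xs:.."/> is one property.
        foreach ($d in $tmpl.template.data) {
            [pscustomobject]@{
                Provider = $ProviderName
                EventId  = $evt.Id
                Version  = $evt.Version
                Property = $d.name
                InType   = $d.inType
                OutType  = $d.outType
            }
        }
    }
}

function Find-EtwProvidersWithPropertyType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^win:')][string]$InType,
        [string]$ProviderFilter = '*'
    )
    # Providers whose metadata cannot be loaded are skipped; scanning '*' is slow.
    Get-WinEvent -ListProvider $ProviderFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-EtwEventPropertyTypes -ProviderName $_.Name -ErrorAction SilentlyContinue
        } |
        Where-Object InType -eq $InType
}

# Assumed provider/event: check how LogonType is declared on logon event 4624.
# A UInt32 filter matches only if this reports win:UInt32, not win:Int32.
Get-EtwEventPropertyTypes -ProviderName 'Microsoft-Windows-Security-Auditing' -EventId 4624 |
    Where-Object Property -eq 'LogonType'

# Find candidate providers/events carrying an Int16 property to test that filter against.
Find-EtwProvidersWithPropertyType -InType 'win:Int16' -ProviderFilter 'Microsoft-Windows-*' |
    Select-Object Provider, EventId, Property -First 10
```

The same manifest type string is what a schema-driven filter compares against, so a mismatch between the filter's template argument and the `inType` reported here (signed versus unsigned, or a narrower width) is the first thing to rule out before suspecting the filter or the test harness.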