Windows ETL trace file format?
I have written an ETW provider which is used by my system to log opaque blobs of binary data using the TraceEvent API function. My system is essentially a high throughput event processing system and I want to be able to (cheaply) capture the serialised state of certain objects as they pass through the system. This will give me a replayability feature so that at any time in the future I can replay an event trace and reproduce the exact sequence of events which brought about a particular state in the application.
It is still in the early stages so at the moment my only control over the tracing is by using one of the tools such as logman or tracelog, which can create trace controllers to log the events to a trace file with an .etl extension. I know I could write a standalone controller which could consume the events in real time and write the events to file myself but I want to try to avoid that at this stage (call it laziness :)), but seriously why rewrite something that is already available?
So, does anyone have any insight into the binary format of .etl files? I know something like tracedmp can read them and produce CSVs but that doesn't help with the binary portion. If I could read these files and parse out the blobs I have written then I would essentially have the replayability I am after, but I can't find anything on this file format.
Thanks,
Paul
Comments (1)
Well, 15 minutes to answer my own question. Must be some kind of record but I swear I spent half a day looking for this... :)
The OpenTrace / ProcessTrace / CloseTrace functions allow you to consume events from either a real-time trace session or from an ETL log file and seem to be exactly what I was looking for.
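
A minimal consumer built on the functions named in the answer above, as an added example that is not part of the original post: it reads an .etl file and writes the payload of each event from one provider to an output file. The zeroed GUID placeholder, the `write_blob` helper and its length-prefixed framing are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical output framing: 1-byte event type, 4-byte little-endian
 * length, then the blob exactly as the provider logged it. */
static int write_blob(FILE *out, unsigned char type, const void *data, unsigned long len)
{
    unsigned char hdr[5] = { type, (unsigned char)len, (unsigned char)(len >> 8),
                             (unsigned char)(len >> 16), (unsigned char)(len >> 24) };
    if (fwrite(hdr, 1, sizeof hdr, out) != sizeof hdr) return -1;
    if (len && fwrite(data, 1, len, out) != len) return -1;
    return 0;
}

#ifdef _WIN32  /* the ETW consumer API exists only on Windows */
#include <windows.h>
#include <evntrace.h>   /* link with advapi32.lib */

/* Placeholder (assumption): replace with the event class GUID your provider
 * sets in EVENT_TRACE_HEADER.Guid before calling TraceEvent. */
static const GUID kMyEventGuid = { 0 };
static FILE *g_out;

/* Called by ProcessTrace once per event, in the order stored in the file. */
static VOID WINAPI on_event(PEVENT_TRACE ev)
{
    if (memcmp(&ev->Header.Guid, &kMyEventGuid, sizeof(GUID)) != 0)
        return;                            /* not ours, e.g. the trace header event */
    write_blob(g_out, ev->Header.Class.Type, ev->MofData, ev->MofLength);
}

int main(int argc, char **argv)            /* usage: etldump in.etl out.bin */
{
    EVENT_TRACE_LOGFILEA log = { 0 };
    TRACEHANDLE h;
    ULONG rc;
    if (argc != 3 || (g_out = fopen(argv[2], "wb")) == NULL) return 2;
    log.LogFileName = argv[1];             /* file written by logman / tracelog */
    log.EventCallback = on_event;          /* classic EVENT_TRACE callback */
    h = OpenTraceA(&log);
    if (h == INVALID_PROCESSTRACE_HANDLE) return 1;
    rc = ProcessTrace(&h, 1, NULL, NULL);  /* returns when the whole file is read */
    CloseTrace(h);
    fclose(g_out);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#endif
```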