A clean architecture, DDD-based solution for parsing ETW (Event Tracing for Windows) ETL files and extracting WDF driver events (Wdf01000.sys).

This solution follows Domain-Driven Design (DDD) principles and clean architecture:

• Domain Layer: Core business entities, value objects, domain services, and repository interfaces
• Application Layer: Use cases, DTOs, and application services
• Infrastructure Layer: ETL parsing implementation using Microsoft.Windows.EventTracing, file I/O, and exporters
• Presentation Layer: CLI interface using System.CommandLine

• Parse ETL files using Microsoft.Windows.EventTracing
• Extract WDF driver events (Wdf01000.sys)
• Filter events by provider name
• Export to JSON or CSV format
• Clean architecture with strict layer separation
• Dependency injection
• Structured logging

• .NET 8.0 SDK
• Windows OS (ETW is Windows-specific)
• ETL files captured using xperf or WPR

dotnet build

dotnet run --project src/EtwEventParser.Presentation -- --input trace.etl --output output.json --format Json

dotnet run --project src/EtwEventParser.Presentation -- --input trace.etl --output wdf_events.json --wdf-only

dotnet run --project src/EtwEventParser.Presentation -- --input trace.etl --output events.csv --format Csv --provider Wdf01000

• --input, -i: Path to the input ETL file (required)
• --output, -o: Path to the output file (required)
• --format, -f: Output format (Json or Csv, default: Json)
• --provider, -p: Filter events by provider name
• --wdf-only, -w: Extract only WDF driver events (Wdf01000.sys)
• --pretty: Pretty print JSON output (default: true)

EtwEventParser/
├── src/
│   ├── EtwEventParser.Domain/          # Domain layer
│   │   ├── Entities/                  # Domain entities
│   │   ├── ValueObjects/              # Value objects
│   │   ├── Repositories/              # Repository interfaces
│   │   ├── Services/                  # Domain service interfaces
│   │   └── DomainEvents/              # Domain events
│   ├── EtwEventParser.Application/      # Application layer
│   │   ├── UseCases/                  # Application use cases
│   │   ├── DTOs/                      # Data transfer objects
│   │   └── Services/                  # Application service interfaces
│   ├── EtwEventParser.Infrastructure/   # Infrastructure layer
│   │   ├── Repositories/              # Repository implementations
│   │   ├── Services/                  # Service implementations
│   │   └── DependencyInjection/       # DI configuration
│   └── EtwEventParser.Presentation/     # Presentation layer
│       └── Program.cs                 # CLI entry point
└── README.md

This solution adheres to:

• SOLID principles: Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion
• Clean Architecture: Strict layer separation, dependency rule (dependencies point inward)
• DDD: Domain model, entities, value objects, aggregates, domain services
• Ports and Adapters (Hexagonal): Infrastructure adapts to domain interfaces
• CQRS-style separation: Read and write operations are separated
• Dependency Injection: All dependencies are injected via constructors
• Configuration: All configuration externalized (appsettings.json, environment variables)

• Microsoft.Windows.EventTracing: Official ETW event tracing library
• System.CommandLine: CLI framework
• Microsoft.Extensions.*: Dependency injection, logging, configuration

This project is provided as-is for educational and development purposes.