diff --git a/README.md b/README.md
index ef4e331..63e2367 100644
--- a/README.md
+++ b/README.md
@@ -13,15 +13,24 @@ We've added Tracelogging support to cover almost all log techniques on the Windo
 With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool.
 Windows exposes a lot of ETW providers, in particular one for network capture ;-) No more need for an external NDIS driver.
+<<<<<<< HEAD
 This is a huge improvement in terms of use:
 * Enable to mix all kind of events (system and network)
 * Enable to use Wireshark filtering on event log
 * Enable to track network and system logs by Process ID!!!
 * Enable to capture Windows log and network trace into an unique pcap file!!!
+=======
+This is a huge improvement in term of use :
+* Enable to mix all kind of event (system and network)
+* Enable to use wireshark filtering on event log
+* Enable to track network and system log by Process ID !!!
+* Enable to capture Windows log and network trace into an unique pcap file !!!
+* Capture NamedPipe through [NpEtw](https://github.com/kobykahane/NpEtw) file system filter driver
 If you want to:
 * [Capture Network Traffic Using Winshark](#Capture-Network-traffic)
 * [Filter on Process ID](#Filtering-on-process-id)
+* [Capture NamedPipe Traffic] (#Capturing-NamedPipe)
 ## Install
@@ -163,6 +172,37 @@ etw.header.ProcessId == 1234
 ![ETW packet capture](doc/images/winshark-process-id.PNG)
+
+## Capturing NamedPipe
+
+@kobykahane provide a [file system filter driver](https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers) that emit an ETW for every action perform on a NamedPipe.
+
+### Install
+
+* Pass driver signing check in test mode
+```
+bcdedit /set testsigning on
+```
+* Install [NpEtwSetup.msi](https://github.com/airbus-cert/Winshark/releases)
+* Reboot
+* Update `Winshark` dissector by double clicking `C:\Program Files\Wireshark\WinsharkUpdate.exe` with `Admin` rights
+
+### Capture
+
+* Open a `cmd.exe` in `Admin mode`
+* Start the driver
+```
+sc start NpEtw
+```
+* Create an ETW Session
+```
+logman start namedpipe -p NpEtw -ets -rt
+```
+* Start `Wireshark` and select the `namedpipe` session. Enjoy!
+
+![ETW namedpipe capture](doc/video/namedpipe.gif)
+
+
 ## SSTIC (Symposium sur la sécurité des technologies de l'information et des communications)
 This project is part of a presentation made for [SSTIC](https://www.sstic.org/2020/presentation/quand_les_bleus_se_prennent_pour_des_chercheurs_de_vulnrabilites/)
diff --git a/dissector/Tracelogging.lua b/dissector/Tracelogging.lua
index 939e72d..15347ac 100644
--- a/dissector/Tracelogging.lua
+++ b/dissector/Tracelogging.lua
@@ -80,9 +80,16 @@ function tracelogging.dissector(buffer, pinfo, tree)
 if ext_type == 11 then
 local size = data(0, 2):le_uint()
 local tag = data(2, 1):le_uint()
+local extended_tag = nil
+local offset_name = 3
+-- tag have an extended int format
+if bit32.band(tag, 0x80) == 0x80 then
+extended_tag = data(3, 1):le_uint()
+offset_name = 4
+end
 -- name of the protocol
-name = data(3):stringz():gsub(" ", "_")
-local scheme_data = data(3 + name:len() + 1):tvb()
+name = data(offset_name):stringz():gsub(" ", "_")
+local scheme_data = data(offset_name + name:len() + 1):tvb()
 local offset_scheme = 0
 local index_tag = 1
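Review bot: The new extended-tag branch in the `ext_type == 11` block reads exactly one extra byte and then stops, but nothing checks whether that second byte has its own high bit set; if the "extended int format" the comment refers to is the usual chained encoding (0x80 means "one more byte follows"), a tag longer than two bytes leaves `offset_name` pointing inside the tag, so `stringz()` takes tag bytes as the name and `scheme_data` starts at the wrong offset. `extended_tag` is also assigned and never used, so the branch can be folded into a bounded loop that only advances the offset. The `data(3, 1)` read (and the `data(offset_name)` read after it) will raise on a truncated metadata blob; Wireshark reports that as malformed, which is acceptable, but a `data:len()` guard would make the failure explicit. Note that `tracelogging.dissector` begins before this hunk and continues after it, so the enclosing function is not visible here.
```lua
local tag = data(2, 1):le_uint()
local offset_name = 3
-- the tag is a chained int: a set high bit means one more byte follows (cap the chain so a corrupt blob cannot run away)
while bit32.band(data(offset_name - 1, 1):le_uint(), 0x80) == 0x80 and offset_name < 7 do
    offset_name = offset_name + 1
end
-- name of the protocol
name = data(offset_name):stringz():gsub(" ", "_")
-- … unchanged: scheme_data / offset_scheme / index_tag …
```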
diff --git a/doc/video/namedpipe.gif b/doc/video/namedpipe.gif
new file mode 100644
index 0000000..4831099
Binary files /dev/null and b/doc/video/namedpipe.gif differ
diff --git a/transluator/CMakeLists.txt b/transluator/CMakeLists.txt
index 99397eb..49bdd6a 100644
--- a/transluator/CMakeLists.txt
+++ b/transluator/CMakeLists.txt
@@ -20,4 +20,5 @@ install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tra
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Microsoft.Diagnostics.FastSerialization.dll" DESTINATION .)
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Dia2Lib.dll" DESTINATION .)
 install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/OSExtensions.dll" DESTINATION .)
-install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/TraceReloggerLib.dll" DESTINATION .)
\ No newline at end of file
+install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/TraceReloggerLib.dll" DESTINATION .)
+install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/scripts/WinsharkUpdate.bat" DESTINATION .)
\ No newline at end of file
diff --git a/transluator/scripts/WinsharkUpdate.bat b/transluator/scripts/WinsharkUpdate.bat
new file mode 100644
index 0000000..ae7f1d7
--- /dev/null
+++ b/transluator/scripts/WinsharkUpdate.bat
@@ -0,0 +1,2 @@
+SET DIR=%~dp0
+"%DIR%\Transluator.exe" "%DIR%\plugins\winshark"
\ No newline at end of file
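Review bot: `%~dp0` already expands with a trailing backslash, so `"%DIR%\Transluator.exe"` on the second line yields a doubled separator (`...\scripts\\Transluator.exe`); Windows tolerates it, but the cleaner form is `"%~dp0Transluator.exe" "%~dp0plugins\winshark"` with no intermediate variable. The script also echoes both commands and discards Transluator's exit status, so a failed update is invisible to someone who double-clicks it with Admin rights as the README on this page instructs; `@echo off` as the first line and `exit /b %ERRORLEVEL%` as the last would fix both. Resolving the executable relative to the script's own directory rather than through PATH is the right choice for something run elevated, so keep that. The README hunk on this page tells users to run `WinsharkUpdate.exe`, while the CMake hunk installs `WinsharkUpdate.bat`; one of the two should be reconciled.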