How to consume real-time ETW events from the Microsoft-Windows-NDIS-PacketCapture provider?


If you look into what the "netsh trace" commands do internally, you'll see that they attach an NDIS lightweight filter driver to the various network interfaces. Only with this filter attached and activated will you get events from this provider. The details of this facility are undocumented and subject to change. All the logic of the netsh trace commands is implemented in nettrace.dll, which you can reverse engineer with the assistance of Microsoft's public symbols. Specifically, the CInboxCapture class has code which determines whether the driver has been started, binds it to the appropriate network interfaces and starts it. If you start the capturing filter driver the way nettrace.dll does, you'll get your packet capture events.

Good luck.
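The answer above describes the undocumented route (reimplementing what nettrace.dll's CInboxCapture does). Since Windows 8.1 / Server 2012 R2 the same inbox NDIS capture filter can be attached through the documented NetEventPacketCapture cmdlets, which is the route a practitioner would normally take today. The script below is an added example, not code from either answer or from the linked project; the session name, output path, test host and truncation length are arbitrary choices for the demo. It creates an ETW session, binds the capture filter by adding the packet-capture provider, starts the session, checks that a live ETW logger exists, and then verifies that Microsoft-Windows-NDIS-PacketCapture events were actually produced.

```powershell
# Added example (not part of the original thread). Assumes Windows 8.1 / Server 2012 R2
# or later, an elevated prompt, and the inbox NetEventPacketCapture module.
#Requires -RunAsAdministrator
$SessionName = 'NdisPacketCaptureDemo'                 # arbitrary demo name
$EtlPath     = Join-Path $env:TEMP "$SessionName.etl"  # arbitrary demo path

# 1. Create the ETW session. SaveToFile is used here so the result can be inspected with
#    Get-WinEvent afterwards. For a programmatic real-time consumer (OpenTrace/ProcessTrace
#    with PROCESS_TRACE_MODE_REAL_TIME) use -CaptureMode RealtimeLocal instead; the
#    consumer then attaches to the live session by the logger name shown by 'logman query -ets'.
New-NetEventSession -Name $SessionName -CaptureMode SaveToFile `
    -LocalFilePath $EtlPath -MaxFileSize 50 | Out-Null

# 2. Adding the packet-capture provider is the step that binds the NDIS capture
#    lightweight filter to the interfaces. Enabling the provider GUID in a plain ETW
#    session without this binding yields no packet events. TruncationLength caps the
#    number of bytes kept per frame (128 is enough for headers, not payload).
Add-NetEventPacketCaptureProvider -SessionName $SessionName -Level 4 `
    -CaptureType Physical -TruncationLength 128 | Out-Null

# 3. Start: activates the filter on the bound interfaces and enables the provider.
Start-NetEventSession -Name $SessionName

# Check: the session is now a live ETW logger like any other -ets session.
logman query -ets | Select-String $SessionName

# Generate some traffic so the provider has frames to report (host is arbitrary).
Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 -InformationLevel Quiet | Out-Null
Start-Sleep -Seconds 2

# 4. Stop and tear down. Removing the session detaches the filter again.
Stop-NetEventSession -Name $SessionName
Remove-NetEventSession -Name $SessionName

# 5. Verify that events from this provider actually landed (-Oldest is required for .etl).
$events = Get-WinEvent -Path $EtlPath -Oldest |
    Where-Object ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture'
"$($events.Count) NDIS-PacketCapture events captured"
$events | Group-Object Id | Select-Object Name, Count
```

If step 5 reports zero events, the usual causes are running without elevation (the cmdlets fail to bind the filter) or traffic that does not traverse the bound physical adapters; `Get-NetEventPacketCaptureProvider -SessionName` and `Get-NetEventNetworkAdapter` show what the session is actually bound to before you start it.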


For what it's worth, I did find one example of a real-time ETW consumer (the example is for IIS web server): http://blogs.iis.net/eokim/archive/2009/05/15/consume-iis-etw-tracing.aspx


Here's a commented C++ example application that demonstrates simultaneous real-time ETW sessions for packet capture and kernel events.

https://github.com/packetzero/etwrealtime