tjwillians74 asked GaryNebbett answered

Command netsh Missing Scenario "netconnection"

I have a question about netsh scenarios. I'm trying to run the following command:

 netsh trace start scenario=netconnection capture=yes report=yes overwrite=yes persistent=yes traceFile=C:\filename.etl maxsize=1024 fileMode=circular 

But it tells me 'netconnection' is not a valid scenario.

These are what's available for scenarios:

 netsh trace>show scenarios
    
 Available scenarios (8):
 -------------------------------------------------------------------
 AddressAcquisitionServer : Troubleshoot address acquisition server related issues
 DirectAccess             : Troubleshoot DirectAccess related issues
 FileSharing              : Troubleshoot common file and printer sharing problems
 InternetClient           : Diagnose web connectivity issues
 InternetServer           : Set of HTTP service counters
 NDIS                     : Troubleshoot network adapter related issues
 Virtualization           : Troubleshoot network connectivity issues in virtualization environment
 WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues

I know I've used scenario=netconnection before, although I'm not sure on what OS. I'm running this command now on a Server 2019 Core. I'm not sure if there is a workaround or if I should just use the NDIS or Virtualization scenario instead. If I use no scenario, I assume it captures everything?



windows-server windows-server-hyper-v windows-server-clustering windows-platform-network windows-server-core

1 Answer

GaryNebbett answered

Hello @tjwillians74,

If you omit the scenario then your "netsh trace" command will just capture the network traffic; the events generated by other Event Tracing for Windows (ETW) providers will not be included in the trace file.

The list of scenarios is obtained by querying the registry; the list of scenarios on a Windows 11 client includes the NetConnection scenario.

A scenario is just a list of additional ETW providers (with associated keywords and levels) - you can trace the same data by just listing the ETW providers in the "netsh trace" command.

Which additional providers, present in the NetConnection scenario, are of particular use to you? How do you analyse the resulting trace file?

Gary
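
The answer's point that a scenario is only a list of ETW providers can be applied by converting a scenario definition into explicit `provider=` arguments. The following is an added example, not part of the original answer: it assumes the text was saved from `netsh trace show scenario NetConnection` on a machine that has the scenario and that each provider block carries Guid, Level and Keywords lines; the function name, provider names and GUIDs in the sample are constructed placeholders.

```powershell
# Added example: rebuild a netsh trace scenario as an explicit provider list.
# Assumption: the input is saved "netsh trace show scenario <name>" output and
# each provider block has "Guid:", "Level:" and "Keywords:" lines. The exact
# layout can differ between Windows builds, so check the parsed result.
function ConvertTo-NetshProviderArgs {
    param([Parameter(Mandatory)][string[]]$ScenarioText)

    $providers = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $ScenarioText) {
        if ($line -match 'Guid:\s*(\{[0-9A-Fa-f-]{36}\})') {
            # A GUID line opens a new provider entry.
            $current = [ordered]@{ Guid = $Matches[1]; Level = $null; Keywords = $null }
            $providers.Add($current)
        }
        elseif ($null -ne $current -and $line -match 'Level:\s*(\d+)') {
            $current.Level = $Matches[1]
        }
        elseif ($null -ne $current -and $line -match 'Keywords:\s*(0x[0-9A-Fa-f]+)') {
            $current.Keywords = $Matches[1]
        }
    }
    if ($providers.Count -eq 0) { throw 'No provider GUIDs found; check the input layout.' }

    foreach ($p in $providers) {
        $arg = "provider=$($p.Guid)"
        if ($p.Level)    { $arg += " level=$($p.Level)" }
        if ($p.Keywords) { $arg += " keywords=$($p.Keywords)" }
        $arg
    }
}

# Constructed sample input (placeholder names and GUIDs, not real providers).
$sample = @'
Provider:
    Name:           Example-Provider-A
    Provider Guid:  {00000000-0000-0000-0000-00000000000A}
    Level:          4 (Informational)
    Keywords:       0xFFFFFFFFFFFFFFFF
Provider:
    Name:           Example-Provider-B
    Provider Guid:  {00000000-0000-0000-0000-00000000000B}
    Level:          5 (Verbose)
'@ -split "`r?`n"

# Same options as the command in the question, with the scenario replaced.
$providerArgs = ConvertTo-NetshProviderArgs -ScenarioText $sample
'netsh trace start capture=yes report=yes overwrite=yes persistent=yes ' +
    'traceFile=C:\filename.etl maxsize=1024 fileMode=circular ' + ($providerArgs -join ' ')
```

The emitted line is meant to be pasted into cmd.exe; if it is run from PowerShell instead, quote each `provider={...}` argument because unquoted braces are parsed as script-block syntax.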
