Using Netsh to Manage Traces
In Windows 7, netsh.exe can be used from a command prompt to enable and configure network traces. This section describes some of the netsh.exe commands which can help in troubleshooting tracing issues, including the new netsh trace functionality. Note that the netsh commands must be run from an elevated command prompt.
Scenarios are predefined sets of trace providers which can be enabled for troubleshooting. To display the list of available network-related scenarios, type netsh trace show scenarios (netsh trace show providers lists every one of the available providers, including ones that are not relevant to networking).
When you have identified a scenario that looks relevant to your issues, you can see a list of all of the providers included in that scenario. For example, to see all of the providers enabled under the InternetClient scenario, type netsh trace show scenario internetclient.
You can start a trace for all of the providers in a given scenario or set of scenarios. For example, to start a trace for all of the providers enabled under the InternetClient scenario, type netsh trace start scenario=internetclient. To capture providers for more than one scenario, you can specify all of the appropriate scenarios, such as netsh trace start scenario=FileSharing scenario=DirectAccess. Note that only one tracing session may be enabled at a time; it is not possible to simultaneously capture trace information from different sets of providers in separate files.
You can also start a trace for additional providers not included in that particular scenario. For example, you might want to start traces for all of the providers enabled under the WLAN scenario and also the DHCP provider. To do this, type netsh trace start scenario=wlan provider=Microsoft-Windows-Dhcp-Client.
You can also see more details about a specific provider by typing netsh trace show provider followed by the provider name.
To see all of the options and filters available you can type netsh trace start /?.
To stop tracing, type netsh trace stop.
Using the output files
When tracing is stopped, two files are generated by default: an Event Trace Log (ETL) file and a .cab file.
Trace events are collected in the ETL file, which can be viewed using tools such as Network Monitor. The ETL file will be named nettrace.etl by default, or you can specify a different name by including tracefile=filename.etl when starting the trace.
The .cab file contains rich information about the software and hardware on the system such as the adapter information, build, operating system, and wireless settings. The .cab file will be named nettrace.cab by default, unless another name was specified as indicated above.
This .cab file will contain two files, which will always have the same name. Report.etl is another copy of the same information included in nettrace.etl. The report.html file includes additional information about the trace events and the other information collected. To receive the most details available, include the command report = yes when starting a trace.
Using filters to reduce the amount of data in the ETL trace file
When captures happen over a long period of time, the ETL trace file can become very large. In scenarios where multiple providers are enabled, resulting in high traffic, ETW buffer constraints may cause some traces to be dropped. Aside from this consideration, reducing the amount of data in the ETL trace file can help make troubleshooting easier by reducing the amount of data to review.
Netsh trace filters can be used to reduce the ETL trace file size. These trace filters are ETW levels and keywords that can be applied to individual providers.
To see a list of filters which can be applied, type netsh trace start /?
An example of a filter is netsh trace start InternetClient provider=Microsoft-Windows-TCPIP level=5 keywords=ut:ReceivePath,ut:SendPath.
In this example, the level is set to 5, which means that the maximum number of events will be shown. The following table shows the settings available:
|1||Critical||Only critical events will be shown.|
|2||Errors||Critical events and errors will be shown.|
|3||Warnings||Critical events, errors, and warnings will be shown.|
|4||Informational||Critical events, errors, warnings, and informational events will be shown.|
|5||Verbose||All events will be shown.|
The keywords ut:ReceivePath and ut:SentPath filters the events to show only those events traced on the receive or send path. A complete list of keywords for a specific provider can be found by typing netsh trace show provider followed by the provider name. For example, typing netsh trace show provider Microsoft-Windows-TCPIP will display information about the Microsoft-Windows-TCPIP provider, including a list of keywords.
Netsh also supports packet filtering capability (similar to Network Monitor) when packet capturing is turned on (by setting capture = yes). Packet filtering can be used to capture a limited number of packets in a trace file. For example, netsh trace start capture = yes ipv4.address == x.x.x.x , where x.x.x.x is the IP address, will only capture packets with ipv4 traffic with that specific source or destination address.
For additional information about how to use packet filtering, you can type netsh trace show capturefilterHelp.