Netsh Trace–Use It!

One of the great advantages of Windows 7/2008 R2 is the built in network tracing capability. (I think this was included in Vista/Server 2008 but that memory has been erased from my mind)

NetSh itself has now become a vastly powerful command line tool – I highly recommend that anyone providing support on Windows systems examine all the options available here.

In the past, if you wanted to do network packet tracing you needed to install a tool such as WireShark or Microsoft Network Monitor on the end user’s machine. With Windows 7 that is no longer necessary.

Advantages of using NetSh Tracing:

  • Nothing to install
  • Ability to do persistent tracing (across reboots)
  • Circular logging capability – so you can leave monitoring running indefinitely until the issue re-occurs
  • Ability to focus monitoring on a specific scenario
  • Packet traces are viewable in Microsoft’s Network Monitor with the Windows parser enabled. This also lets us see MS traffic in a “friendly” translation – i.e. SMB / WMI traffic is presented pretty nicely.
  • Ability to generate a report along with the packet trace, which includes just about everything you need to know about the network; everything is stored in a single .CAB for easy transportation

So first – how do we start tracing?

A basic way to start a trace that persists across reboots, uses circular logging and generates a report is:

netsh trace start capture=YES report=YES persistent=YES

Then, when you want to stop tracing:

netsh trace stop


You will get a .CAB file (Report) and .ETL file (Capture)
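The start/stop sequence above wrapped in a script, as an added example that is not code from the original post. It checks for elevation first (the error a non-elevated prompt produces is quoted in the comments below), writes the trace to a local folder rather than the user profile, and after stopping checks that the .ETL and .CAB were produced. The C:\Temp\NetTrace path is a constructed choice, and the assumption that netsh names the report after the trace file (NetTrace.cab beside NetTrace.etl) is this example’s, not stated in the post.

```powershell
# Added example (not from the original post): start a persistent, circular
# netsh trace with a report, then stop it and confirm the output files.
# Assumptions: C:\Temp\NetTrace is a constructed local folder, and netsh
# names the report <tracefile basename>.cab next to the .etl.

$traceDir  = 'C:\Temp\NetTrace'
$traceFile = Join-Path $traceDir 'NetTrace.etl'

# netsh trace needs an elevated prompt; fail early with a clear message
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh trace requires elevation: run this from an elevated PowerShell prompt.'
}

New-Item -ItemType Directory -Path $traceDir -Force | Out-Null

# Start: packet capture on, report on, survives reboots, 100 MB circular file.
# Each argument is a separate token so netsh sees plain name=value pairs.
& netsh.exe trace start capture=yes report=yes persistent=yes `
    maxSize=100 fileMode=circular "traceFile=$traceFile"
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

Write-Host "Tracing to $traceFile. Reproduce the issue, then press Enter to stop."
[void](Read-Host)

# Stop: netsh flushes the .etl and builds the .cab report (this can take a while)
& netsh.exe trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Confirm what was produced: the capture (.etl) and the report (.cab)
$cabFile = [IO.Path]::ChangeExtension($traceFile, '.cab')
foreach ($f in $traceFile, $cabFile) {
    if (Test-Path $f) {
        $mb = [math]::Round((Get-Item $f).Length / 1MB, 1)
        Write-Host ("{0,-40} {1,8} MB" -f $f, $mb)
    } else {
        Write-Warning "Expected output not found: $f"
    }
}
```

Because persistent=yes keeps the session alive across reboots until netsh trace stop is issued, run the stop step from the same elevated context even if the machine rebooted in between.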


Included in the .CAB file is

  • Report (Report.html / Report.xml / Report.xsl / Report.etl)

The HTML report looks like this:

[screenshot: Report.html]

The Report.etl can be viewed in Microsoft Network Monitor; it contains hardware/process/software information.


You will also get a series of .xml files with GUIDs in the filename. These are all the network profiles on the machine.



Under the Config folder of the CAB file you get the following files:

adapterinfo.txt – All installed network drivers: Description, Hardware ID, GUID, Version and Provider
ConfigData.xml – some useless? data about the CAB file
Dns.txt – Combined output of IPCONFIG /DISPLAYDNS, NETSH NAMESPACE SHOW EFFECTIVE and NETSH NAMESPACE SHOW POLICY
envinfo.txt – Detailed info on wireless & wired adapters and network profiles, including which authentication and cipher modes your wireless adapter supports, whether it supports 802.11a/b/g/n, whether FIPS 140-2 mode is supported, etc.
FileSharing.txt – Combined output of NBTSTAT –N, NBTSTAT –C, NET CONFIG RDR, NET CONFIG SRV, NET SHARE
GPInfo.xml – some useless? data
gpresult.txt – gpresult /v output
LocaleMetaData – folder with MTA log files for WCM, Windows Firewall, Wireless/Wired Auto Config
Neighbors.txt – Combined output of ARP –A, NETSH INT IPV6 SHOW NEIGHBORS
netevents.xml – Some network events (i.e. FWPM_NET_EVENT_TYPE_CLASSIFY_DROP) in XML format
neteventslog.txt – advises you that the above XML was generated successfully
netiostate.txt – Teredo parameters
osinfo.txt – Architecture & build version of the OS. Some info such as whether the OS was installed as an upgrade or clean, whether running on battery, output of SystemInfo, user name/domain/profile location
SSOInfo.xml – more useless? info
sysports.xml – system ports, related to Teredo / IP Helper service (I think)
sysportslog.txt – advises you that the above was generated successfully
upgMigInfo.xml – useless?
WCMLog.evtx – The Microsoft-Windows-Wcmsvc/Operational log (Windows Connection Manager)
WcnInfo.txt – Service status of wcnsvc, wlansvc, eaphost, fdrespub, upnphost, eaphost; WCN DLL file version info; network adapter info; network discovery status for the current profile; current firewall profile information
wfpfilters.xml – WFP filter info
wfplog.log – advises that the above log was generated successfully
wfpstate.xml – WFP state info
wfpstatelog.txt – advises that the above log was generated successfully
WindowsFirewallConfig.txt – Windows Firewall configuration
WindowsFirewallConsecLog.evtx – Windows Firewall event log
WindowsFirewallConsecLogVerbose.evtx – Windows Firewall event log
WindowsFirewallEffectiveRules.txt – Windows Firewall effective rules
WindowsFirewallLog.evtx – Windows Firewall event log
WindowsFirewallLogVerbose.evtx – Windows Firewall event log
WinsockCatalog.txt – Details of all installed Winsock Catalog providers
WLANAutoConfigLog.evtx – Wired LAN Auto-Config event log
WWANLog.evtx – Wireless LAN Auto-Config event log
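A script to unpack the report .CAB and inventory the Config files listed above, added here as an example and not code from the original post. It checks which of the documented files are present, counts the FWPM_NET_EVENT_TYPE_CLASSIFY_DROP entries in netevents.xml with a plain text match (so it does not depend on the XML schema, which the post does not describe), and reads the bundled .evtx logs. The .cab path is a constructed example and expand.exe is assumed to be the Windows built-in.

```powershell
# Added example (not code from the original post): unpack a netsh trace
# report .cab and inventory the Config files described above, then pull
# two quick facts out of it: the number of WFP classify-drop events in
# netevents.xml and the event count in each bundled .evtx log.
# Assumptions: expand.exe (shipped with Windows) is available, and the
# .cab path below is a constructed example.

param(
    [string] $CabPath = 'C:\Temp\NetTrace\NetTrace.cab',
    [string] $OutDir  = 'C:\Temp\NetTrace\Report'
)

if (-not (Test-Path $CabPath)) { throw "Report cab not found: $CabPath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -F:* extracts every member of the cabinet into $OutDir
& expand.exe -F:* $CabPath $OutDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

# Files the post documents under Config; search recursively so the check
# does not depend on whether the folder layout survived extraction
$expected = 'adapterinfo.txt', 'Dns.txt', 'envinfo.txt', 'FileSharing.txt',
            'gpresult.txt', 'Neighbors.txt', 'netevents.xml', 'osinfo.txt',
            'WcnInfo.txt', 'wfpfilters.xml', 'wfpstate.xml',
            'WindowsFirewallConfig.txt', 'WindowsFirewallEffectiveRules.txt',
            'WinsockCatalog.txt'
$found = @{}
Get-ChildItem -Path $OutDir -Recurse -File | ForEach-Object { $found[$_.Name] = $_.FullName }
foreach ($name in $expected) {
    $state = if ($found.ContainsKey($name)) { 'ok' } else { 'MISSING' }
    Write-Host ("{0,-36} {1}" -f $name, $state)
}

# netevents.xml lists WFP events such as FWPM_NET_EVENT_TYPE_CLASSIFY_DROP;
# a plain text match keeps this independent of the exact XML schema
if ($found.ContainsKey('netevents.xml')) {
    $drops = Select-String -Path $found['netevents.xml'] `
                 -Pattern 'FWPM_NET_EVENT_TYPE_CLASSIFY_DROP' -AllMatches |
             ForEach-Object { $_.Matches.Count } | Measure-Object -Sum
    Write-Host "WFP classify-drop events recorded: $([int]$drops.Sum)"
}

# The firewall and auto-config logs ship as .evtx and can be read directly;
# an empty log yields no events rather than an error
foreach ($evtx in (Get-ChildItem -Path $OutDir -Recurse -Filter '*.evtx')) {
    $events = @(Get-WinEvent -Path $evtx.FullName -ErrorAction SilentlyContinue)
    Write-Host ("{0,-40} {1,6} events" -f $evtx.Name, $events.Count)
}
```

A high classify-drop count is a quick pointer to the Windows Firewall / WFP configuration (wfpfilters.xml, WindowsFirewallEffectiveRules.txt) when a connection fails without an obvious reason in the packet capture.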

When performing tracing your full options available are:

  Usage: trace start [[scenario=]<scenario1,scenario2>]
    [[globalKeywords=]keywords] [[globalLevel=]level]
    [[capture=]yes|no] [[report=]yes|no]
    [[persistent=]yes|no] [[traceFile=]path\filename]
    [[maxSize=]filemaxsize] [[fileMode=]single|circular|append]
    [[overwrite=]yes|no] [[correlation=]yes|no|disabled] [capturefilters]
    [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet] 
    [[level=]level] [[provider=]provider2IdOrName]
    [[keywords=]keyword2MaskOrSet] [[level=]level2] …

Defaults:
    capture=no (specifies whether packet capture is enabled in addition to trace events)
    report=no (specifies whether a complementing report will be generated along with the trace file)
    persistent=no (specifies whether the tracing session continue across reboots, and is on until netsh trace stop is issued)
    maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
    fileMode=circular
    overwrite=yes (specifies whether an existing trace output file will be overwritten)
    correlation=yes (specifies whether related events will be correlated and grouped together)
    traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
        (specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.

For example:

netsh trace start scenario=InternetClient capture=yes

    Starts tracing for the InternetClient scenario and dependent providers with packet capture enabled.
    Tracing will stop when the “netsh trace stop” command is issued or when the system reboots. Default location and name will be used for the output file. If an old file exists, it will be overwritten.

netsh trace start provider=microsoft-windows-wlan-autoconfig
    keywords=state,ut:authentication

    Starts tracing for the microsoft-windows-wlan-autoconfig provider. Tracing will stop when the “netsh trace stop” command is issued or when the system reboots.
    Default location and name will be used for the output file. If an old file exists, it will be overwritten.
    Only events with keyword ‘state’ or ‘ut:authentication’ will be logged.

   netsh trace show provider command can be used to display
        supported keywords and levels.

Capture Filters:
    Capture filters are only supported when capture is explicitly enabled with capture=yes. Use ‘netsh trace show CaptureFilterHelp’ to display a list of supported capture filters and their usage.

 

Now for the supported scenarios. On Windows Developer Preview, running netsh trace show scenarios gives the following:

AddressAcquisition       : Troubleshoot address acquisition-related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Set of HTTP service counters
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
MBN                      : Troubleshoot mobile broadband related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
P2P-Grouping             : Troubleshoot Peer-to-Peer Grouping related issues
P2P-PNRP                 : Troubleshoot Peer Name Resolution Protocol (PNRP) related issues
RemoteAssistance         : Troubleshoot Windows Remote Assistance related issues
RPC                      : Troubleshoot issues related to RPC framework
WCN                      : Troubleshoot Windows Connect Now related issues
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

When running netsh trace show providers I get over 850 different providers. If you want to examine these, run it on your machine.

Running netsh trace show CaptureFilterHelp I get the following info:

  Capture Filters:
    Capture filters are only supported when capture is explicitly
    enabled with capture=yes. Supported capture filters are:

    CaptureInterface=<interface name or GUID>
     Enables packet capture for the specified interface name or GUID. Use
     ‘netsh trace show interfaces’ to list available interfaces.
    e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
    e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
    e.g. CaptureInterface="Local Area Connection"

    Ethernet.Address=<MAC address>
     Matches the specified filter against both source and destination
     MAC addresses.
    e.g. Ethernet.Address=00-0D-56-1F-73-64

    Ethernet.SourceAddress=<MAC address>
     Matches the specified filter against source MAC addresses.
    e.g. Ethernet.SourceAddress=00-0D-56-1F-73-64

    Ethernet.DestinationAddress=<MAC address>
     Matches the specified filter against destination MAC addresses.
    e.g. Ethernet.DestinationAddress=00-0D-56-1F-73-64

    Ethernet.Type=<ethertype>
     Matches the specified filter against the MAC ethertype.
    e.g. Ethernet.Type=IPv4
    e.g. Ethernet.Type=NOT(0x86DD)
    e.g. Ethernet.Type=(IPv4,IPv6)

    Wifi.Type=<Management|Data>
     Matches the specified filter against the Wifi type. Allowed values
     are ‘Management’ and ‘Data’. If not specified, the Wifi.Type filter
     is not applied.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. Wifi.Type=Management

    Protocol=<protocol>
     Matches the specified filter against the IP protocol.
    e.g. Protocol=6
    e.g. Protocol=!(TCP,UDP)
    e.g. Protocol=(4-10)

    IPv4.Address=<IPv4 address>
     Matches the specified filter against both source and destination
     IPv4 addresses.
    e.g. IPv4.Address=157.59.136.1
    e.g. IPv4.Address=!(157.59.136.1)
    e.g. IPv4.Address=(157.59.136.1,157.59.136.11)

    IPv4.SourceAddress=<IPv4 address>
     Matches the specified filter against source IPv4 addresses.
    e.g. IPv4.SourceAddress=157.59.136.1

    IPv4.DestinationAddress=<IPv4 address>
     Matches the specified filter against destination IPv4 addresses.
    e.g. IPv4.DestinationAddress=157.59.136.1

    IPv6.Address=<IPv6 address>
     Matches the specified filter against both source and destination
     IPv6 addresses.
    e.g. IPv6.Address=fe80::5038:3c4:35de:f4c3\%8
    e.g. IPv6.Address=!(fe80::5038:3c4:35de:f4c3\%8)

    IPv6.SourceAddress=<IPv6 address>
     Matches the specified filter against source IPv6 addresses.
    e.g. IPv6.SourceAddress=fe80::5038:3c4:35de:f4c3\%8

    IPv6.DestinationAddress=<IPv6 address>
     Matches the specified filter against destination IPv6 addresses.
    e.g. IPv6.DestinationAddress=fe80::5038:3c4:35de:f4c3\%8

    CustomMac=<type(offset,value)>
     Matches the specified filter against the value at the specified
     offset starting with the MAC header.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. CustomMac=UINT8(0x1,0x23)
    e.g. CustomMac=ASCIISTRING(3,test)
    e.g. CustomMac=UNICODESTRING(2,test)

    CustomIp=<type(offset,value)>
     Matches the specified filter against the value at the specified
     offset starting with the IP header.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. CustomIp=UINT16(4,0x3201)
    e.g. CustomIp=UINT32(0x2,18932)

    CaptureMultiLayer=<yes|no>
     Enables multi-layer packet capture.
     Note: This capture filter does not support ranges, lists or negation.

    PacketTruncateBytes=<value>
     Captures only the the specified number of bytes of each packet.
     Note: This capture filter does not support ranges, lists or negation.
    e.g. PacketTruncateBytes=40

Note:
    Multiple filters may be used together. However the same filter may
    not be repeated.
    e.g. ‘netsh trace start capture=yes Ethernet.Type=IPv4
          IPv4.Address=157.59.136.1’
 
    Filters need to be explicitly stated when required. If a filter is
    not specified, it is treated as “don’t-care”.
     e.g. ‘netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1’
          This will capture IPv4 packets only from 157.59.136.1, and it
          will also capture packets with non-IPv4 Ethernet Types, since
          the Ethernet.Type filter is not explicitly specified.
     e.g. ‘netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1
           Ethernet.Type=IPv4’
          This will capture IPv4 packets only from 157.59.136.1. Packets
          with other Ethernet Types will be discarded since an explicit
          filter has been specified.
 
    Capture filters support ranges, lists and negation (unless stated
    otherwise).
     e.g. Range: ‘netsh trace start capture=yes Ethernet.Type=IPv4
                  Protocol=(4-10)’
          This will capture IPv4 packets with protocols between 4 and 10
          inclusive.
     e.g. List: ‘netsh trace start capture=yes Ethernet.Type=(IPv4,IPv6)’
          This will capture only IPv4 and IPv6 packets.
     e.g. Negation: ‘netsh trace start capture=yes Ethernet.Type=!IPv4’
          This will capture all non-IPv4 packets.
 
    Negation may be combined with lists in some cases.
     e.g. ‘netsh trace start capture=yes Ethernet.Type=!(IPv4,IPv6)’
           This will capture all non-IPv4 and non-IPv6 packets.
 
    ‘NOT’ can be used instead of ‘!’ to indicate negation. This requires
    parentheses to be present around the values to be negated.
     e.g. ‘netsh trace start capture=yes Ethernet.Type=NOT(IPv4)’

 

The level= option is not documented in the netsh command-line help, but is documented here: http://msdn.microsoft.com/en-us/library/windows/desktop/dd569142(v=vs.85).aspx

The levels are from 1 to 5:

  • 1 – Critical – Only critical events will be shown.
  • 2 – Errors – Critical events and errors will be shown.
  • 3 – Warnings – Critical events, errors, and warnings will be shown.
  • 4 – Informational – Critical events, errors, warnings, and informational events will be shown.
  • 5 – Verbose – All events will be shown.
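The option syntax, the capture-filter rules from netsh trace show CaptureFilterHelp and the level list above, pulled together in a helper that composes and sanity-checks a netsh trace start command line before you run it. This is an added example, not code from the original post or part of netsh; New-NetshTraceStart, Format-NetshCommand and their parameters are this example’s own names. It enforces the rules the help states: capture filters need capture=yes, a filter may not be repeated, the filters marked as not supporting ranges, lists or negation reject those forms, an IPv4 filter without Ethernet.Type still admits non-IPv4 frames, and provider levels run from 1 to 5.

```powershell
# Added example (not code from the original post): build and sanity-check a
# "netsh trace start" command line from the options, capture filters and
# levels described above, before running it. New-NetshTraceStart and its
# parameters are this example's own names, not part of netsh.

function New-NetshTraceStart {
    param(
        [string[]]    $Scenario,              # e.g. InternetClient, NetConnection
        [hashtable[]] $Provider,              # @{ Name=..; Keywords=..; Level=1..5 }
        [hashtable]   $CaptureFilter = @{},   # e.g. @{ 'Ethernet.Type' = 'IPv4' }
        [switch]      $Capture,
        [switch]      $Report,
        [switch]      $Persistent,
        [string]      $TraceFile,
        [int]         $MaxSizeMB = 250,
        [ValidateSet('single', 'circular', 'append')]
        [string]      $FileMode = 'circular'
    )

    # Filters the help marks as "does not support ranges, lists or negation"
    $noRangeListNegation = 'Wifi.Type', 'CustomMac', 'CustomIp',
                           'CaptureMultiLayer', 'PacketTruncateBytes'

    $tokens = @('trace', 'start')
    if ($Scenario)   { $tokens += "scenario=$($Scenario -join ',')" }
    if ($Capture)    { $tokens += 'capture=yes' }
    if ($Report)     { $tokens += 'report=yes' }
    if ($Persistent) { $tokens += 'persistent=yes' }
    if ($TraceFile)  { $tokens += "traceFile=$TraceFile" }
    $tokens += "maxSize=$MaxSizeMB", "fileMode=$FileMode"

    if ($CaptureFilter.Count -gt 0 -and -not $Capture) {
        throw 'Capture filters are only honoured when capture=yes is set.'
    }
    # A hashtable cannot hold a key twice, which enforces "the same filter
    # may not be repeated". Lists and ranges start with "(", negation with
    # "!" or "NOT(", so one pattern catches all three forms.
    foreach ($name in $CaptureFilter.Keys) {
        $value = [string]$CaptureFilter[$name]
        if ($noRangeListNegation -contains $name -and $value -match '^(!|NOT\s*\(|\()') {
            throw "$name does not support ranges, lists or negation: '$value'"
        }
        $tokens += "$name=$value"
    }
    # Unspecified filters are "don't care": an IPv4 filter alone still lets
    # non-IPv4 frames through unless Ethernet.Type is pinned as well.
    $ipv4Only = $CaptureFilter.Keys | Where-Object { $_ -like 'IPv4.*' }
    if ($ipv4Only -and -not $CaptureFilter.ContainsKey('Ethernet.Type')) {
        Write-Warning 'IPv4.* filter without Ethernet.Type: non-IPv4 frames will still be captured.'
    }

    foreach ($p in $Provider) {
        $tokens += "provider=$($p.Name)"
        if ($p.Keywords) { $tokens += "keywords=$($p.Keywords)" }
        if ($p.ContainsKey('Level')) {
            if ($p.Level -lt 1 -or $p.Level -gt 5) {
                throw "Level for $($p.Name) must be 1 (critical) .. 5 (verbose)"
            }
            $tokens += "level=$($p.Level)"
        }
    }
    return $tokens
}

# Render tokens the way you would type them at a prompt; a token containing
# spaces (an interface name) is quoted whole, which netsh receives as one argument
function Format-NetshCommand([string[]] $Tokens) {
    'netsh ' + (($Tokens | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' ')
}

# Example 1: web connectivity scenario, IPv4 frames from one source host only
$web = New-NetshTraceStart -Scenario InternetClient -Capture -Report `
        -CaptureFilter @{ 'Ethernet.Type' = 'IPv4'; 'IPv4.SourceAddress' = '157.59.136.1' }
Format-NetshCommand $web

# Example 2: wlan-autoconfig provider at warning level, management frames on one interface
$wlan = New-NetshTraceStart -Capture `
        -Provider @{ Name = 'microsoft-windows-wlan-autoconfig'; Keywords = 'state,ut:authentication'; Level = 3 } `
        -CaptureFilter @{ 'CaptureInterface' = 'Local Area Connection'; 'Wifi.Type' = 'Management' }
Format-NetshCommand $wlan

# Example 3: rejected, because Wifi.Type does not accept negation
try { New-NetshTraceStart -Capture -CaptureFilter @{ 'Wifi.Type' = '!Data' } | Out-Null }
catch { Write-Host "Rejected: $_" }

# Run one of them only once the rendered command reads correctly (elevated prompt):
# & netsh.exe @web
```

Keeping the filters in a hashtable is deliberate: it makes the "same filter may not be repeated" rule impossible to break by construction, and the warning about a missing Ethernet.Type is the mistake the help text itself calls out.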

Finally, some tips for your monitoring:

  • If you are monitoring Outlook traffic, disable encryption for the period of monitoring (during this period anyone with network access between you and the Exchange server can potentially read the emails that are sent and received, so re-enable it as soon as the capture is done)
  • If monitoring HTTP/HTTPS traffic, consider using Fiddler2 (http://www.fiddler2.com)
  • When installing Microsoft Network Monitor (http://www.microsoft.com/download/en/details.aspx?id=4865), always install the latest parsers afterwards from http://nmparsers.codeplex.com/
  • To view .ETL packet captures in Network Monitor you must select the Windows parser. This is in Microsoft Network Monitor’s Tools | Options menu


Enjoy NetSh Trace. Let me know your NetSh success stories!

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

9 Responses to Netsh Trace–Use It!

  1. George says:

    I followed the steps as directed and it read “The requested operation requires elevation (Run as administrator).” How do I fix this problem?

  2. Mike Finnigan says:

    GREAT BLOG. TON OF USEFUL STUFF. THANKS!

  3. Dinesh says:

    Can the trace be stopped under a different user profile? I started the trace with my username on a server. I want to stop the capture as soon as we see the error message, whoever is logged on the server during that time.

  4. rks says:

    How do I use this on WinPE? Do I need to include any package?
    When I execute “netsh trace” I get “The following command was not found: trace”

    • In the past it required significant hacking to get it to work in WinPE; I’m not sure whether the latest versions have a package for it. As a result, when in WinPE, to get a packet capture I have typically used a version of tcpdump compiled for Windows, or if I’m debugging a specific issue that I can reproduce, I reproduce the issue within a VM and use Wireshark on the host to trace the virtual network adapter used by the VM. If the traffic you are trying to capture is HTTP/HTTPS traffic only, you can also use Fiddler on another machine; enable remote connections; then point your WinPE proxy settings to this machine.

  5. voja molgya says:

    Be very careful. Windows 2012 R2 and “persistent=yes” parameter, followed by a reboot, gives a situation where the trace can never be stopped. Still trying to find out how to make it stop – “netsh trace stop” does not help.

    • I recommend you change the default location to a local folder, not the user profile, to reduce the chance of this problem, i.e. tracefile=c:\temp\trace.etl. I haven’t tested this, but maybe removing the registry key with -NetTrace in the name under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger, coupled with a reboot, may resolve the problem, or resetting the key under HKEY_CURRENT_USER\System\CurrentControlSet\Control\NetTrace to OS defaults.
