Friday, February 6, 2015

Using NetSh to Capture Network Traces



Scenario


You have a client / server application that appears to be running slowly and you suspect the issue is network related.  You want to capture a network trace from the client and the server at the same time, but you don't want to install Wireshark or Network Monitor on either machine.

Netsh Trace


In the above scenario, it is important to get a simultaneous network trace from the client and the server while the problem is occurring. Open an administrative command prompt on both the client and on the server.  Enter the following command into both prompts:

netsh trace start capture=yes

Then launch the application to reproduce the slowness.  If it takes a long time for the application to launch, then continue to capture until the application is fully launched.  If some functionality within the application is slow, then be sure to capture the entire period of slowness in your trace.

Once you have gathered the data you need, use the following command to stop the trace:

netsh trace stop

Your command line should look like the above command line.  Notice that, by default, the max size of the trace file will be 250MB, that it is circular (it will overwrite the oldest data once the file size reaches 250MB), and that it shows you the path where the .etl trace will be stored.

Notice that the file has an .etl extension.  You might be thinking "Hey wait, shouldn't it be a .cap file? After all, when you capture a netmon trace, you save it as a .cap file."  You can open this .etl file in Microsoft Network Monitor.

When you open the .etl file with Network Monitor, you will need to set your parser profile to "Windows".  You do this by going to Tools > Options.  Under the Parser Profile tab, click on the Windows package and then click Set as Active.



If you go to the location where your .etl file is stored, you will notice two files.  You will have the .etl file, but you also have a .cab file. Now this is the crazy awesome part! That .cab file has all sorts of useful information in addition to your network trace!


When you extract the .cab file you get the following information about the machine that the trace was run on:


If you just run a network trace, you usually have to make sure you gather additional information like the IP address of the machine.  When you run this trace, you have so much more than a simple network trace.

Now the command I gave above is as basic as you can get for a network trace using netsh.  There are tons of ways to customize your trace.  You can truncate the byte size to make your capture smaller. You can change the max size of the .etl file and store it wherever you want.  You can tell netsh that you want to capture on physical network adapters only, etc. etc. etc...

A couple of traces that I have used frequently are as follows:

Examples

netsh trace start capture=yes packettruncatebytes=512 tracefile=%temp%\%computername%_nettrace.etl maxsize=200 filemode=circular overwrite=yes report=no

netsh trace start scenario=netconnection persistent=yes fileMode=circular maxsize=512 tracefile=c:\temp\traceinfo.etl capture=yes
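As an added example (not part of the original post), the following PowerShell function wraps the first customized command above so it can be run the same way on both the client and the server from an elevated prompt. It assumes you pick the duration, folder, size and truncation values yourself; the timestamped file name is an added convention so repeated runs never overwrite an earlier capture and the two machines' traces can be told apart later.

```powershell
# Added example: wraps the post's netsh trace start/stop commands in a function.
# Assumes an elevated PowerShell prompt on the machine being traced.
function Start-TimedNetshTrace {
    param(
        [int]$Seconds = 120,                    # how long to keep capturing
        [string]$Folder = "$env:TEMP\NetTraces", # where the .etl and .cab land
        [int]$MaxSizeMB = 200,                  # maxsize= (MB), as in the post's example
        [int]$TruncateBytes = 512               # packettruncatebytes=, keeps the file small
    )
    if (-not (Test-Path $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }

    # One file per machine and per run, e.g. SERVER01_20150206_101500.etl
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $etl   = Join-Path $Folder "$($env:COMPUTERNAME)_$stamp.etl"

    # Same switches as the post's first customized example, except overwrite=no
    # so an existing file with the same name is never clobbered.
    netsh trace start capture=yes "packettruncatebytes=$TruncateBytes" `
        "tracefile=$etl" "maxsize=$MaxSizeMB" filemode=circular overwrite=no report=no
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed (exit code $LASTEXITCODE)"
    }

    Write-Host "Capturing to $etl for $Seconds seconds; reproduce the slowness now."
    Start-Sleep -Seconds $Seconds

    # Stopping the trace also writes the .cab with the machine information
    # described above, next to the .etl.
    netsh trace stop
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed (exit code $LASTEXITCODE)"
    }

    # List what was produced so the files can be collected from both machines.
    Get-ChildItem -Path $Folder -Filter "$($env:COMPUTERNAME)_$stamp.*" |
        Select-Object Name, Length, LastWriteTime
}

# Run on the client and the server at the same time, then compare the two traces.
Start-TimedNetshTrace -Seconds 90
```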

Basic Trace Commands

C:\windows\system32>netsh trace /?
The following commands are available:
Commands in this context:
?              - Displays a list of commands.
convert        - Converts a trace file to an HTML report.
correlate      - Normalizes or filters a trace file to a new output file.
diagnose       - Start a diagnose session.
dump           - Displays a configuration script.
help           - Displays a list of commands.
merge          - Merges trace files and adds symbols metadata.
show           - List interfaces, providers and tracing state.
start          - Starts tracing.
stop           - Stops tracing.

C:\windows\system32>netsh trace start /?
start
  Starts tracing.
  Usage: trace start [[scenario=]<scenario1,scenario2>]
        [[globalKeywords=]keywords] [[globalLevel=]level]
        [[capture=]yes|no] [[capturetype=]physical|vmswitch|both]
        [[report=]yes|no|disabled] [[persistent=]yes|no]
        [[traceFile=]path\filename] [[maxSize=]filemaxsize]
        [[fileMode=]single|circular|append] [[overwrite=]yes|no]
        [[correlation=]yes|no|disabled] [capturefilters]
        [[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]
        [[level=]level]
        [[[provider=]provider2IdOrName] [[providerFilter=]yes|no]]
        [[keywords=]keyword2MaskOrSet] [[perfMerge=]yes|no]
        [[level=]level2] ...
Defaults:
        capture=no (specifies whether packet capture is enabled
                in addition to trace events)
        capturetype=physical (specifies whether packet capture needs to be
                enabled for physical network adapters only, virtual switch
                only, or both physical network adapters and virtual switch)
        report=no (specifies whether a complementing report will be generated
                along with the trace file)
        persistent=no (specifies whether the tracing session continues
                across reboots, and is on until netsh trace stop is issued)
        maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
        fileMode=circular
        overwrite=yes (specifies whether an existing trace output file will
                be overwritten)
        correlation=yes (specifies whether related events will be correlated
                and grouped together)
        perfMerge=yes (specifies whether performance metadata is merged
                into trace)
        traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
                (specifies location of the output file)
        providerFilter=no (specifies whether provider filter is enabled)
Provider keywords default to all and level to 255 unless otherwise specified.

The help will give you examples for scenario based traces as well.  For a more in depth description of the netsh trace functionality, go here: https://technet.microsoft.com/en-us/library/dd878517(v=ws.10).aspx

1 comment:

  1. What would you do not to overwrite existing capture so basically to end up with a couple of contiguous captures of a defined size?
