@joxz
Last active May 15, 2023 21:34
Windows Troubleshooting

Windows WLAN Trace

netsh wlan set tracing mode=yes
netsh wlan set tracing mode=no

Once a trace has been completed, a report is compiled at C:\windows\tracing\wireless and viewable in the Windows performance monitor.

ETW network traces

Using PerfView

There are two options in PerfView to collect network traces alongside the usual trace: NetMon and Net Capture.

I recommend checking the NetMon option, as it generates a separate .etl file containing just the network traces. We may later open this file in Message Analyzer and analyze the collected data.

Using netsh

Starting from Windows 7 (Windows Server 2008) you don't need to install anything (such as WinPcap or Network Monitor) on the server to collect network traces. You can simply use the netsh trace {start|stop} command, which creates an ETW session with the interesting ETW providers enabled. A few diagnostic scenarios are available and you may list them using netsh trace show scenarios:

PS Temp> netsh trace show scenarios

Available scenarios (18):
-------------------------------------------------------------------
AddressAcquisition       : Troubleshoot address acquisition-related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Set of HTTP service counters
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
MBN                      : Troubleshoot mobile broadband related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
P2P-Grouping             : Troubleshoot Peer-to-Peer Grouping related issues
P2P-PNRP                 : Troubleshoot Peer Name Resolution Protocol (PNRP) related issues
RemoteAssistance         : Troubleshoot Windows Remote Assistance related issues
Virtualization           : Troubleshoot network connectivity issues in virtualization environment
WCN                      : Troubleshoot Windows Connect Now related issues
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

NOTE: For DHCP traces you may check the netsh dhcpclient trace ... commands. The LAN and WLAN modes also have some tracing capabilities, which you may enable with the command netsh (w)lan set tracing mode=yes and stop with the command netsh (w)lan set tracing mode=no.

To know exactly which providers are enabled in each scenario, use netsh trace show scenario {scenarioname}. After choosing the right scenario for your case, start the trace with the command:

netsh trace start scenario={yourscenario} capture=yes correlation=no report=no tracefile={the-output-etl-file}

Example:
    netsh trace start scenario=internetclient capture=yes correlation=no report=no tracefile=d:\temp\net.etl

After some time (or after performing the faulty network operation) stop the trace with a command:

netsh trace stop

A new .etl file should be created in the output directory (as well as a .cab file with some interesting system logs). Some ETW providers do not generate information about the processes related to the specific events (for instance the WFP provider); keep this in mind when choosing your own set of providers.

Many interesting capture filters are available; you may use netsh trace show CaptureFilterHelp to list them. The most useful are CaptureInterface, Protocol and the Ethernet.*, IPv4.* and IPv6.* option sets, for example:

netsh trace start scenario=InternetClient capture=yes CaptureInterface="Local Area Connection 2" Protocol=TCP Ethernet.Type=IPv4 IPv4.Address=157.59.136.1 maxSize=250 fileMode=circular overwrite=yes traceFile=c:\temp\nettrace.etl

netsh trace stop
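The start/operation/stop procedure above, together with the optional capture filters, wrapped into one PowerShell function. This is an added example, not part of the original gist. It assumes an elevated PowerShell session, netsh.exe on the PATH, and a scenario name that appears in netsh trace show scenarios; the function name, its parameters and the sample operation are my own choices.

```powershell
# Added example: run a netsh trace around a reproduction step and return the output files.
# Assumes an elevated session (netsh trace needs it) and that $Scenario is a valid scenario name.
function Invoke-NetshTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Scenario,        # e.g. InternetClient
        [Parameter(Mandatory = $true)][string]$TraceFile,       # full path of the .etl to write
        [Parameter(Mandatory = $true)][scriptblock]$Operation,  # the faulty network operation to reproduce
        [string]$CaptureInterface,                              # optional capture filters, as in the page's example
        [string]$Protocol,
        [string]$IPv4Address,
        [int]$MaxSizeMB = 250
    )

    # Build the raw argument string exactly as it would be typed at the prompt, so the
    # quoting of interface names with spaces reaches netsh unchanged.
    $arguments = "trace start scenario=$Scenario capture=yes correlation=no report=no " +
                 "maxSize=$MaxSizeMB fileMode=circular overwrite=yes tracefile=`"$TraceFile`""
    if ($CaptureInterface) { $arguments += " CaptureInterface=`"$CaptureInterface`"" }
    if ($Protocol)         { $arguments += " Protocol=$Protocol" }
    if ($IPv4Address)      { $arguments += " Ethernet.Type=IPv4 IPv4.Address=$IPv4Address" }

    $start = Start-Process -FilePath netsh.exe -ArgumentList $arguments -Wait -NoNewWindow -PassThru
    if ($start.ExitCode -ne 0) {
        throw "netsh trace start failed with exit code $($start.ExitCode); is the session elevated?"
    }

    try {
        # Reproduce the problem while the ETW session is running
        & $Operation
    }
    finally {
        # Always stop the session; an abandoned session keeps writing until the next reboot
        Start-Process -FilePath netsh.exe -ArgumentList 'trace stop' -Wait -NoNewWindow | Out-Null
    }

    # netsh writes the .etl plus a .cab with system logs next to it; return both so the
    # caller can check they exist before handing the .etl to the converter below.
    $cabFile = [System.IO.Path]::ChangeExtension($TraceFile, '.cab')
    [pscustomobject]@{
        EtlFile = Get-Item -LiteralPath $TraceFile -ErrorAction SilentlyContinue
        CabFile = Get-Item -LiteralPath $cabFile   -ErrorAction SilentlyContinue
    }
}

# Usage (constructed sample): trace a single HTTP request with the InternetClient scenario,
# restricted to one interface and one peer address.
# Invoke-NetshTrace -Scenario InternetClient -TraceFile 'C:\temp\net.etl' `
#     -CaptureInterface 'Local Area Connection 2' -Protocol TCP -IPv4Address 157.59.136.1 `
#     -Operation { Invoke-WebRequest 'http://example.invalid/' -ErrorAction SilentlyContinue | Out-Null }
```

The try/finally matters more than it looks: if the reproduction step throws, the session is still stopped, so you never leave a circular 250 MB capture running on a production host. Checking the returned EtlFile and CabFile for $null is the quickest way to tell whether the start actually succeeded.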

Analyze

Once we have an .etl file with a network trace, it's time to analyze it. You can open it in Message Analyzer, though Message Analyzer consumes a lot of memory to process the .etl file and it just won't work for bigger trace files. That's why I usually prefer to convert the .etl file to the .cap format and perform all analysis in Wireshark. Message Analyzer comes with a very interesting PowerShell module named PEF, which is a command line interface for this application. To create the .cap file from the .etl file call:

New-PefTraceSession -Path {full-path-to-the-cap-file} -SaveOnStop | Add-PefMessageProvider -Source {full-path-to-the-etl-file} | Start-PefTraceSession

I also created a function which you may add to your PowerShell profile:

function ConvertFrom-EtlToCap([Parameter(Mandatory=$True)][String]$EtlFilePath, [String]$CapFilePath) {
    # Turn a relative path into an absolute one; the PEF cmdlets expect full paths
    $EtlFilePath = (Resolve-Path $EtlFilePath).Path
    # Default the output name to the input name with the extension swapped to .cap
    if ([String]::IsNullOrEmpty($CapFilePath)) {
        $CapFilePath = $EtlFilePath.Substring(0, $EtlFilePath.Length - 3) + 'cap'
    }
    # Same pipeline as above: create the session, attach the .etl as the source, run it to completion
    New-PefTraceSession -Path $CapFilePath -SaveOnStop | Add-PefMessageProvider -Source $EtlFilePath | Start-PefTraceSession
}

Procmon network tracing does not collect the data sent or received, but it will reveal all the network connections opened by processes in the system.

PsPing (part of the Sysinternals toolkit) has a few interesting options when it comes to diagnosing network connectivity issues. The simplest usage is as a replacement for ping.exe (it performs an ICMP ping):

> psping www.google.com

By adding a port number after the host, we measure a TCP handshake instead (or discover a closed port on the remote host):

> psping www.google.com:80

To test UDP, add the -u option on the command line.

For latency and bandwidth tests we need to run PsPing in server mode on the other side (-f creates a temporary exception in the Windows Firewall, -s enables server listening mode):

> psping -f -s 192.168.1.3:4000

Then we start the client and perform the latency test (-l sets the payload size, -n the number of iterations):

> psping -l 16k -n 100 192.168.1.3:4000

With the same server running, adding -b switches the client to the bandwidth test:

> psping -b -l 16k -n 100 192.168.1.3:4000