Netsh Commands for Windows Filtering Platform (WFP) in Windows Server 2008 R2

  • Article

Applies To: Windows 7, Windows Server 2008 R2

The Netsh commands for the Windows Filtering Platform (WFP) enable you to perform diagnostics that support Windows Firewall and IPsec. Its primary use is to capture diagnostic data while you reproduce a problem. The tool then exports the collected data into an XML file that you can examine for clues to the cause of the problem. To view the capture file, you must have an XML file viewer or editor. Many good ones are available as free downloads from the Internet. The .xml output file can become very large, easily greater than 20 megabytes, so be sure to use a program that can handle a file of that size.

By default, the netsh wfp capture command discussed later in this reference produces a .cab file that contains two output files. One is the .xml file that you can review for information about your IPsec connections and any failures that have occurred. The other file is an .etl file, and is not directly usable by an administrator. The .etl file can be provided to Microsoft Customer Support Services if requested, and can be used by Microsoft’s support engineers to assist in troubleshooting.

The netsh wfp context does not have an equivalent in the Windows Firewall with Advanced Security MMC snap-in.

Note

The netsh wfp context and all of its commands are supported on computers that are running Windows 7 or Windows Server 2008 R2 only.
For computers that are running earlier versions of Windows, you can download the Microsoft IPsec Diagnostic Tool (https://go.microsoft.com/fwlink/?linkid=148386) from the Microsoft Web site. This tool provides some of the same functionality in a form that is compatible with older versions of Windows.

The following commands are available at the netsh wfp > prompt.

For these commands to work at a standard Windows command prompt, you must preface each command with netsh wfp, followed by the specific command and parameters as they appear in the syntax below.

Note

If User Account Control is enabled on your computer and you want to run any netsh wfp command that changes the WFP configuration, you must run the command from a command prompt that was started with the Run as administrator option. If you try to change the WFP state without having administrator permissions available to the command-line tool, it fails with the message "The requested operation requires elevation."

For more information about netsh, see Netsh Overview and Enter a Netsh Context.

Netsh wfp

The following sections describe each command and its syntax.

  • capture

  • dump

  • Set options

  • show

capture

The capture command allows you to start, stop, or check on the status of a capture session. The XML output file produced by the capture session can be used to diagnose problems with IPsec protected communications between two computers.

The capture command supports the following options:

  • capture start

  • capture status

  • capture stop

capture start

Begins a WFP diagnostics capture session. Once you start a capture session, diagnostic information continues to be added to the output file until you enter the command capture stop.

Syntax

Capture start

cab = { on | off } ]

traceonly = { on | off } ]

keywords = { none | bcast | mcast | bcast+mcast } ]

file = PathAndFilename ]

Parameters

  • cab = { on | off }
    Specifies whether the .xml and .etl output files are compressed into a .cab file after the capture session is completed. The default value is on. If cab=off, then the output files are placed in the output folder without being compressed into a .cab file.
  • traceonly = { on | off }
    Specifies that only event tracing data is included in the output files, which reduces the output file size. The default value is off.
  • keywords = { none | bcast | mcast | bcast+mcast } ]
    Specifies the kinds of network traffic events to include in the output files. Unicast network traffic is always included. None specifies to include only unicast network traffic events, which can reduce the output file size on long running capture sessions. Bcast specifies to also include broadcast network traffic events. Mcast specifies to also include multicast network traffic events. Bcast+mcast, the default value, species to include both multicast and broadcast network traffic events, in addition to unicast network traffic events.
  • file = PathAndFilename
    Specifies where the output files are written. Do not include an extension. If cab=on, then the filename specified at the end of the parameter is used to name a single output file that has the .cab extension automatically added. If cab=off, then two output files are created and named according to the filename specified at the end of the parameter. The files are given the extensions .etl and .xml.

capture status

The capture status command takes no parameters. It tells you whether a capture session is currently active.

capture stop

The capture stop command takes no parameters. It stops a capture session that was previously started by using the capture start command. The output files are closed, and if the cab=yes option was specified on the start command, then the two output files are compressed and moved into a cab file that is named and stored in the folder specified by the file parameter of the start command.

dump

Important

This command is available for some netsh contexts, but is not implemented for the netsh wfp context. It produces no output, but also generates no error. When the dump command is used from the root context, no WFP configuration information is included in the output.

Set options

The set command has only one option, set options. This command enables you to configure options for the capture engine.

Syntax

set options

netevents = { on | off } ]

keywords = { none | bcast | mcast | bcast+mcast } ]

Parameters

  • netevents = { on | off }
    Specifies whether network events are buffered for inclusion in the diagnostics output files. The default value is on. This value is persistent.
  • keywords = { none | bcast | mcast | bcast+mcast } ]
    Specifies the kinds of network traffic events to include in the output files. This value is persistent, and sets the default value for all following capture sessions. Unicast network traffic is always included. None specifies to include only unicast network traffic events, which can reduce the output file size on long running capture sessions. Bcast specifies to also include broadcast network traffic events. Mcast specifies to also include multicast network traffic events. Bcast+mcast, the default value, species to include both multicast and broadcast network traffic events, in addition to unicast network traffic events.

show

The show command displays information about the current WFP configuration, current filters, network events, and the firewall configuration that exists when the operating system first starts.

The show command supports the following options:

  • show appid

  • show boottimepolicy

  • show filters

  • show netevents

  • show options

  • show security

  • show state

  • show sysports

show appid

Displays the device-based application path for a file. The path must already exist.

Syntax

show appid

file = ] PathAndFileName

Parameters

  • file = PathAndFilename
    Specifies the file path using the standard DriveLetter**:\**FolderPath syntax.

show boottimepolicy

The show boottimepolicy command displays the WFP policy and filters that are in effect when the computer first starts, before the Windows Firewall with Advanced Security services are loaded. Output can be written to an XML file on disk, or to the console.

Syntax

show boottimepolicy

[ [ file = ] { PathAndFileName | - } ]

Parameters

  • file = { PathAndFilename | - }
    Specifies the file to which the output is written. If you do not specify a file name, then the output is written to the file btpol.xml. If you specify file=-, then the output is written only to the console.

show filters

The show filters command displays the currently active WFP filters. You can include parameters to limit the output to only those filters that match the specified criteria. Output can be written to an XML file on disk, or to the console.

Syntax

show filters

[ [ file = ] { PathAndFileName | - } ]

[ [ protocol = ] IPProtocolNumber ]

[ [ localaddr = ] IPv4orIPv6Address ]

[ [ remoteaddr = ] IPv4orIPv6Address ]

[ [ localport = ] PortNumber ]

[ [ remoteport = ] PortNumber ]

[ [ appid = ] PathAndFileName ]

[ [ userid = ] SIDorUserName ]

[ [ dir = ] { in | out } ]

[ [ verbose = ] { on | off } ]

Parameters

  • file = ] { PathAndFilename | - }
    Specifies the file to which the output is written. If you do not specify a file name, then the output is written to the file filters.xml. If you specify file=-, then the output is written only to the console.
  • protocol = ] IPProtocolNumber
    Displays only filters that allow or block network traffic based on the specified IP protocol number. The parameter must be an integer.
  • localaddr = ] IPv4orIPv6Address
    Displays only filters that allow or block network traffic based on the specified local IPv4 or IPv6 address.
  • remoteaddr = ] IPv4orIPv6Address
    Displays only filters that allow or block network traffic based on the specified remote IPv4 or IPv6 address.
  • localport = ] PortNumber
    Displays only filters that allow or block network traffic based on the specified local TCP or UDP port number. The parameter must be an integer.
  • remoteport = ] PortNumber
    Displays only filters that allow or block network traffic based on the specified remote TCP or UDP port number. The parameter must be an integer.
  • appid = ] PathAndFileName
    Displays only filters that allow or block network traffic based on the specified program. The path can be in format of DriveLetter**:\Path\**FileName or device-based, as shown in the output of the show appid command.
  • userid = ] { SID | UserName}
    Displays only filters that allow or block network traffic based on the identity of the user sending or receiving the traffic on the local computer. The user identity can be specified by user name, in DomainName**\**UserName format, or by security identifier (SID).
  • dir = ] { in | out }
    Displays only filters that allow or block network traffic based on the direction of the network traffic being filtered, either inbound or outbound.
  • verbose = ] { on | off }
    Specifies whether to display all filters that match the other criteria. Off is the default value. If verbose=off, then the command suppresses matching filters that are unlikely to affect connectivity. If verbose=on, then all rules that match the specified criteria are displayed.

show netevents

The show netevents command displays the list of network traffic events. You can include parameters to limit the output to only those events that match the specified criteria. Output can be written to an XML file on disk, or to the console.

Syntax

show netevents

[ [ file = ] { PathAndFileName | - } ]

[ [ protocol = ] IPProtocolNumber ]

[ [ localaddr = ] IPv4orIPv6Address ]

[ [ remoteaddr = ] IPv4orIPv6Address ]

[ [ localport = ] PortNumber ]

[ [ remoteport = ] PortNumber ]

[ [ appid = ] PathAndFileName ]

[ [ userid = ] SIDorUserName ]

[ [ timewindow = ] Seconds ]

Parameters

  • file = ] { PathAndFilename | - }
    Specifies the file to which the output is written. If you do not specify a file name, then the output is written to the file netevents.xml. If you specify file=-, then the output is written only to the console.
  • protocol = ] IPProtocolNumber
    Displays only events for network traffic matching the specified IP protocol number. The parameter must be an integer.
  • localaddr = ] IPv4orIPv6Address
    Displays only events for network traffic matching the specified local IPv4 or IPv6 address.
  • remoteaddr = ] IPv4orIPv6Address
    Displays only events for network traffic matching the specified remote IPv4 or IPv6 address.
  • localport = ] PortNumber
    Displays only events for network traffic matching the specified local TCP or UDP port number. The parameter must be an integer.
  • remoteport = ] PortNumber
    Displays only events for network traffic matching the specified remote TCP or UDP port number. The parameter must be an integer.
  • appid = ] PathAndFileName
    Displays only events for network traffic matching the specified program. The path can be in format of DriveLetter**:\Path\**FileName or device-based, as shown in the output of the show appid command.
  • userid = ] { SID | UserName}
    Displays only events for network traffic sent or received on the local computer by specified user. The user identity can be specified by user name, in DomainName**\**UserName format, or by security identifier (SID).
  • timewindow = ] Seconds
    Displays only events for network traffic that occurred within the immediately previous specified number of seconds. The parameter must be an integer.

show options

The show options command displays the setting of the netevents or keywords options, as configured by the Set options command. You can only specify one option at a time.

Syntax

show options

optionsfor = ] { netevents | keywords }

Parameters

  • optionsfor = ] { netevents | keywords }
    Specifies which option to display. For more information about the options, see Set options.

show security

The show security command displays the security descriptor of the specified item.

Syntax

show security

type = ] { callout | engine | filter | kesadb | ipsecsadb | layer | netevents | provider | providercontext | sublayer }

guid = ] GUID

Parameters

  • type = ] { callout | engine | filter | kesadb | ipsecsadb | layer | netevents | provider | providercontext | sublayer }
    Specifies the object type container for which to display the security descriptor. For objects that support per-object descriptors, specify the GUID of the object instance that you want to see.
  • guid = ] GUID
    Specifies the globally unique identifier (GUID) for a specific object instance of the specified type container.

show state

The show state command displays the current operational state of the WFP and IPsec. Output can be written to an XML file on disk, or to the console. The output includes lists of all of the current IPsec security associations and the authentication and encryption options that were negotiated for them, IPsec statistics, .

The output of this command is similar to the initialState and finalState sections of the main diagnostic output file created by the capture command.

Syntax

show state

[ [ file = ] { PathAndFileName | - } ]

Parameters

  • file = { PathAndFilename | - }
    Specifies the file to which the output is written. If you do not specify a file name, then the output is written to the file wfpstate.xml. If you specify file=-, then the output is written only to the console.

show sysports

The show sysports command displays the TCP and UDP ports currently used by the TCP/IP protocol stack itself, and the remote procedure call (RPC) subsystem. Output can be written to an XML file on disk, or to the console.

Syntax

show sysports

[ [ file = ] { PathAndFileName | - } ]

Parameters

  • file = { PathAndFilename | - }
    Specifies the file to which the output is written. If you do not specify a file name, then the output is written to the file sysports.xml. If you specify file=-, then the output is written only to the console.