
Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7

Published: June 28, 2009

Updated: May 8, 2010

Applies To: Windows 7, Windows Server 2008 R2

On computers running Windows Server® 2008 R2 and Windows® 7, you can use the Netsh Trace context from a command prompt to enable and configure network tracing to assist you when troubleshooting network connectivity problems.

This section provides an overview of Netsh trace usage.

Note
The examples in this section, Using Netsh trace commands, are documented as if you have entered the Netsh trace context. If you have not already entered the Netsh trace context, you can run these commands from the command prompt by prepending Netsh trace to each example.

The Netsh trace context contains predefined sets of trace providers, known as scenarios, which you can enable for troubleshooting. To view a complete list of scenarios and a brief description of each scenario’s purpose, type show scenarios.

Following is an example of the results that are rendered by running the Netsh trace show scenarios command:

netsh trace>show scenarios

Available scenarios (13):
-------------------------------------------------------------------
AddressAcquisition       : Troubleshoot address acquisition-related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Troubleshoot server-side web connectivity issues
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
RPC                      : Troubleshoot issues related to RPC framework
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

netsh trace>

When you have identified the scenario that appears to be most relevant to your issues, you can see a list of all of the providers included in that scenario. For example, to see all of the providers enabled under the LAN scenario, type show scenario lan.

Following is an example of the results that are rendered by running the Netsh trace show scenario lan command:

netsh trace>show scenario lan

Description: Troubleshoot wired LAN related issues

Providers
---------

Provider:
Name:               Microsoft-Windows-L2NACP
Provider Guid:      {85FE7609-FF4A-48E9-9D50-12918E43E1DA}
Default Level:      4 (win:Informational)
Default Keywords:   0x0

Provider:
Name:               Microsoft-Windows-Wired-AutoConfig
Provider Guid:      {B92CF7FD-DC10-4C6B-A72D-1613BF25E597}
Default Level:      4 (win:Informational)
Default Keywords:   0x0

Provider:
Name:               Microsoft-Windows-NDIS
Provider Guid:      {CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}
Default Level:      4 (win:Informational)
Default Keywords:   0x0

Provider:
Name:               Microsoft-Windows-EapHost
Provider Guid:      {6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}
Default Level:      4 (win:Informational)
Default Keywords:   0x0

Provider:
Name:               Microsoft-Windows-OneX
Provider Guid:      {AB0D8EF9-866D-4D39-B83F-453F3B8F6325}
Default Level:      4 (win:Informational)
Default Keywords:   0x0

netsh trace>

To obtain a complete list of providers, you can type show providers from within the Netsh trace context. The show providers command lists every available provider by name and GUID, including providers that are not relevant to networking.

Following is a short excerpt of the list of providers that are rendered as a result of running the show providers command:

{0F67E49F-FE51-4E9F-B490-6F2948CC6027}  Microsoft-Windows-Kernel-Processor-Power
{122EE297-BB47-41AE-B265-1CA8D1886D40}  Microsoft-Windows-LoadPerf
{127E0DC5-E13B-4935-985E-78FD508B1D80}  Microsoft-Windows-TerminalServices-RdpSoundDriver
{134EA407-755D-4A93-B8A6-F290CD155023}  Microsoft-Windows-HomeGroup-ControlPanel
{13B197BD-7CEE-4B4E-8DD0-59314CE374CE}  Microsoft-Windows-Perflib
{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}  Microsoft-Windows-WMI-Activity
{155CB334-3D7F-4FF1-B107-DF8AFC3C0363}  Microsoft-Windows-MSDTC Client 2
{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}  Microsoft-Windows-Dhcp-Client
{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}  Microsoft-Windows-Kernel-Boot
{17D6E590-F5FE-11DC-95FF-0800200C9A66}  Microsoft-Windows-ApplicationExperience-SwitchBack
{17E92E2A-3D08-413E-BAEB-A79A262BF486}  Microsoft-Windows-MsiServer
{17F14A23-551D-40CC-A086-E4194D64ED4C}  Microsoft-Windows-WABSyncProvider
{18F4A5FD-FD3B-40A5-8FC2-E5D261C5D02E}  Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
{192EDE41-9175-4C86-AC02-9D003C9D43AB}  Microsoft-Windows-DisplaySwitch
{199FE037-2B82-40A9-82AC-E1D46C792B99}  LsaSrv

You can obtain details about a specific provider by typing show provider followed by the provider name. For example, to see details about the Microsoft-Windows-Dhcp-Client provider, type show provider name=Microsoft-windows-dhcp-client.

Following is an example of the results that are rendered by running the show provider name=Microsoft-windows-dhcp-client command:

netsh trace>show provider name=Microsoft-windows-dhcp-client

Name:          Microsoft-Windows-Dhcp-Client
Provider Guid: {15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}

Levels (value) - 3 element(s)
-------------------------------------------------------------------
win:Error (2)
win:Warning (3)
win:Informational (4)

Keywords (mask) - 4 element(s)
-------------------------------------------------------------------
win:ResponseTime (0x1000000000000)
Microsoft-Windows-Dhcp-Client/Operational (0x8000000000000000)
Microsoft-Windows-Dhcp-Client/Admin (0x4000000000000000)
System (0x2000000000000000)

netsh trace>

When troubleshooting, it is frequently beneficial to target tracing results by limiting irrelevant tracing details. For example, if you are running traces over an extended period of time, or if you are running tracing scenarios in which multiple providers are enabled, the resulting ETL trace file can become very large. If the ETL trace file becomes too large, the ETW buffer constraints may cause some traces to be dropped. Additionally, reducing the amount of data in the ETL trace file can simplify troubleshooting by reducing the amount of data to review.

You can use Netsh trace filters to reduce the ETL trace file size. The trace filters that you can apply to individual providers are:

  • ETW levels

  • ETW keywords

The Netsh trace context also supports packet filtering capability that is similar to Network Monitor. See the Remarks section within the Netsh trace start command section in this topic for information about trace packet filter parameters and usage.

To see a list of filters which can be applied, type show CaptureFilterHelp.

The following example is an excerpt of the filter information that is displayed by running the show CaptureFilterHelp command.

netsh trace>show capturefilterhelp

  Capture Filters:
        Capture filters are only supported when capture is explicitly
        enabled with capture=yes. Supported capture filters are:

        CaptureInterface=<interface name or GUID>
         Enables packet capture for the specified interface name or GUID. Use
         'netsh trace show interfaces' to list available interfaces.
        e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
        e.g. CaptureInterface="Local Area Connection"

        Ethernet.Address=<MAC address>
         Matches the specified filter against both source and destination
         MAC addresses.
        e.g. Ethernet.Address=00-0D-56-1F-73-64
        
         Wifi.Type=<Management|Data>
         Matches the specified filter against the Wifi type. Allowed values
         are 'Management' and 'Data'. If not specified, the Wifi.Type filter
         is not applied.
         Note: This capture filter does not support ranges, lists or negation.
        e.g. Wifi.Type=Management

        Protocol=<protocol>
         Matches the specified filter against the IP protocol.
        e.g. Protocol=6
        e.g. Protocol=!(TCP,UDP)
        e.g. Protocol=(4-10)
netsh trace>

Following is an example start command for Netsh trace that includes filter parameters.

  • start InternetClient provider=Microsoft-Windows-TCPIP level=5 keywords=ut:ReceivePath,ut:SendPath

In this example, the level is set to 5, which is win:Verbose, the highest ETW level, so events of every level (critical through verbose) are collected from the Microsoft-Windows-TCPIP provider. The keywords ut:ReceivePath and ut:SendPath filter the events to show only the events that are traced on the receive or send path.

Note
The maximum level supported by ETW is 255. The maximum level can vary by provider, within the range 0 – 255. In the example, the value of 5 is the highest level supported by Microsoft-Windows-TCPIP.

See the Remarks section within the Netsh trace start command in this topic for additional details concerning trace filter parameters and usage.

You can start a trace for all of the providers in a given scenario. For example, to start a trace for all of the providers enabled under the InternetClient scenario, type start scenario=internetclient. You can also start a trace for additional providers not included in that particular scenario. For example, you might want to start traces for all of the providers enabled under the WLAN scenario and also for the DHCP provider. To do this, you can type start scenario=wlan provider=Microsoft-Windows-Dhcp-Client.

To stop tracing, type stop from within the Netsh trace context.

When tracing is stopped, two files are generated by default:

  • An Event Trace Log (ETL) file. The ETL file collects trace events, which can be viewed using tools such as Network Monitor. By default, the ETL is saved as nettrace.etl.

    Note
    You can specify a different name by including the tracefile=FileName.etl parameter when starting the trace, where FileName is the name you specify for the saved .etl file.

  • A .cab file. The .cab file contains detailed information about the software and hardware on the system, such as the adapter information, build, operating system, and wireless settings. By default, the .cab file is named nettrace.cab, unless another name was specified as indicated above. The .cab file will contain two files, which will always be named as follows:

    • Report.etl. Report.etl is a duplicate copy of the information included in nettrace.etl.

    • Report.html. The report.html file includes additional information about the trace events, as well as other information that was collected by trace.

      Tip
      To receive the most detailed information, include the command parameter report=yes when starting a trace.
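The start, stop and convert steps described above, combined into one script. This is an added example written for this page, not a script from the original topic or from Microsoft. It assumes an elevated PowerShell prompt on Windows 7 or Windows Server 2008 R2; the output folder, the test URL and the 50 MB size limit are chosen values, and the convert command it ends with is documented later in this topic.

```powershell
# Added example, not from the original topic. Run from an elevated prompt:
# netsh trace needs administrative rights to start an ETW session.
# Chosen values (not from the page): the output folder, the test URL, 50 MB.

$traceDir  = Join-Path $env:LOCALAPPDATA 'Temp\NetTraces\Example'
$traceFile = Join-Path $traceDir 'InternetClient.etl'
New-Item -ItemType Directory -Path $traceDir -Force | Out-Null

# 1. Start the InternetClient scenario plus the DHCP client provider at
#    level 5 (win:Verbose). capture=yes adds packets to the ETL; Protocol=6
#    is a capture filter, so it limits the captured packets to TCP but does
#    not affect the ETW events the providers log. report=yes requests the
#    .cab with Report.etl and Report.html. A 50 MB circular file keeps a
#    long-running trace bounded instead of growing until events are dropped.
netsh trace start scenario=InternetClient `
    provider=Microsoft-Windows-Dhcp-Client level=5 `
    capture=yes Protocol=6 report=yes `
    tracefile="$traceFile" maxSize=50 fileMode=circular overwrite=yes

# 2. Verify that the session is running before reproducing the problem.
netsh trace show status

# 3. Reproduce the connectivity problem. WebClient is used because it exists
#    on PowerShell 2.0, which ships with Windows 7 / Server 2008 R2.
try {
    (New-Object System.Net.WebClient).DownloadString('http://www.example.com/') | Out-Null
} catch {
    Write-Warning "Reproduction request failed: $($_.Exception.Message)"
}

# 4. Stop. netsh writes InternetClient.etl and, because report=yes, the
#    matching .cab file alongside it.
netsh trace stop

# 5. Convert the binary ETL to text (dump=txt is the default) so it can be
#    searched; overwrite=yes replaces output from an earlier conversion.
netsh trace convert input="$traceFile" dump=txt overwrite=yes

Get-ChildItem -Path $traceDir | Select-Object Name, Length
```

Because the capture filter applies only to packets, the DHCP client events still reach the ETL even though DHCP is UDP; drop Protocol=6 if the packets of the DHCP exchange are needed as well.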

This section provides usage details for commands in the Netsh trace context.

Converts a trace file in ETL format into the specified format.

convert input=TraceFileName.etl [[output=]FileName] [[dump=]{csv|xml|evtx|txt|no}] [[report=]{yes|no}] [[overwrite=]{yes|no}] [[tmfpath=]PathAndFileName]

input
Required. Specifies the input ETL trace file.

output
Optional. Specifies the name of the converted file. If unspecified, the output file name defaults to the input name.

dump
Optional. Specifies the file format of the converted trace file: csv, xml, evtx, txt, or no. If unspecified, the converted file output defaults to txt.

Report
Optional. Specifies whether to generate an HTML report. If unspecified, the parameter defaults to “no.”

overwrite
Optional. Specifies whether this instance of the trace conversion command overwrites files that were rendered from previous trace conversions. If unspecified, the parameter defaults to “no.”

tmfpath
Optional. Specifies the path (folder location) of the tmf files that are used for decoding WPP traces.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • convert input=ExampleTestTrace.etl output=TestTrace dump=XML report=yes

Normalizes or filters a trace file to a new output file.

correlate input=TraceFileName.etl output=NewTraceFileName.etl [[filter=]Activity_ID] [[overwrite=]{yes|no}] [[retaincorrelationevents=]{yes|no}] [[retainpii=]{yes|no}] [[retainglobalevents=]{yes|no}]

input
Required. Specifies the input trace file name.

output
Required. Specifies the file name of the output file.

filter
Optional. Specifies that trace output is rendered only for events that are related to the specific Activity GUID. If unspecified, the default entry for filter is null; the filter parameter is ignored.

overwrite
Optional. Overwrites existing files. If unspecified, the default entry for overwrite is no.

retaincorrelationevents
Optional. Retains correlation events. If unspecified, the default entry for retaincorrelationevents is no.

retainpii
Optional. Specifies that events containing personally identifiable information (pii) are kept. If unspecified, the default entry for retainpii is yes.

retainglobalevents
Optional. Specifies that global events are kept. If unspecified, the default entry for retainglobalevents is yes.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

Filter activity ID is a GUID expressed in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

Personally identifiable information includes packet capture events.

  • correlate input=exampleTraceFileName.etl output=NewTraceFileName.etl overwrite=yes retaincorrelationevents=no retainpii=yes retainglobalevents=yes

Starts a diagnostic session.

diagnose scenario=ScenarioName namedAttribute=attributeValue [[saveSessionTrace=]{yes|no}] [[report=]{yes|no}] [[capture=]{yes|no}]

scenario
Required. Specifies the name of the scenario.

namedAttribute
Required. Specifies the attribute value.

Tip
namedAttributes change depending on the scenario, and can be discovered by running the Netsh Trace show scenario command.

saveSessionTrace
Optional. If parameter saveSessionTrace is unspecified and parameter report is set to yes, then the default entry for saveSessionTrace is yes. If parameter saveSessionTrace is unspecified and parameter report is set to no or is unspecified, then the default entry for saveSessionTrace is no.

report
Optional. If unspecified, the default entry for report is no.

capture
Optional. If unspecified, the default entry for capture is no.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

Diagnose command behavior for parameters capture and report:

The following table summarizes the results that are rendered by the use of the various combinations of the capture and report parameters:

 

capture=        report=         Results:
--------------  --------------  -------------------------------------------------------------------
not specified   not specified   The diagnostic results will display, but neither the ETL nor CAB files are created.
yes             no              The diagnostic results will display, and only the ETL file is created. The ETL file is created with both traces and packets.
yes             yes             The diagnostic results will display, and both the ETL and CAB files are saved. The ETL file is saved with both traces and packets.
no              yes             The diagnostic results will display, and both ETL and CAB files are created. Only events are saved in the ETL file; no packets are saved.
no              no              The diagnostic results will display, and the ETL file is created with trace events only. The CAB file is not created.


  1. If parameters capture and report are not specified the diagnostic results will display, but neither the ETL nor CAB files are saved.

  2. If parameter capture=yes and parameter report=no the diagnostic results will display, and only ETL file is saved. The ETL file is saved with both traces and packets.

  3. If parameter capture=yes and parameter report=yes, then the diagnostic results will display, and both the ETL and CAB files are saved. The ETL file is saved with both traces and packets.

  4. If parameter capture=no and parameter report=yes, then the diagnostic results will display, and both ETL and CAB files are saved. Only events are saved in the ETL file; no packets are saved.

  5. If parameter capture=no and parameter report=no, the diagnostic results will display, ETL file is saved with trace events only. The CAB file is not saved.

Tip
In all cases, if the ETL file is saved and capture=yes, the ETL file will contain both packet captures and trace events.

  • Diagnose scenario=internetclient namedAttribute=http://www.Microsoft.com saveSessionTrace=yes report=no

Displays the supported capture filters and filter usage.

show CaptureFilterHelp

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • show CaptureFilterHelp

Displays a list of global keywords and the levels that may be used with the start command.

show globalKeywordsAndLevels

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

Following is an example of the global levels and keywords that are displayed by running the command show globalKeywordsAndLevels.


netsh trace>show globalkeywordsandlevels

Levels (value) - 5 element(s)
-------------------------------------------------------------------
win:Critical (1)
win:Error (2)
win:Warning (3)
win:Informational (4)
win:Verbose (5)

Keywords (mask) - 15 element(s)
-------------------------------------------------------------------
ut:SendPath (0x100000000)
ut:ReceivePath (0x200000000)
ut:L3ConnectPath (0x400000000)
ut:L2ConnectPath (0x800000000)
ut:ClosePath (0x1000000000)
ut:Authentication (0x2000000000)
ut:Configuration (0x4000000000)
ut:Global (0x8000000000)
ut:Dropped (0x10000000000)
ut:PiiPresent (0x20000000000)
ut:Packet (0x40000000000)
ut:Address (0x80000000000)
ut:StdTemplateHint (0x100000000000)
ut:StateTransition (0x200000000000)
ut:Diagnostic (0x400000000000)

netsh trace>

You can specify the global levels and keywords in the start command, as in the following example: start InternetClient provider=Microsoft-Windows-TCPIP level=5 keywords=ut:ReceivePath,ut:SendPath. This is explained in greater detail in the section Example Netsh trace filter parameters and usage.
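The keyword listing above is what makes a keywords= set such as ut:ReceivePath,ut:SendPath equivalent to a numeric mask (the start syntax accepts KeywordMaskOrSet). The following PowerShell example is added here and is not code from the original topic: it parses the show globalkeywordsandlevels listing (copied from the output above and embedded as text so it runs without netsh) into a name-to-mask table, builds the combined mask for ut:ReceivePath and ut:SendPath, and decodes a mask back into names. The function names are my own; the same parser works on the Keywords section of show provider output, which uses the same "name (0xmask)" layout.

```powershell
# Added example, not from the original topic. Sample text copied from the
# show globalkeywordsandlevels output shown on this page.
$sampleOutput = @'
Keywords (mask) - 15 element(s)
-------------------------------------------------------------------
ut:SendPath (0x100000000)
ut:ReceivePath (0x200000000)
ut:L3ConnectPath (0x400000000)
ut:L2ConnectPath (0x800000000)
ut:ClosePath (0x1000000000)
ut:Authentication (0x2000000000)
ut:Configuration (0x4000000000)
ut:Global (0x8000000000)
ut:Dropped (0x10000000000)
ut:PiiPresent (0x20000000000)
ut:Packet (0x40000000000)
ut:Address (0x80000000000)
ut:StdTemplateHint (0x100000000000)
ut:StateTransition (0x200000000000)
ut:Diagnostic (0x400000000000)
'@

# Parse "name (0xMASK)" lines into a hashtable of name -> [uint64] mask.
# Header and separator lines do not match the pattern and are skipped.
function ConvertFrom-KeywordListing {
    param([string]$Text)
    $table = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(\S+)\s+\((0x[0-9A-Fa-f]+)\)\s*$') {
            $table[$matches[1]] = [Convert]::ToUInt64($matches[2].Substring(2), 16)
        }
    }
    return $table
}

# OR together the masks of the requested keyword names. An unknown name is
# an error rather than silently yielding a mask that traces nothing.
function Get-KeywordMask {
    param([hashtable]$Table, [string[]]$Names)
    [uint64]$mask = 0
    foreach ($name in $Names) {
        if (-not $Table.ContainsKey($name)) { throw "Unknown keyword '$name'" }
        $mask = $mask -bor $Table[$name]
    }
    return $mask
}

# Decode a mask (for example one read from show status) into keyword names.
function Get-KeywordNames {
    param([hashtable]$Table, [uint64]$Mask)
    $Table.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

$keywords = ConvertFrom-KeywordListing $sampleOutput
$mask = Get-KeywordMask $keywords @('ut:ReceivePath', 'ut:SendPath')
'keywords=0x{0:X}' -f $mask
Get-KeywordNames $keywords $mask
```

For the two keywords in the example the masks 0x100000000 and 0x200000000 combine to 0x300000000, so keywords=0x300000000 selects the same events as keywords=ut:ReceivePath,ut:SendPath.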

  • show globalKeywordsAndLevels

Displays the helper class name, description and lists the dependent helper classes. Additionally, this command also lists possible root causes and repairs that can be returned by the helper class.

show helperclass name=helperClassName

name
Required. Specifies the name of the helperclass for which to display information.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

Helper class names are case sensitive. For example, you cannot substitute wininethelperclass, if WinInetHelperClass is the correct, case-sensitive name.

  • Show helperclass name=WinInetHelperClass

Displays a list of network interfaces.

show interfaces

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • show interfaces

For the provider specified, displays the keywords and levels that can be used with the start command.

show provider name=providerIdOrName

name
Required. Specifies the provider name or provider identification (Id) GUID.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

This displays the keywords and levels that the specified provider supports, which can be used when starting a tracing session.

  • show provider name=Microsoft-Windows-TCPIP

  • show provider name=B92CF7FD-DC10-4C6B-A72D-1613BF25E597

Displays a list of the providers that can be used with the start command.

show providers

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • Show providers

Displays information for the specified scenario.

show scenario name=scenarioName

name
Required. Specifies the name of the scenario for which to display information.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

This command displays information about a scenario, including:

  • Attributes that might be required by the diagnose command.

  • The list of providers that would be enabled for the specified scenario.

  • The default keywords and levels that would be applied for the specified scenario.

  • show scenario name=DirectAccess

Displays a list of the scenarios that can be used with the start command.

show scenarios

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • show scenarios

Displays the current tracing configuration.

show status

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

  • show status

Starts a network tracing session.

start [[scenario=]Scenario1,Scenario2] [[globalKeywords=]keywords] [[globalLevel=]level] [[capture=]{yes|no}] [[report=]{yes|no}] [[persistent=]{yes|no}] [[traceFile=]Path\Filename] [[maxSize=]MaxFileSizeInMB] [[fileMode=]{single|circular|append}] [[overwrite=]{yes|no}] [[correlation=]{yes|no|disabled}] [[provider=]ProviderIdOrName] [[keywords=]KeywordMaskOrSet] [[level=]level] [[provider=]Provider2IdOrName] [[keywords=]Keyword2MaskOrSet] [[level=]level2]

scenario
Optional. Specifies the scenarios that are applied to the trace session.

globalKeywords
Optional. Specifies the global keywords that are applied to the trace session.

globalLevel
Optional. Specifies at what level the traces should be collected across all the providers. For example, the command netsh trace start scenario=internetclient globallevel=win:error will capture only error events; the command netsh trace show globalkeywordsandlevels displays the list of options.

capture
Optional. Specifies whether packet capture is enabled in addition to trace events. If unspecified, the default entry for capture is no.

report
Optional. Specifies whether a complementing report will be generated in addition to the trace file report. If unspecified, the default entry for report is no.

persistent
Optional. Specifies whether the tracing session resumes upon restarting the computer, and continues to function until the “Netsh trace stop” command is issued. If unspecified, the default entry for persistent is no.

traceFile
Optional. Specifies the location to save the output file. If unspecified, the output file is saved using the default path and filename: “traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl”

maxSize
Optional. Specifies the maximum size of the trace file in MB; maxSize=0 means no maximum. If the maxSize parameter is unspecified, the default value of 250 MB is used. To specify maxSize=0 (no maximum trace file size), you must also specify fileMode=single. By default, fileMode=circular.

fileMode
Optional. Specifies which file mode is applied when tracing output is generated: single|circular|append. If unspecified, the default entry “fileMode=circular” is used.

overwrite
Optional. Specifies whether an existing trace output file, in either the specified or the default location, will be overwritten. If parameter traceFile is not specified, then the default location and filename is applied, and any pre-existing version of the trace file is automatically overwritten. See parameter traceFile for default path and filename details.

correlation
Optional. Specifies whether related events will be correlated and grouped together. If unspecified, the default entry “correlation=yes” is applied.

provider
Optional. Specifies additional providers to enable for tracing.

keywords
Optional. Specifies the keywords to enable for the corresponding provider.

level
Optional. Specifies the level to enable for the corresponding provider.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.

Capture filters are only supported when capture is explicitly enabled with capture=yes. You can use the show CaptureFilterHelp command to display the list of supported capture filters and their usage.

Following is a list and brief explanation of the ETW levels that you can specify by using the level parameter. Each level includes all of the levels below it.

  1. Critical. Captures only critical events.

  2. Errors. Captures only critical events and error events.

  3. Warnings. Captures only critical events, error events, and warning events.

  4. Informational. Captures only critical events, error events, warning events, and informational events.

  5. Verbose. Captures all events.

You can view a complete list of keywords for a specific provider by typing show provider, followed by the provider name. For example, you can type show provider Microsoft-Windows-TCPIP to display information about the Microsoft-Windows-TCPIP provider, including the list of supported keywords.

  • start scenario=InternetClient capture=yes

    • Starts tracing for the InternetClient scenario and dependent providers with packet capture enabled.

    • Tracing will stop when the "Netsh trace stop" command is issued or when the system reboots.

    • Default location and name will be used for the output file. If an old file exists, it will be overwritten.

  • start provider=Microsoft-windows-wlan-autoconfig keywords=state,ut:authentication

    • Starts tracing for the Microsoft-windows-wlan-autoconfig provider.

    • Tracing will stop when the "Netsh trace stop" command is issued or when the system reboots.

    • Default location and name will be used for the output file.

    • If an old file exists, it will be overwritten.

    • Trace will only log events with the keywords 'state' or 'ut:authentication.'

    You can use the Netsh trace show provider command to display the supported keywords and levels.

The Netsh trace context also supports packet filtering capability that is similar to Network Monitor. You can turn on packet capturing by specifying capture=yes in the Netsh trace start command. You can use packet filtering to capture specific packets in a trace file. For example, you can type start capture=yes ipv4.address=x.x.x.x (where x.x.x.x is the IP address) to capture only those packets containing IPv4 traffic with that specific source or destination address.

To obtain additional information about how to use packet filtering, you can type show capturefilterHelp.

Stops a network tracing session that is currently in progress.

stop

There are no parameters associated with this command.

This Netsh command is new in Windows Server 2008 R2 and cannot be run on computers running Windows Server 2008.
