
Capturing Data Remotely

Message Analyzer enables you to capture traffic on remote machines by running the Remote Link Layer Trace Scenario. This scenario uses the Microsoft-Windows-NDIS-PacketCapture provider for remote tracing. However, you can capture remote traffic with the Remote Link Layer scenario only from computers that are running the Windows 8.1 or Windows Server 2012 R2 operating system. In addition, the source machine from which you start the Remote Link Layer scenario must be running the Windows 7, Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2 operating system; in the case of Windows 7, you must also install the WMI v3.0 package to provide the remoting capabilities. Other requirements also apply, as follows:

  • WinRM configuration — this service requires configuration on the source computer where you are running the Message Analyzer remote trace. You can configure the WinRM service by running the following command string from an elevated command prompt (Run as Administrator):

    winrm quickconfig

  • Trusted Hosts configuration — when the source computer and remote host are not in the same domain, you must add the remote host name to the source computer Trusted Hosts list by running the following command string from an elevated command prompt:

    winrm set winrm/config/client @{TrustedHosts="RemoteHostName"}
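The two requirements above, carried out and verified from an elevated PowerShell prompt on the source computer, as an added example that is not part of the Message Analyzer documentation. It assumes the placeholder name RemoteHostName for the capture target and an Administrator credential for that host; the version check uses the NT 6.3 kernel version that Windows 8.1 and Windows Server 2012 R2 report.

```powershell
# Added example (not from the Message Analyzer documentation): prepares the
# source computer for the Remote Link Layer scenario and verifies the remote
# host before you connect to it from the Host drop-down.
# Assumptions: run from an elevated PowerShell prompt on the source computer;
# -RemoteHost is the placeholder 'RemoteHostName' from the page.
param(
    [Parameter(Mandatory)] [string] $RemoteHost,
    [Parameter(Mandatory)] [pscredential] $Credential
)

# 1. WinRM on the source computer: 'winrm quickconfig' is what the page
#    prescribes; only run it when the service is not already running.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    winrm quickconfig -q
}

# 2. TrustedHosts: 'winrm set winrm/config/client @{TrustedHosts="..."}'
#    REPLACES the whole list. Appending with -Concatenate keeps entries that
#    other tools or administrators on this computer already rely on.
$trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -notcontains $RemoteHost) {
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $RemoteHost -Concatenate -Force
}
Write-Host "TrustedHosts is now: $((Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value)"

# 3. Can the source computer reach the remote WinRM listener with these credentials?
Test-WSMan -ComputerName $RemoteHost -Credential $Credential -Authentication Negotiate | Out-Null

# 4. The remote side must be Windows 8.1 / Windows Server 2012 R2 (NT 6.3) for the
#    remote capability of the Microsoft-Windows-NDIS-PacketCapture provider.
$os = Invoke-Command -ComputerName $RemoteHost -Credential $Credential -ScriptBlock {
    Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version
}
if ([version]$os.Version -lt [version]'6.3') {
    throw "$RemoteHost runs $($os.Caption) ($($os.Version)); remote capture needs Windows 8.1 / Windows Server 2012 R2"
}
"$RemoteHost runs $($os.Caption) $($os.Version): ready for the Remote Link Layer scenario"
```

Save the script and run it as `.\Prepare-RemoteCapture.ps1 -RemoteHost RemoteHostName -Credential (Get-Credential)`. A host listed in TrustedHosts is one the WinRM client no longer authenticates through Kerberos, so keep the list to the named hosts you actually capture from rather than a wildcard, and remove an entry once the capture work on that host is finished.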

Connecting with a Remote Host
If your systems match the indicated requirements, you can start remote trace configuration by first specifying the name of the remote Windows 8.1 or Windows Server 2012 R2 host on which to capture message traffic, along with Administrator credentials, to connect with that computer. You can specify the connection information from the Host drop-down, which appears at the top of the Trace Scenario Configuration pane of the Trace Session configuration interface. To provide the remote host connection information, click the Host drop-down and then select the Connect to Remote Host… menu item. Thereafter, the Input Host Name dialog displays with input text boxes for entering the host name and logon credentials.

Note  The Host drop-down also provides a Localhost option for running the Remote Link Layer scenario on the local machine where Message Analyzer is running. You might do this to capture data on the local machine, while taking advantage of the special filtering configurations available in the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog.

Capturing Traffic on Remote Adapters
You can use the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog to specify a particular remote host adapter on which to capture data, along with several types of filters and other configuration settings for your remote trace. When you make a connection with the remote Windows 8.1 or Windows Server 2012 R2 host, Message Analyzer enumerates all the adapters on that machine. This includes adapters for virtual machines (VMs) that are serviced by a Hyper-V-Switch and other adapters. Thereafter, when you open the Advanced Settings dialog, the tree grid section of the dialog is automatically populated with this information.

Message Analyzer enables you to specify the remote adapters on which to capture traffic by selecting specific adapters in the tree grid section of the Advanced Settings dialog. In addition, you can specify various filters such as EtherType, IP Protocol Numbers, IP Addresses, and MAC Addresses, and you can configure special filters to intercept packets on all NDIS layers, for example, to help determine whether an adapter is dropping packets at a particular NDIS filter layer. You might also select a particular remote VM to capture traffic from and then specify the path of packets as they traverse the Hyper-V-Switch Extension layers.
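Before picking adapters in the tree grid, it helps to know what the remote host will enumerate. The following added example, not part of the Message Analyzer documentation, lists the adapters on a remote Windows Server 2012 R2 host over the same WinRM connection, including the Hyper-V switches and VM network adapters that appear as capture points in the dialog. It assumes the WinRM and Trusted Hosts requirements are already met and uses the placeholder name RemoteHostName.

```powershell
# Added example (not from the Message Analyzer documentation): enumerates the
# adapters, Hyper-V switches and VM adapters on the remote host so they can be
# matched against the tree grid in the Advanced Settings dialog.
# Assumptions: WinRM and TrustedHosts are already configured on the source
# computer; -RemoteHost is the placeholder 'RemoteHostName'.
param(
    [Parameter(Mandatory)] [string] $RemoteHost,
    [Parameter(Mandatory)] [pscredential] $Credential
)

Invoke-Command -ComputerName $RemoteHost -Credential $Credential -ScriptBlock {
    # Physical and host-side adapters; -IncludeHidden also shows the adapters that
    # back a Hyper-V virtual switch, which are otherwise not listed.
    Get-NetAdapter -IncludeHidden |
        Select-Object Name, InterfaceDescription, MacAddress, Status, Virtual |
        Sort-Object Name |
        Format-Table -AutoSize

    # Hyper-V switches and the VM adapters attached to them, when the role is installed.
    if (Get-Command -Name Get-VMSwitch -ErrorAction SilentlyContinue) {
        Get-VMSwitch |
            Select-Object Name, SwitchType, NetAdapterInterfaceDescription |
            Format-Table -AutoSize
        Get-VMNetworkAdapter -VMName * |
            Select-Object VMName, Name, SwitchName, MacAddress |
            Format-Table -AutoSize
    }
}
```

Run it as `.\Get-RemoteCaptureAdapters.ps1 -RemoteHost RemoteHostName -Credential (Get-Credential)`. The MAC addresses it reports are the values to use for a MAC Address filter in the dialog, and the VMName and SwitchName columns identify which VM and switch to select when you want to follow packets through the Hyper-V-Switch Extension layers.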

By choosing adapters and setting filters in the Advanced Settings dialog, you can be very specific about where you capture remote traffic and how much data you capture. For example, in addition to the previously indicated filters, you could also capture only the packet headers for a particular protocol of interest, by setting a truncation value that matches the header length of that protocol. You can configure such filters and settings in the Filters pane of the Advanced Settings dialog, the details of which are further described in Using the Windows NDIS Provider Advanced Settings Dialog.

Accessing the Remote Adapter and Filtering Configuration
To specify adapters, filters, and other settings for a remote trace, you must open the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog. You can do this by clicking the Configure link next to the Microsoft-Windows-NDIS-PacketCapture provider Id in the provider list of the Trace Scenario Configuration pane, after selecting a Remote Link Layer scenario in the Trace Scenarios Library that uses the Microsoft-Windows-NDIS-PacketCapture provider. For further details on how to specify settings in this dialog, see Using the Windows NDIS Provider Advanced Settings Dialog.

Note  Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog configuration settings are tied to the Microsoft-Windows-NDIS-PacketCapture provider. As a result, you can use this dialog to specify configuration settings for any Trace Scenario that employs the Microsoft-Windows-NDIS-PacketCapture provider. You simply access the dialog in the previously indicated manner for this provider. However, the remote capabilities of the Microsoft-Windows-NDIS-PacketCapture provider are not available in all Trace Scenarios that use the provider.

Starting a Remote Trace
After you are connected to the remote host and you have specified an adapter and filtering configuration in the Advanced Settings dialog, you can close the dialog and start your remote trace the same way you start any trace — by clicking the Start With button in the Trace Session configuration interface. Remote message traffic then begins to accumulate in the Analysis Grid viewer, or the viewer in which you started the trace.

Important  You can run multiple instances of Message Analyzer on the same machine to capture data remotely on multiple corresponding servers; however, any one particular server can provide remote data back to only a single instance of Message Analyzer.

© 2014 Microsoft