Export (0) Print
Expand All

Capturing Data Remotely

Message Analyzer enables you to capture traffic on remote machines by running the Remote Link Layer Trace Scenario. This scenario uses the Microsoft-Windows-NDIS-PacketCapture provider for remote tracing. However, you can capture remote traffic with the Remote Link Layer scenario only from computers that are running the Windows 8.1 or Windows Server 2012 R2 operating system. In addition, the source machine from where you start the Remote Link Layer scenario must be running the Windows 7, Windows 8, or Windows 8.1, Windows Server 2012, or Windows Server 2012 R2 operating system, although in the case of Windows 7 you must install the WMI v3.0 package to provide the remoting capabilities. Other requirements also apply, as follows:

  • WinRM configuration — this service requires configuration on the source computer where you are running the Message Analyzer remote trace. You can configure the WinRM service by running the following command string from an elevated command prompt (Run as Administrator):

    winrm quickconfig

  • Trusted Hosts configuration — when the source computer and remote host are not in the same domain, you must add the remote host name to the source computer Trusted Hosts list by running the following command string from an elevated command prompt:

    winrm set winrm/config/client @{TrustedHosts="RemoteHostName"}

    Important  If you intend to capture data from multiple remote hosts, you should use the previous command to specify them in comma-separated format surrounded in quotes, as follows:

    winrm set winrm/config/client @{TrustedHosts="RemoteHost1Name, RemoteHost2Name,.."}, and so on.

Connecting with Remote Hosts
If your systems match the indicated requirements, you can start remote configuration for your Live Trace Session by first specifying the name of one or more remote Windows 8.1 or Windows Server 2012 R2 hosts on which to capture message traffic, along with Administrator credentials, to connect with those computers. You can specify the connection information from the Edit Target Computers dialog, which is accessible by clicking the Edit button on the Live Trace tab of the New Session dialog. If you do not specify any remote computers on which to capture traffic, then your Live Trace Session defaults to capturing messages on the local computer, as indicated by the default Localhost setting in the Target Computers list on the Live Trace tab.

Moreover, Message Analyzer enables you to capture traffic with the following target configurations:

  • Localhost — the default setting to capture message traffic on the local computer.

  • One or more remote computers — remove the Localhost setting and add target remote computers on which to capture message traffic concurrently to the Target Computers list.

  • Local and remote computers — retain the Localhost setting and add remote computers on which to capture message traffic concurrently to the Target Computers list.

Note  When you capture messages from multiple computers, the results are aggregated in the data viewer that you specified in the Start With drop-down menu of the New Session dialog.

Specifying Remote Host Connection Data  To provide remote host connection information, click the Add drop-down and then select New Row from the menu. A new row is then added to the Edit Target Computers dialog for specifying the host name or IP address in the Computer Name/IP Address text box, along with required connection credentials in the User Name and Password text boxes. If you are connecting to multiple remote hosts and the connection credentials are identical, you should select the Automatically copy credentials check box to avoid repeating duplicate credential entries for each host. If you want to use your current logon credentials to connect with specified hosts, leave the User Name and Password text boxes blank. When you are done adding host connection information, click OK to exit the Edit Target Computers dialog.

If you want to edit the connection information for any of the hosts that display in the Target Computers list, simply click Edit on the Live Trace tab of the New Session dialog and modify the information as required. Note that Message Analyzer retains all the connection information that you specify from session to session, until you remove it with the Delete control in the Edit Target Computers dialog. In addition, all the host names and user names that you entered in the Edit Target Computers dialog are retained in the Add drop-down list for future selection as required.

Specifying Advanced Settings for Remote Hosts
After you have specified connection credentials for remote computers on which to capture message traffic, and you have selected the Remote Link Layer Trace Scenario, you have the option to specify special filtering configurations in the Advanced Settings – Microsoft-Windows-NDIS-PacketCapture dialog. To access this dialog, click the Configure link to the right of the Microsoft-Windows-NDIS-PacketCapture provider Id in the ETW Providers list on the Live Trace tab of the New Session dialog. When the dialog opens, select the Provider tab and then click the Host drop-down to display the list of target computers that your Live Trace Session will connect with. To specify different filtering configurations for different hosts, you must select each host separately in the Host drop-down and then specify the filters you want to use, as described in Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

When you select an item in the Host drop-down, Message Analyzer attempts to connect with the specified Windows 8.1, Windows Server 2012 R2, or later host. If successful, Message Analyzer displays a progress bar while enumerating the network adapters on the selected remote host, which can include both host adapters and virtual machine (VM) adapters that are serviced by a Hyper-V-Switch. Message Analyzer returns the results of the enumeration to the Interface Selection grid of the Advanced Settings dialog and populates it with adapter Name and MAC Address information. Thereafter, when you open the Advanced Settings dialog in the current session, the tree grid section of the dialog is automatically populated with this information. You can then apply the filtering configurations that you specify to the enumerated adapters that you select in the Advanced Settings dialog.

If you want to specify unique filtering configurations for each remote host, you will need to repeat the previously indicated process for each host in the Host list on the Provider tab of the Advanced Settings dialog. However, to simplify the process, you have the option to apply a common filtering configuration to all hosts by clicking the Apply Changes to All Hosts button on the Provider tab. Before you do this, you should carefully consider the applicability of the filtering configuration that you apply to all adapters on the remote hosts. For example, certain filters have a different effect on the interception layer and packet traversal path through the NDIS stack for host adapters, versus the extension layers of a Hyper-V-Switch adapter that services one or more virtual machines (VMs). For more details on the effects of Layer filtering and packet traversal Direction filters, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

Filtering and Adapter Configurations
Message Analyzer enables you to specify the remote adapters on which to capture traffic by selecting specific adapters in the tree grid section of the Advanced Settings dialog. In addition, you can specify various filters such as All Layers, Direction, Truncation, EtherType, IP Protocol Numbers, IP Addresses, and MAC Addresses.

Some filters can have a different effect, depending on where you apply them. For example, selecting the All Layers and Direction check boxes together enables you to define the layer of the NDIS stack on which packets are intercepted and the traversal path (direction) in which they are intercepted. This can help you determine whether an adapter is dropping packets at a particular NDIS layer. When applied to a switch adapter, you can also define the interception layer and path of packets as they traverse the Hyper-V-Switch Extension layers. However, note that these filters have a slightly different effect, depending on whether you apply them to the NDIS layers of a host adapter versus the Extension layers of a switch adapter. The differences are explained in Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

By choosing adapters and setting filters in the Advanced Settings dialog, you can be very specific about where you capture remote traffic and how much data you capture. For example, in addition to the previously indicated filters, you could also capture only the packet headers for a particular protocol of interest, by setting a truncation value that matches the header length of that protocol. You can access the configuration of all of the special filters for the Microsoft-Windows-NDIS-PacketCapture provider in the Filters pane of the Advanced Settings dialog, the details of which are further described in Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

Note  The Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog configuration settings are tied to the Microsoft-Windows-NDIS-PacketCapture provider. As a result, you can use this dialog to specify configuration settings for any Trace Scenario that employs the Microsoft-Windows-NDIS-PacketCapture provider. You simply access the dialog in the previously indicated manner for this provider. However, the remote capabilities of the Microsoft-Windows-NDIS-PacketCapture provider are not available in all Trace Scenarios that use the provider, because they are present only in the Remote Link Layer and Remote Link Layer with Drop Event Information Trace Scenarios.

Starting a Remote Trace
After Message Analyzer has connected to one or more remote hosts and you have specified adapter and filtering configurations in the Advanced Settings dialog, you can close the dialog and start your remote Live Trace Session the same way you start any trace — by clicking the Start button in the New Session dialog. At this time, Message Analyzer starts multiple concurrent subsessions, where each subsession captures message traffic on a different host that is specified in the Target Computers list on the Live Trace tab of the New Session dialog. The captured data then begins to aggregate from all the subsessions into the Analysis Grid viewer, or whichever viewer you specified from the Start With drop-down in the New Session dialog.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft