
Default Trace Scenarios

All Message Analyzer installations include a default set of Trace Scenarios that together provide you with a large range of tracing functionality, applicability, and usefulness. These scenarios can help you get started very quickly with capturing and processing live data. Moreover, you can click one of the default Trace Scenarios in the Quick Trace area on the Start Page to immediately launch a Trace Session and start capturing live data. These Trace Scenarios are also maintained as an item collection in the Message Analyzer Sharing Infrastructure, where you can synchronize with collection updates that are pushed out by a web service and download them as required from the Start Page. The default Trace Scenarios utilize different combinations of providers to achieve specific and common tracing capabilities and results. These combinations can consist of any of the following types of ETW-instrumented message providers:

  • A single Microsoft-PEF provider.

  • A Microsoft-PEF provider and a combination of one or more Windows system ETW providers.

  • One or more Windows system ETW providers.

  • Other providers for various Windows components.

The default Trace Scenarios and the providers they utilize for capturing data are described in this section. Note that some Trace Scenarios in the Network category are supported only on Windows 8.1 and Windows Server 2012 R2. These Trace Scenarios use the Microsoft-Windows-NDIS-PacketCapture provider, which supports remote tracing in the Remote Link Layer scenarios and local tracing otherwise. Other Trace Scenarios in the Network category are supported only on Windows 8 and earlier operating systems. These Trace Scenarios use the Microsoft-PEF-NDIS-PacketCapture provider, which supports local tracing only. In addition, there are differences in the way you can configure these providers prior to running a trace, as follows:

  • Remote trace scenarios with Windows-NDIS — in remote scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider, you can specify the remote host adapters and/or virtual machine (VM) adapters from which to capture messages, the manner in which packets traverse the NDIS filter layers or Hyper-V-Switch extension layers on such remote adapters, respectively, and various unique filters such as Truncation, EtherTypes, and IP Protocol Numbers. You can configure these settings from the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog, as described in Using the Windows NDIS Provider Advanced Settings Dialog.

  • Local trace scenarios with Windows-NDIS — in local scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider, you can specify local host adapters from which to capture messages, the manner in which packets traverse the NDIS filter layers, and the same filters as previously indicated. You can also configure these settings from the same Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog.

  • Local trace scenarios with PEF-NDIS — in local scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider, you can specify local adapters from which to capture messages, the direction in which to capture them, and you can create up to two logically-chained Fast Filter Groups that you can assign to any selected adapter. You can configure these settings from the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog only, as described in Using the PEF-NDIS Provider Advanced Settings Dialog.

The providers that are included in each Trace Scenario display in the provider list of the Message Analyzer Trace Scenario Configuration pane, along with their Ids (GUIDs), whenever you select a scenario in the Trace Scenarios Library of the Trace Session configuration interface. A short description of each Trace Scenario in the Library is included below the scenario name, and when there are environment differences, the operating system that supports the scenario is specified. The default Trace Scenarios that are included with every Message Analyzer installation are described in the table that follows, along with a functional description and possible usage for each scenario.

Table 2. Message Analyzer default Trace Scenarios

Columns: Trace Scenario | Provider Names | Functional Description | Usage Configurations
(Each entry below is flattened in that order: the scenario name and short description, then the provider names, then the functional description, then the usage configurations.)


Network Category

Local Link Layer (Windows 8/Windows Server 2012 or earlier)
Local capture on Link Layer (NDIS)

Microsoft-PEF-NDIS-PacketCapture

Provides the capability to capture local traffic on the indicated operating systems at the Link Layer (wire level), which is the lowest available chokepoint in the network stack. Also enables you to configure Fast Filters that do the following:

  • Target specific packet data.

  • Reduce CPU processing by passing less data.

  • Prevent higher disk I/O overhead.

  • Improve speed by avoiding filtering at the parsing engine level.

Note that packets captured at the Link Layer may already be encrypted by a protocol such as IPsec, in which case their payloads are not visible in cleartext; to see IPsec-protected traffic unencrypted, use the Firewall scenario described later in this table. Also, data obtained from the PEF-NDIS provider can be noisy, especially on a wireless connection, because it captures broadcast and other traffic below the Network layer.

You might use the Local Link Layer scenario containing the PEF network driver interface specification (PEF-NDIS) provider if you want to:

  • Capture raw data on the wire, such as Ethernet frames.

  • Specify the configuration of adapters from which to capture data.

  • Specify light-weight Fast Filters that enable you to locate messages containing specified offset length patterns (OLP) or messages intended for specified target addresses. You can logically chain up to 3 Fast Filters within two separate filter Groups which you can then apply to selected adapters.

    Note  To learn how to configure such settings, see Using the PEF-NDIS Provider Advanced Settings Dialog.

Local Link Layer (Windows 8.1/Windows Server 2012 R2)
Local capture on Link Layer (NDIS)

Microsoft-Windows-NDIS-PacketCapture

Provides the capability to capture local traffic at the Link Layer on Windows 8.1 and Windows Server 2012 R2 computers. Also enables you to capture local VM traffic on Windows Server 2008 R2 and Windows Server 2012 computers.

Configuration features include special Filters that do the following:

  • Truncate packets to reduce bandwidth consumption.

  • Establish how packets traverse the NDIS filter stack.

  • Isolate Ethernet frames that contain IP packets such as IPv4 and IPv6.

  • Filter for and return only IP packets that have certain payloads, for example, TCP, UDP, or ICMP.

  • Filter traffic based on one or more specified MAC or IP addresses.

You might use the Local Link Layer scenario on a local computer running Windows 8.1 or Windows Server 2012 R2 to do the following:

  • Capture raw data on the wire, such as Ethernet frames.

  • View packet headers only for a particular protocol, through truncation.

  • Monitor NDIS filter layers to determine whether packets are being dropped.

  • Specify the direction in which packets traverse the NDIS filter stack, to isolate inbound or outbound traffic.

  • Filter for packets that are intended for a particular address or that contain specific payload types.

Note  To learn how to configure such settings, see Using the Windows NDIS Provider Advanced Settings Dialog and the portions of this topic that apply to NDIS configuration for local tracing.

Remote Link Layer (to Windows 8.1/Windows Server 2012 R2)
Remote capture on Link Layer (supports target machines with Windows 8.1 and Windows Server 2012 R2 only)

Microsoft-Windows-NDIS-PacketCapture

Provides the capability to capture traffic on a remote Windows 8.1 or Windows Server 2012 R2 computer (or on the local host) at the Link Layer. Enables you to do the following:

  • Target specific remote hosts on which to capture traffic.

  • Specify the host adapters and/or VM adapters on which to capture data.

  • Create special packet and address filtering configurations.

You might use the Remote Link Layer scenario containing the Microsoft-Windows-NDIS-PacketCapture provider if you want to:

  • Capture raw Ethernet frames remotely.

  • Isolate traffic on a particular remote Windows 8.1 or Windows Server 2012 R2 host that you specify.

  • Isolate traffic on a specified host adapter or VM adapter on a remote Windows 8.1 or Windows Server 2012 R2 computer.

  • Specify packet traversal paths and filters for NDIS and Hyper-V-Switch stack layers, for example, when remotely troubleshooting dropped packets.

  • Perform special filtering that isolates message headers, messages that contain a particular type of payload, or messages intended for a particular physical or network address.

    Note  To learn how to configure such settings, see Using the Windows NDIS Provider Advanced Settings Dialog.

Remote Link Layer with Drop Event Information (to Windows 8.1/Windows Server 2012 R2)
Remote capture on Link Layer, including drop event information (supports target machines with Windows 8.1 or Windows Server 2012 R2 only)

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-WFP
Microsoft-Windows-NdislmPlatformEventProvider
Microsoft-Windows-TCPIP
Microsoft-Windows-Hyper-V-VmSwitch
Microsoft-Windows-Qos-Pacer
Microsoft-Windows-MsLbfoEventProvider
Microsoft-Windows-Winsock-AFD

Uses the remote tracing capabilities of the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote Windows 8.1 or Windows Server 2012 R2 computer, and adds system providers that log dropped-packet events alongside the captured frames.

You might use the Remote Link Layer with Drop Event Information (to Windows 8.1/Windows Server 2012 R2) scenario if you want to:

  • Utilize the remote capabilities of the Microsoft-Windows-NDIS-PacketCapture provider, as previously described.

  • Log dropped packet events, the firewall rules that may have caused them to be dropped, and other drop event information.
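The same Microsoft-Windows-NDIS-PacketCapture provider, with the truncation, EtherType, IP protocol and address filters described in the Local and Remote Link Layer scenarios, can also be started from a script. The following PowerShell is an added example, not code from this page or from Message Analyzer: it uses the NetEventPacketCapture module that ships with Windows 8.1 and Windows Server 2012 R2 to build a session on that provider, restrict it to one adapter, and add two of the system providers from the Remote Link Layer with Drop Event Information scenario so that drop events land in the same trace as the frames. The session name, adapter name, remote computer name, sample addresses and output path are assumptions.

```powershell
# Added example (not Message Analyzer code): script a Link Layer capture with the
# NetEventPacketCapture module of Windows 8.1 / Windows Server 2012 R2.
# Assumed values: session name, adapter name, remote computer name, addresses, output path.
#Requires -RunAsAdministrator
Import-Module NetEventPacketCapture

function Start-LinkLayerDropTrace {
    param(
        [string]   $SessionName  = 'LinkLayerDrop',            # assumed name
        [string]   $OutFile      = 'C:\Traces\linklayer.etl',  # assumed path; directory must exist
        [string]   $Adapter      = 'Ethernet',                 # assumed; list adapters with Get-NetAdapter
        [string[]] $IpAddresses  = @('10.0.0.5', '10.0.0.9'),  # constructed sample hosts
        [string]   $ComputerName                               # remote 8.1/2012 R2 target; empty = local host
    )
    # Every cmdlet below accepts -CimSession; that is how the Remote Link Layer capture is targeted.
    $target = @{}
    if ($ComputerName) { $target.CimSession = New-CimSession -ComputerName $ComputerName }

    # Make the script re-runnable: drop a stale session of the same name.
    if (Get-NetEventSession -Name $SessionName @target -ErrorAction SilentlyContinue) {
        Remove-NetEventSession -Name $SessionName @target
    }
    New-NetEventSession -Name $SessionName -CaptureMode SaveToFile -LocalFilePath $OutFile `
        -MaxFileSize 256 @target | Out-Null

    # NDIS packet-capture provider with the filters the scenario describes: truncate each frame
    # to 128 bytes (headers only), keep IPv4 (0x0800) and IPv6 (0x86DD) frames, keep only
    # TCP (6) and UDP (17), and keep only frames to or from the listed addresses.
    Add-NetEventPacketCaptureProvider -SessionName $SessionName -Level 4 -CaptureType Physical `
        -TruncationLength 128 -EtherType 0x0800, 0x86DD -IpProtocols 6, 17 `
        -IpAddresses $IpAddresses @target

    # Restrict the capture to one host adapter (VM traffic would use Add-NetEventVmNetworkAdapter
    # or Add-NetEventVmSwitch instead).
    Add-NetEventNetworkAdapter -Name $Adapter @target

    # Two of the system providers from the Drop Event scenario, so that firewall (WFP) and
    # TCP/IP drop events are written into the same trace as the frames.
    foreach ($provider in 'Microsoft-Windows-WFP', 'Microsoft-Windows-TCPIP') {
        Add-NetEventProvider -SessionName $SessionName -Name $provider -Level 5 @target
    }

    Start-NetEventSession -Name $SessionName @target
    return $SessionName
}

function Stop-LinkLayerDropTrace {
    param([string]$SessionName = 'LinkLayerDrop', [string]$ComputerName)
    $target = @{}
    if ($ComputerName) { $target.CimSession = New-CimSession -ComputerName $ComputerName }
    Stop-NetEventSession -Name $SessionName @target
    # Return the path of the .etl so the caller knows what to open in Message Analyzer.
    $path = (Get-NetEventSession -Name $SessionName @target).LocalFilePath
    Remove-NetEventSession -Name $SessionName @target
    return $path
}

# Usage: capture for 30 seconds on the local host, then open the returned .etl file.
$session = Start-LinkLayerDropTrace
Start-Sleep -Seconds 30
Stop-LinkLayerDropTrace -SessionName $session
```

Pass -ComputerName to both functions to trace a remote Windows 8.1 or Windows Server 2012 R2 host over WinRM, which is the same remote capture path the Remote Link Layer scenarios use. The address filter is applied inside the NDIS provider, so frames for other hosts never reach the trace file; this is the scripted equivalent of the light-weight filtering the scenarios describe rather than a post-capture view filter.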

Firewall
Windows Filtering Platform tracing. Can capture loopback traffic and IPsec-protected traffic in unencrypted form.

Microsoft-PEF-WFP-MessageProvider

The WFP capture system does the following:

  • Captures loopback traffic and IPsec-protected traffic in unencrypted form.

  • Supports data capture at various points in the Windows kernel TCP/IP stack, such as the Network and Transport layers.

  • Logs structured packet data as ETW events for application protocol analysis and traffic monitoring.

  • Provides raw binary data.

  • Enables you to configure Fast Filters that focus the retrieval action of the PEF-WFP provider.

  • Enables you to log discarded packet events.

    Note  If you set the Discarded Packet Events property under PEF WFP Settings to True, any Fast Filter or WFP Layer Set filter that you have also specified will not apply to packet events that are discarded.

You might use the Firewall scenario with the WFP provider if you want to:

  • Isolate traffic at the Transport and Network stack layers and avoid broadcast and other lower-layer noise.

  • Isolate inbound or outbound TCP/IP traffic for IPv4 and IPv6.

  • Specify light-weight port and address Fast Filters that enable you to select specific messages to capture.

  • Capture (loopback) traffic for application communications, for example between a SQL Server and a Web Server on the same local computer.

  • Troubleshoot discarded packet and IP security issues.

Web Proxy
Web Tracing with web proxy server. Can capture HTTPS client-side traffic.

Microsoft-PEF-WebProxy

Provides the ability to capture application-layer HTTP browser traffic. The Web Proxy Trace Scenario does not capture data from lower layers, such as the Transport layer or below. As a result, you may not capture all HTTP traffic of interest unless you also run a Firewall or Link Layer trace.

Note that the PEF-WebProxy provider will not capture traffic to and from a web browser unless you configure Internet options to use a proxy server for the LAN.

You can use the Web Proxy scenario to do the following:

  • Capture all HTTP traffic to and from a Web browser in unencrypted format.

  • Troubleshoot Web server and client performance issues.

  • Filter HTTP traffic based on a hostname URL or a particular port number, such as 80 or 443.

  • View various sets of HTTP statistics, such as the number of requests and responses, reason phrases, status codes, IDs, host URIs, ports, query strings, server response times, and so on.

  • View header fields to verify whether client caching is functioning.

LAN (Windows 8/Windows Server 2012 or earlier)
Troubleshoot wired LAN issues

Microsoft-PEF-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-Wired-Autoconfig
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS

Note  Before running this scenario, uncheck the Microsoft-Windows-NDIS provider in the Trace Scenario Configuration provider list, since the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions.

Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection.

Use the LAN (Windows 8/Windows Server 2012 or earlier) scenario if you want to do the following:

  • Troubleshoot connection issues related to network adapter configuration and VPNs.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Link Layer (Windows 8/Windows Server 2012 or earlier) scenario.

    Note  To learn how to configure such settings, see Using the PEF-NDIS Provider Advanced Settings Dialog.

LAN (Windows 8.1/Windows Server 2012 R2)

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-Wired-Autoconfig
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS

Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection on Windows 8.1 or Windows Server 2012 R2 computers.

Use the LAN (Windows 8.1/Windows Server 2012 R2) scenario if you want to do the following:

  • Troubleshoot connection issues related to network adapter configuration and VPNs on a Windows 8.1 or Windows Server 2012 R2 computer.

  • Utilize the configuration capabilities and settings that are described in the Local Link Layer (Windows 8.1/Windows Server 2012 R2) scenario.

    Note  To learn how to configure such settings, see Using the Windows NDIS Provider Advanced Settings Dialog and the portions of this topic that apply to NDIS configuration and local tracing.

WLAN (Windows 8/Windows Server 2012 or earlier)
Troubleshoot wireless LAN related issues

Microsoft-PEF-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS
Microsoft-Windows-WLAN-Autoconfig
Microsoft-Windows-NWifi
Microsoft-Windows-VWifi

Note  Before running this scenario, deselect the Microsoft-Windows-NDIS provider in the Trace Scenario Configuration provider list, since the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions.

Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection.

Use the WLAN (Windows 8/Windows Server 2012 or earlier) scenario if you want to do the following:

  • Troubleshoot connection issues related to wireless network adapter configuration.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Link Layer (Windows 8/Windows Server 2012 or earlier) scenario.

    Note  To learn how to configure such settings, see Using the PEF-NDIS Provider Advanced Settings Dialog.

WLAN (Windows 8.1/Windows Server 2012 R2)

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS
Microsoft-Windows-WLAN-Autoconfig
Microsoft-Windows-NWifi
Microsoft-Windows-VWifi

Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection on Windows 8.1 or Windows Server 2012 R2 computers.

Use the WLAN (Windows 8.1/Windows Server 2012 R2) scenario if you want to do the following:

  • Troubleshoot connection issues related to wireless network adapter configuration.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Link Layer (Windows 8.1/Windows Server 2012 R2) scenario.

    Note  To learn how to configure such settings, see Using the Windows NDIS Provider Advanced Settings Dialog and the portions of this topic that apply to NDIS configuration and local tracing.

VPN (Windows 8.1/Windows Server 2012 R2)
Troubleshoot VPN-related issues

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-Ras-NdisWanPacketCapture
Microsoft-Windows-NDIS
Microsoft-Windows-IPSEC-SRV
Microsoft-Windows-WFP
Microsoft-Windows-TCPIP

Contains the Windows-NDIS-PacketCapture provider and other Windows system ETW providers that capture all Virtual Private Network (VPN) traffic on Windows 8.1 or Windows Server 2012 R2 computers.

Use the VPN (Windows 8.1/Windows Server 2012 R2) scenario if you want to do the following:

  • Troubleshoot VPN issues by capturing Ethernet frames.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Link Layer (Windows 8.1/Windows Server 2012 R2) scenario.

    Note  To learn how to configure such settings, see Using the Windows NDIS Provider Advanced Settings Dialog and the portions of this topic that apply to NDIS configuration and local tracing.


Device Category

USB2 (Windows 7/Windows Server 2008 R2, or later)
USB Tracing

Microsoft-Windows-USB-USBPORT
Microsoft-Windows-USB-USBHUB

Consists of two Windows providers that capture events related to USB2 devices.

Helps you to troubleshoot any device that is plugged into a USB2 port.

USB3 (Windows 8/Windows Server 2012 or later)
USB tracing for USB 3 host controllers (USB 2 or USB 3 devices)

Microsoft-Windows-USB-USBXHCI
Microsoft-Windows-USB-UCX
Microsoft-Windows-USB-USBHUB3

Contains three Windows providers that capture events related to USB3 devices.

Helps you to troubleshoot any device that is plugged into a USB3 port.

Windows 8 Bluetooth (Windows 8/Windows Server 2012 or later)
Troubleshoot Bluetooth issues

Microsoft-Windows-BTH-BTHUSB
Microsoft-Windows-Bluetooth-BthLEEnum
Microsoft-Windows-BTH-BTHPORT
Microsoft-Windows-Bluetooth-HidBthLE
Microsoft-Windows-Bluetooth-Bthmini

Contains five Windows providers that capture events related to Bluetooth devices.

Helps you to troubleshoot a Bluetooth connection, pairing, and other issues, such as data display.


System Category

RPC
Troubleshoot issues related to RPC framework

Microsoft-Windows-RPC

Contains a single Windows provider that captures events from the remote procedure call (RPC) framework, including errors and other information (see the Keyword configuration for this provider).

You might use this Trace Scenario to troubleshoot distributed programs that use RPC.


Windows 8 File Sharing Category

SMB Client Full PDU (Windows 8/Windows Server 2012 or later)
SMB Client provider with full PDUs

Microsoft-Windows-SMBClient

Contains a single Windows provider that is extended for SMB client events.

Supports tracing with SMB filtering that enables you to see data from the SMB client even when it is encrypted on the wire, because the events are logged by the SMB client itself rather than captured from the network. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider.

Tip  The ETW Provider Core Configurations for all SMB providers in the Windows 8 File Sharing category are keyword enabled for additional filtering capability.

SMB Client Header Only (Windows 8/Windows Server 2012 or later)
SMB Client provider Header Only

Microsoft-Windows-SMBClient

Contains a single Windows provider that is extended for SMB client events.

Supports tracing with SMB filtering that enables you to retrieve only the headers from packets sent by the SMB client. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements.

SMB Server Full PDU (Windows 8/Windows Server 2012 or later)
SMB Server provider with full PDUs

Microsoft-Windows-SmbServer

Contains a single Windows provider that is extended for SMB server events.

Supports tracing with SMB filtering that enables you to see data from the SMB server even when it is encrypted on the wire, because the events are logged by the SMB server itself rather than captured from the network. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider.

SMB Server Header Only (Windows 8/Windows Server 2012 or later)
SMB Server with Headers Only

Microsoft-Windows-SmbServer

Contains a single Windows provider that is extended for SMB server events.

Supports tracing with SMB filtering that enables you to retrieve only the headers from packets sent by the SMB server. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements.

SMB2 Client And Firewall (Windows 8/Windows Server 2012 or later)
SMB client and packets from the transport layer

Microsoft-Windows-SMBClient
Microsoft-PEF-WFP-MessageProvider

Provides full SMB information in addition to data from the Transport layer with the PEF-WFP provider.

Supports SMB client and firewall-level tracing.
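The Tip above notes that the SMB providers are keyword enabled, and the RPC scenario earlier refers to the Keyword configuration of Microsoft-Windows-RPC. The PowerShell below is an added example, not code from this page or from Message Analyzer: it reads the keywords a registered provider exposes from its manifest, builds a keyword mask from keyword names you choose, and starts a keyword-scoped ETW session with logman so that only the selected event classes are logged. Keyword names are looked up at run time rather than hard-coded; the session name and output path are assumptions.

```powershell
# Added example (not Message Analyzer code): enumerate provider keywords and start a
# keyword-scoped ETW session with logman. Session name and output path are assumptions.
#Requires -RunAsAdministrator

function Get-ProviderKeywords {
    param([Parameter(Mandatory)][string]$Provider)
    # Reads the registered manifest; works for any Microsoft-Windows-* provider named on this page.
    (Get-WinEvent -ListProvider $Provider -ErrorAction Stop).Keywords |
        Select-Object Name, @{ n = 'Value'; e = { '0x{0:X16}' -f $_.Value } }, DisplayName
}

function Get-ProviderKeywordMask {
    param(
        [Parameter(Mandatory)][string]$Provider,
        [string[]]$KeywordName    # names as listed by Get-ProviderKeywords; omit to OR all keywords
    )
    $all = (Get-WinEvent -ListProvider $Provider -ErrorAction Stop).Keywords
    if ($KeywordName) {
        # Fail early on a misspelled keyword instead of silently tracing nothing.
        $missing = $KeywordName | Where-Object { $_ -notin $all.Name }
        if ($missing) { throw "Unknown keyword(s) for ${Provider}: $($missing -join ', ')" }
        $all = $all | Where-Object { $_.Name -in $KeywordName }
    }
    [int64]$mask = 0
    foreach ($k in $all) { $mask = $mask -bor [int64]$k.Value }
    return ('0x{0:X16}' -f $mask)
}

function Start-KeywordScopedTrace {
    param(
        [Parameter(Mandatory)][string]$Provider,
        [string[]]$KeywordName,
        [string]$SessionName = 'KwTrace',             # assumed name
        [string]$OutFile     = 'C:\Traces\kwtrace.etl', # assumed path; directory must exist
        [int]$Level          = 5                      # 5 = verbose
    )
    $mask = Get-ProviderKeywordMask -Provider $Provider -KeywordName $KeywordName
    # logman syntax: -p <provider> <keyword mask> <level>; -ets creates and starts in one step.
    & logman.exe create trace $SessionName -p $Provider $mask ('0x{0:X}' -f $Level) -o $OutFile -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman create trace failed with exit code $LASTEXITCODE" }
    return $mask
}

function Stop-KeywordScopedTrace {
    param([string]$SessionName = 'KwTrace')
    & logman.exe stop $SessionName -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
}

# Usage: list the SMB client keywords, then trace the provider. Pass -KeywordName with names
# taken from the listing to narrow the session to the event classes you want.
Get-ProviderKeywords -Provider 'Microsoft-Windows-SMBClient' | Format-Table -AutoSize
$mask = Start-KeywordScopedTrace -Provider 'Microsoft-Windows-SMBClient'
"Tracing Microsoft-Windows-SMBClient with keyword mask $mask"
Start-Sleep -Seconds 30
Stop-KeywordScopedTrace
```

The same functions apply to Microsoft-Windows-SmbServer and Microsoft-Windows-RPC; run Get-ProviderKeywords against each to see which keyword names it defines before choosing a subset. The resulting .etl file can be opened in Message Analyzer like any other ETW trace.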


More Information
To learn more about PEF provider capabilities, see PEF Providers.
To learn more about configuring provider settings, see Creating and Modifying Trace Sessions.
To learn more about provider manifests, see Obtaining Provider Manifests.
To learn more about managing the Trace Scenarios item collection, see Managing Trace Scenarios.

© 2014 Microsoft