Modifying Provider Settings
To enhance the capture configuration of a Live Trace Session, you can modify the following aspects of ETW-instrumented providers:
Driver-level filtering — as described in Common Provider Configuration Settings Summary, you can configure various low-level Fast Filters for PEF providers, for example the Microsoft-PEF-NDIS-PacketCapture provider, to make your Live Trace Sessions more selective and improve performance. You can also configure special stack filters and packet traversal paths at the driver level for Trace Scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider. Filtering at the driver-provider level improves speed, which can rapidly become critical when large numbers of messages do not pass the filtering criteria.
Event filtering — as described in System ETW Provider Configuration Settings, you can specify Keyword and Level filter settings for numerous system ETW Providers to enable selective event logging via ETW, which subsequently focuses the events that Message Analyzer captures.
These provider setting types are available on the Provider and ETW Core tabs of the Advanced Settings dialog. To open the dialog, click the Configure link for a message provider that displays in the ETW Providers list on the Live Trace tab of the New Session dialog. The available settings enable you to do the following:
Configure Groups of logically chained Fast Filters and assign them to selected adapters by specifying settings in the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog for a Local Network Interfaces trace.
Configure Fast Filters in the Advanced Settings - Microsoft-PEF-WFP-MessageProvider dialog for a Loopback and Unencrypted IPSEC trace. You can also specify WFP Layer Set filters in this dialog to set the direction in which Transport layer traffic is captured.
Set the Keyword and/or Level configuration of system ETW providers by specifying settings on the ETW Core tab of the Advanced Settings dialog for any provider that displays in the ETW Providers list of the New Session dialog.
Specify the layers on which packets are intercepted in the NDIS filter stack or Hyper-V-Switch extension stack, in Trace Scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider. You can also configure special filters such as Truncation, packet traversal Direction, EtherTypes, IP Protocol Numbers, Mac Addresses, and IP Addresses for this provider.
Note: For system ETW Providers (Windows components that have been instrumented as ETW event providers), you can only modify the Keyword and Level filtering configurations; however, not all system ETW Providers make keyword settings available for filtering. System ETW Providers, such as the Microsoft-Windows-LDAP-Client, are contained in a searchable Add Provider library that is located in the ETW Providers toolbar on the Live Trace tab of the New Session dialog.
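How a Level and Keyword setting decides which events reach the capture, shown as an added example that is not part of the Message Analyzer documentation. It follows the general ETW rule for a level threshold combined with "match any" and "match all" keyword masks; the assumption is that the ETW Core tab values map onto these three inputs, and the keyword names, bit values and sample events are constructed.

```python
# Added illustration of ETW Level/Keyword event filtering.
# Keyword names, bit values and sample events are constructed, not taken
# from any real provider manifest.
from dataclasses import dataclass

LEVELS = {"LogAlways": 0, "Critical": 1, "Error": 2,
          "Warning": 3, "Information": 4, "Verbose": 5}
ALL_KEYWORDS = 0xFFFFFFFFFFFFFFFF

@dataclass(frozen=True)
class Event:
    name: str
    level: int      # severity the provider assigned to the event
    keywords: int   # 64-bit category bitmask; 0 means "no keyword"

@dataclass(frozen=True)
class ProviderFilter:
    level: int          # highest level to log; 0 disables the level limit
    match_any: int = 0  # 0 is treated as "all keywords"
    match_all: int = 0  # every bit set here must be present on the event

def is_logged(ev: Event, flt: ProviderFilter) -> bool:
    # Level test: lower numbers are more severe, so Warning (3) also
    # admits Error (2) and Critical (1) events.
    if flt.level != 0 and ev.level > flt.level:
        return False
    # Events that carry no keyword bits bypass the keyword masks.
    if ev.keywords == 0:
        return True
    any_mask = flt.match_any or ALL_KEYWORDS
    return bool(ev.keywords & any_mask) and \
        (ev.keywords & flt.match_all) == flt.match_all

def captured(events, flt):
    return [e.name for e in events if is_logged(e, flt)]

KW_SEARCH, KW_BIND, KW_SSL = 0x1, 0x2, 0x4   # hypothetical keyword bits
SAMPLE = [
    Event("bind-failed", LEVELS["Error"], KW_BIND),
    Event("bind-tls-detail", LEVELS["Verbose"], KW_BIND | KW_SSL),
    Event("search-start", LEVELS["Information"], KW_SEARCH),
    Event("tls-warning", LEVELS["Warning"], KW_SSL),
    Event("unclassified", LEVELS["Warning"], 0),
]

if __name__ == "__main__":
    flt = ProviderFilter(LEVELS["Warning"], match_any=KW_BIND | KW_SSL)
    print(captured(SAMPLE, flt))
```

A tighter Level setting drops the verbose event even though its keywords match, which is why a trace can miss detail that the Keyword selection alone appears to include.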
To learn more about how to configure common provider settings, see the Common Provider Configuration Settings Summary.
To learn more about how to configure settings for the Microsoft-PEF-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
To learn more about how to configure settings for the Microsoft-Windows-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.