
Common Provider Configuration Settings Summary

This topic provides an overview of the types of filters that you can apply to the core providers that are used in the most common Trace Scenarios that Message Analyzer provides. Examples of settings for such filters are included in the Common Provider Configuration Settings table of this topic.

Selecting Data with Trace Provider Filtering

Message Analyzer enables you to select specific data from a Live Trace Session by modifying the settings of ETW providers that are included in Message Analyzer Trace Scenarios. These settings enable you to configure key filter configurations for Message Analyzer providers in the following common Trace Scenarios:

  • Local Network Interfaces (Windows 8 and earlier) — you can configure the following types of filtering for the Microsoft-PEF-NDIS-PacketCapture provider that is used in this scenario:

    • Fast filtering — enables you to filter message traffic based on offset-length patterns (OLPs), LinkLevelAddress, IPv4 address, and IPv6 address.

    • Adapter filtering — enables you to isolate traffic on specific adapters.

    • Combined filtering — enables you to create Groups of logically chained Fast Filters and assign them to specific adapters on your system.

  • Remote Network Interfaces — you can configure the following types of filtering for the Microsoft-Windows-NDIS-PacketCapture provider:

    • Adapter filtering — enables you to isolate traffic to specific adapters, including remote host adapters and adapters for virtual machines (VMs) that are serviced by a Hyper-V-Switch.

    • Driver filtering — enables you to isolate inbound or outbound traffic to remote host adapters and to specify the NDIS filter layers on which to intercept packets that traverse the NDIS stack contained in the adapter.

    • Switch filtering — enables you to specify the filter layers on which to intercept packets that traverse a remote Hyper-V-Switch Extension stack and you can also specify the direction in which packets traverse this stack.

    • Packet filtering — other filters that you can specify to modify the trace configuration on a remote host with the Microsoft-Windows-NDIS-PacketCapture provider include Truncation, EtherTypes, IP Protocol Numbers, MAC Addresses, and IP Addresses.

    Note  You can specify these same filter types in local Trace Scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider, for example, the Local Network Interfaces (Windows 8.1 and later) scenario. The difference is that you apply the indicated filters to host or VM adapters that exist on the local computer.

  • Loopback and Unencrypted IPSEC — you can configure the following types of filtering for the Microsoft-PEF-WFP-MessageProvider that is used in this scenario:

    Note  The Network Tunnel Traffic and Unencrypted IPSEC scenario also uses the Microsoft-PEF-WFP-MessageProvider and supports the same types of filtering listed below.

    • Fast filtering — enables you to filter messaging traffic based on IPv4 address, IPv6 address, TCPPort, and UDPPort values.

    • Transport layer filtering — enables you to isolate inbound and outbound transport layer message traffic for IPv4 and IPv6 transports.

    Note  You can also choose to select discarded packet events for logging.

  • Unencrypted HTTPS — you can configure the following types of filtering for the Microsoft-PEF-WebProxy provider that is used in this scenario:

    • HTTP filtering — enables you to filter for specified host names and port numbers.

    Note  You can also specify a certificate file to use for server authentication on HTTPS connections.

Fast Filters

You can modify the provider configuration in the Local Network Interfaces (Win 8 and earlier) and Loopback and Unencrypted IPSEC Trace Scenarios by specifying low-level Fast Filters. Message Analyzer enables you to add simple filtering values as part of your Fast Filter configuration, as described in the Common Provider Configuration Settings table. Because Fast Filters are applied by the provider, they reduce the data volume that is transported from kernel to user mode, which saves system resources and also improves Message Analyzer efficiency under heavy traffic loads.

You can apply Fast Filters in any Trace Scenario that uses the Microsoft-PEF-WFP-MessageProvider or the Microsoft-PEF-NDIS-PacketCapture provider. Fast Filters for the Microsoft-PEF-WFP-MessageProvider are configured on the Provider tab of the Advanced Settings – Microsoft-PEF-WFP-MessageProvider dialog; open it by clicking the Configure link for that provider in the ETW Providers list after you select a Loopback and Unencrypted IPSEC Trace Scenario in the New Session dialog. Fast Filters for the Microsoft-PEF-NDIS-PacketCapture provider are configured on the Provider tab of the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, which you open the same way after you select a Local Network Interfaces Trace Scenario. Because these filters are evaluated by the provider before messages reach Message Analyzer, they focus a provider's message retrieval at a lower level than a Session Filter, which makes them faster and more efficient.

For example, you can configure up to three Fast Filters per Group in the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, and each filter can be any of the four filter types described earlier in this topic for the Local Network Interfaces scenario. If you specify more than one Fast Filter per Group, then you can choose to logically AND or OR the filters together. Thereafter, you can assign the filter Groups to specific adapters that are listed in the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog. Also note that filter Groups are logically ANDed together by default.

You can learn more about configuring Groups of Fast Filters and adapter assignment in Trace Scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider by reviewing the topic Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog. However, some of the settings for adapter and Fast Filter configuration are briefly described in the configuration settings table in this section.
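The Group logic described above (one to three Fast Filters per Group chained with AND or OR, Groups ANDed per adapter) and the four filter types from the Common Provider Configuration Settings table below can be modelled against raw Ethernet frames. The following is an added example, not Message Analyzer's own code. It constructs two sample frames in memory, evaluates OLP, LinkLevelAddress, IPv4Address and IPv6Address filters against them, and combines them into Groups. One assumption is labelled in the code: the page gives only the OLP example 34:8:7F without defining its units, so the model reads "offset:length:pattern" as a byte offset into the frame, a length in bits, and a hexadecimal pattern.

```python
"""Model of Fast Filter evaluation for the Microsoft-PEF-NDIS-PacketCapture provider.

Added example; not Message Analyzer code. Assumption: an OLP "offset:length:pattern"
is a byte offset into the frame, a length in bits and a hex pattern (the page does
not define the units of its 34:8:7F example).
"""
import ipaddress
import struct
from dataclasses import dataclass


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


@dataclass
class FastFilter:
    kind: str        # "OLP", "LinkLevelAddress", "IPv4Address" or "IPv6Address"
    value: str
    op: str = "="    # OLP only: "=", "!=", "<" or ">"

    def matches(self, frame: bytes) -> bool:
        if self.kind == "OLP":
            return self._olp(frame)
        if self.kind == "LinkLevelAddress":
            mac = _mac(self.value)
            return frame[0:6] == mac or frame[6:12] == mac   # destination or source MAC
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if self.kind == "IPv4Address":
            addr = ipaddress.IPv4Address(self.value).packed
            return ethertype == 0x0800 and addr in (frame[26:30], frame[30:34])
        if self.kind == "IPv6Address":
            addr = ipaddress.IPv6Address(self.value.split("%")[0]).packed  # drop zone index
            return ethertype == 0x86DD and addr in (frame[22:38], frame[38:54])
        raise ValueError(f"unknown Fast Filter type {self.kind}")

    def _olp(self, frame: bytes) -> bool:
        offset, length, pattern = self.value.split(":")
        offset, length = int(offset), int(length)
        nbytes = (length + 7) // 8
        chunk = frame[offset:offset + nbytes]
        if len(chunk) < nbytes:
            return False                  # frame too short to contain the field: no match
        actual = int.from_bytes(chunk, "big") >> (nbytes * 8 - length)
        expected = int(pattern, 16)
        return {"=": actual == expected, "!=": actual != expected,
                "<": actual < expected, ">": actual > expected}[self.op]


@dataclass
class FilterGroup:
    filters: list
    logic: str = "AND"   # how the filters inside the Group are chained

    def __post_init__(self):
        if not 1 <= len(self.filters) <= 3:
            raise ValueError("a Group holds one to three Fast Filters")

    def matches(self, frame: bytes) -> bool:
        results = [f.matches(frame) for f in self.filters]
        return all(results) if self.logic == "AND" else any(results)


def adapter_passes(frame: bytes, groups: list) -> bool:
    """Every Group assigned to an adapter must match (Groups are ANDed by default)."""
    return all(g.matches(frame) for g in groups)


# Constructed sample frames (built in memory, not captured traffic).
def ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload

def tcp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def ipv4(src: str, dst: str, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def ipv6(src: str, dst: str, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 6, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

HOST_MAC, PEER_MAC = "01-23-45-67-89-AB", "00-11-22-33-44-55"
FRAME_V4 = ethernet(PEER_MAC, HOST_MAC, 0x0800, ipv4("192.168.1.1", "10.0.0.5", tcp_header(443, 51000)))
FRAME_V6 = ethernet(PEER_MAC, HOST_MAC, 0x86DD,
                    ipv6("fe80::9de5:fc31:8856:58a8", "fe80::1", tcp_header(443, 51001)))

if __name__ == "__main__":
    # OLP 34:16:01BB reads the 16 bits at byte 34 (TCP source port in an IPv4 frame) and compares with 0x01BB (443).
    port_443 = FilterGroup([FastFilter("OLP", "34:16:01BB")])
    either_family = FilterGroup([FastFilter("IPv4Address", "192.168.1.1"),
                                 FastFilter("IPv6Address", "fe80::9de5:fc31:8856:58a8%11")], "OR")
    for name, frame in (("v4", FRAME_V4), ("v6", FRAME_V6)):
        print(name, adapter_passes(frame, [either_family, port_443]))
```

Note that an OLP is tied to a fixed frame layout: offset 34 is the TCP source port only in an IPv4 frame without options, while in the IPv6 frame the same offset lands inside the source address, so the port Group rejects the IPv6 frame even though its port is also 443. That is the practical reason the page recommends keeping OLP filters to one per adapter and using the address filter types where they fit.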

Adapter and Packet Filtering

You can modify the provider configuration in a Remote Network Interfaces Trace Scenario to isolate traffic to a particular remote host adapter or VM adapter, specify the traffic direction and NDIS filter layers on which to intercept packet traffic on host adapters, and specify the data path and Hyper-V-Switch extension layers on which to intercept packet traffic. You can also specify other special filters such as Truncation, EtherType, IP Protocol Number, MAC Address, and IP Address. These filters modify the scope of the data that you capture on a remote host with the Microsoft-Windows-NDIS-PacketCapture provider in a Remote Network Interfaces scenario. You can also apply these settings in other Trace Scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider, which includes capturing data on a local host.

Configuration settings for the Microsoft-Windows-NDIS-PacketCapture provider are available in the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog. You can open this dialog by clicking the Configure link for the Microsoft-Windows-NDIS-PacketCapture provider as described earlier, after you select a Remote Network Interfaces scenario.

You can learn more about capturing data from a remote host and how to use the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog by reviewing the topic Capturing Data Remotely. However, some of the configuration settings for remote tracing are briefly described in the configuration settings table that is included in this section.

Note  Several other default Trace Scenarios use the Microsoft-Windows-NDIS-PacketCapture provider, for example, the Local Network Interfaces (Win 8.1 and later), Wired LAN (Win 8.1 and later), and VPN scenarios. However, the Microsoft-Windows-NDIS-PacketCapture provider in these scenarios does not have remote capabilities. As a result, the Filter settings in the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog apply to local adapters only, not to remote adapters. Also note that you have the option to specify a considerable number of event Keyword filters from the ETW Core tab of the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog, for example, events for dropped packets, response time, and diagnostics.
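The event Keyword and Level filters on the ETW Core tab follow standard ETW enable semantics: an event is delivered only if its level is at or below the session level and its keyword bits satisfy the Keywords(Any) and Keywords(All) masks. The following added example (not Message Analyzer code) applies that check, as implemented by mc.exe-generated EventEnabled code, to a constructed event list so you can see the difference between the two masks. The event names and keyword bit positions are made up for illustration and are not the real keywords of any Microsoft provider.

```python
"""Model of ETW Keyword(Any)/Keyword(All)/Level filtering as exposed on the ETW Core tab.

Added example; not Message Analyzer code. Event names and keyword bits below are
constructed for illustration only.
"""
LEVELS = {"Critical": 1, "Error": 2, "Warning": 3, "Information": 4, "Verbose": 5}


def keyword_enabled(event_keyword: int, match_any: int, match_all: int) -> bool:
    """ETW keyword test: events with no keyword bits always pass; any other event needs
    at least one bit of Keywords(Any) and every bit of Keywords(All)."""
    if event_keyword == 0:
        return True
    if event_keyword & match_any == 0:
        return False
    return event_keyword & match_all == match_all


def level_enabled(event_level: int, session_level: int) -> bool:
    """Session level 0 means all levels; otherwise a lower number is more severe."""
    return session_level == 0 or event_level <= session_level


def keyword_mask(*bits: int) -> int:
    """Build a keyword mask from bit positions (bits 6 and 7 give 0x...C0)."""
    mask = 0
    for b in bits:
        mask |= 1 << b
    return mask


def as_hex(mask: int) -> str:
    """Format a mask the way the ETW Keyword Filter Property dialog shows it."""
    return f"0x{mask:016X}"


def select_events(events: list, keywords_any: int, keywords_all: int, level: str) -> list:
    """Return the names of the events a session with these settings would record."""
    session_level = LEVELS[level]
    return [e["name"] for e in events
            if level_enabled(e["level"], session_level)
            and keyword_enabled(e["keyword"], keywords_any, keywords_all)]


# Constructed events: a keyword-less lifecycle event plus four keyworded ones.
KW_DROPPED, KW_RESPONSE_TIME, KW_DIAGNOSTICS = 1 << 6, 1 << 7, 1 << 8
SAMPLE_EVENTS = [
    {"name": "PacketDropped",   "keyword": KW_DROPPED,                  "level": LEVELS["Warning"]},
    {"name": "SlowResponse",    "keyword": KW_RESPONSE_TIME,            "level": LEVELS["Information"]},
    {"name": "DropDiagnostic",  "keyword": KW_DROPPED | KW_DIAGNOSTICS, "level": LEVELS["Verbose"]},
    {"name": "ProviderStarted", "keyword": 0,                           "level": LEVELS["Information"]},
    {"name": "FilterError",     "keyword": KW_DIAGNOSTICS,              "level": LEVELS["Error"]},
]

if __name__ == "__main__":
    any_mask = keyword_mask(6, 7)
    print(as_hex(any_mask), select_events(SAMPLE_EVENTS, any_mask, 0, "Information"))
    strict = keyword_mask(6, 8)
    print(as_hex(strict), select_events(SAMPLE_EVENTS, strict, strict, "Verbose"))
```

Two points worth checking in your own sessions: a Keywords(All) mask rejects an event that carries only some of its bits, so combining it with Keywords(Any) narrows rather than widens the capture; and events that carry no keyword at all pass every keyword filter, so a keyword mask alone never silences a provider's keyword-less events.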

Common Provider Configuration Settings

The table that follows describes configuration settings that you can specify for ETW message providers in the following common Trace Scenario types:

  • Local Network Interfaces

  • Remote Network Interfaces

  • Loopback and Unencrypted IPSEC

  • Unencrypted HTTPS

Note  The default Trace Scenarios included with Message Analyzer can contain a combination of PEF and system ETW providers. By understanding how to configure settings for these provider types, as used in the common Trace Scenarios and described in the table that follows, you will also understand how to modify the providers in other default Trace Scenarios, as appropriate to your requirements.

Table 3. Common provider configuration settings

Each entry below gives the default Trace Scenario and its purpose, followed by the configuration setting, the property or feature it exposes, and a description.

Scenario: Local Network Interfaces (Capture local Link Layer traffic from NDIS)

Setting: Adapters
Property or feature: In, Out

This feature is accessible from the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog. By selectively enabling or disabling the In and Out check boxes for the adapters listed in this dialog, you choose both the adapters through which message traffic is captured and the direction in which it is captured. The adapters you can select in the dialog are enumerated on your system when the Microsoft-PEF-NDIS-PacketCapture provider is installed. By default, Message Analyzer enables local adapters for capturing data in both directions.

To prevent an adapter from capturing message traffic, simply deselect its In and Out check boxes.

Note  You can also isolate message traffic to a specific adapter by configuring a Fast Filter to contain its LinkLevelAddress, as described in the Fast Filters section of this table.

Setting: Fast Filters
Property or feature: Filter type

This feature is accessible from the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog. It enables you to use a drop-down list to select the type of filters you want to configure, a Group to contain them, and the adapters to assign them to when configuring a Local Network Interfaces scenario. The Fast Filters that you can specify consist of the following:

  • OLP — enables you to specify an offset length pattern (OLP) that filters for messages containing the pattern. For example, you might set an OLP to 34:8:7F to return only messages that contain this particular OLP.

    Operators that function with the OLP filter type consist of equal (=), not equal (!=), less than (<), and greater than (>).

    Note  As a result of complexities and the impact on performance, you should only configure a single OLP filter per adapter in the Microsoft-PEF-NDIS-PacketCapture provider settings, although different adapters can have different filters.

    To learn more about OLP filtering, see OLP Filters.

  • LinkLevelAddress — enables you to specify the Media Access Control (MAC) hardware address of a particular adapter so that only the inbound and outbound traffic of that adapter is captured. Specify the address as six hexadecimal bytes, similar to the following example:  01-23-45-67-89-AB.

  • IPv4Address — enables you to isolate message traffic to a specified IPv4 address, by specifying a value such as the following in the text box to the right of the Filter type drop-down menu:  192.168.1.1

  • IPv6Address — enables you to isolate message traffic to a specified IPv6 address, by specifying a value such as the following in the text box to the right of the Filter type drop-down menu:  fe80::9de5:fc31:8856:58a8%11

To learn more about configuring Fast Filters for the Microsoft-PEF-NDIS-PacketCapture provider and assigning them to specific adapters, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.

Scenario: Remote Network Interfaces (Remote capture on Link Layer)

Setting: Adapters
Property or feature: Enabling

This feature is accessible from the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog. By selecting the check boxes in this dialog for enabling host adapters and/or adapters for virtual machines (VMs) that are serviced by a Hyper-V-Switch, you can specify the adapters through which to capture remote traffic, and in so doing, enable those adapters to receive any filtering configurations that you specify in the Advanced Settings dialog. The adapters that you can select in the dialog are enumerated on your system when you connect to a specified remote host. By default, Message Analyzer enables all adapters in the Advanced Settings dialog. To prevent traffic from being captured on a listed adapter, you can simply deselect it.

Setting: Filters
Property or feature: the following filter types, which you can apply in remote tracing scenarios:

  • All Layers filter

  • Packet Truncation filter

  • Direction filter:

    • Ingress/Egress packet direction path through NDIS filter stack when applied to host adapters.

    • Ingress/Egress packet traversal path on the Hyper-V-Switch extension stack when applied to a switch adapter.

  • EtherType filter

  • IP protocol number filter

  • MAC Address filter

  • IP Address filter

The configuration for these filters is located in the Filters pane of the Advanced Settings dialog. From the dialog, you can choose the NDIS filter layers on which packets are intercepted in remote host adapters or on the Extension layers of a Hyper-V-Switch that services a remote VM adapter, for troubleshooting purposes. You can also set the direction in which to capture data on remote host adapters, and the packet traversal paths through a remote Hyper-V-Switch Extension stack. Other filters that you can specify include Truncation, EtherType, IP Protocol Numbers, MAC Address, and IP Address filters.

To learn more about how to configure such filters for a remote trace, see the Capturing Data Remotely and Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog topics.

Scenario: Loopback and Unencrypted IPSEC (Windows Filtering Platform Tracing)

Setting: WFP Layer Set

Provides the following layer set filters for Trace Scenarios that use the Microsoft-PEF-WFP-MessageProvider:

  • INBOUND_TRANSPORT_V4

  • OUTBOUND_TRANSPORT_V4

  • INBOUND_TRANSPORT_V6

  • OUTBOUND_TRANSPORT_V6

Property or feature: INBOUND_TRANSPORT_V4 (check box: select or unselect)

A kernel-mode TCP/IP stack filter that operates in the receive path at the Transport layer before any processing occurs at that layer. This layer is above IPsec processing at the Network layer and below Application Level Enforcement (ALE) layers, so when selected, this filter enables capture of all inbound packets at the Transport layer, with the exclusion of any that are dropped at the Network layer.

You can select or unselect this filter to capture or not capture TCP/IPv4 packets, respectively, at the Transport layer.

Property or feature: OUTBOUND_TRANSPORT_V4 (check box: select or unselect)

A kernel-mode TCP/IP stack filter that operates in the send path at the Transport layer before any processing occurs at that layer. This layer is above IPsec processing at the Network layer and below Application Level Enforcement (ALE) layers, so when selected, this filter enables capture of all outbound packets at the Transport layer, with the exclusion of any that are dropped at the Network layer.

You can select or unselect this filter to capture or not capture TCP/IPv4 packets, respectively, at the Transport layer.

Property or feature: INBOUND_TRANSPORT_V6 (check box: select or unselect)

A kernel-mode TCP/IP stack filter layer in the receive path that you can select or unselect to capture or not capture inbound TCP/IPv6 packets, respectively, at the Transport layer.

Property or feature: OUTBOUND_TRANSPORT_V6 (check box: select or unselect)

A kernel-mode TCP/IP stack filter layer in the send path that you can select or unselect to capture or not capture outbound TCP/IPv6 packets, respectively, at the Transport layer.

Setting: Fast Filters (see note 2 below the table)
Property or feature: FilterType

Improves performance, for example when processing large volumes of traffic, by letting you discard unwanted traffic with IP address and port filters before it reaches user mode. You can specify the type of Fast Filter you want to apply to a Loopback and Unencrypted IPSEC trace by selecting it from a drop-down list that includes the following items:

  • IPv4Address —should be specified in a format similar to the following:  192.168.1.1.

  • IPv6Address — should be specified in a format similar to the following:  2001:4898:2b:3:d824:99e9:7371:31d9 or, for a link-local address with its zone index, fe80::6e9c:edff:fe94:ec00%11

  • TCPPort — should be specified in integer format, for example:  80.

  • UDPPort — should be specified in integer format, for example:  53.

Note  For tracing with the Microsoft-PEF-WFP-MessageProvider, the specified filter is applied only to the corresponding layer(s). For example, IPv4Address==192.168.1.1 is applied to the INBOUND_TRANSPORT_V4 and OUTBOUND_TRANSPORT_V4 layers only; there is no filter on the V6 counterparts. If the V6 layers are enabled, you will therefore see both IPv4 and IPv6 frames. If you want to see only IPv4 messages, enable only the IPv4 layers in the WFP Layer Set and then configure a Fast Filter with an IPv4Address.

TCP and UDP port numbers should be integers between 0 and 65535.

Property or feature: Filter text box

Provides the entry point where you specify a value for the type of filter that you selected in a Fast Filter drop-down menu.

Scenario: Unencrypted HTTPS (Capture HTTPS client-side unencrypted traffic with the Web Proxy-Fiddler provider)

Setting: HostnameFilter
Property or feature: host name in the format www.bing.com

Filters HTTP packets from a web server based on the host name.

Setting: PortFilter
Property or feature: port number in a format similar to the following: 80

Filters packets by numbered ports only.

Setting: HTTPS Client Certificate
Property or feature: a certificate file in *.cer format

Specifies the .cer file that Fiddler returns in a given session. Used for server certificate validation.

Scenario: any Trace Scenario that includes System ETW Providers

Setting: Event Keyword filter
Property or feature: Keywords(All), Keywords(Any)

Select event Keywords from the ETW Keyword Filter Property dialog that is accessible from the ETW Core tab of the Advanced Settings dialog for a particular message provider. Predefined Keywords in the ETW Keyword Filter Property dialog are selectable by Value name and translate to 16-digit hexadecimal numbers, for example:  0x00000000000000C0.

Setting: Level filter
Property or feature: Critical, Error, Warning, Information, Verbose

Settings enable filtering based on the severity or verbosity of events.


Note 2. When capturing data in Trace Scenarios that use the Microsoft-PEF-WFP-MessageProvider, setting a Fast Filter such as IPv4Address == 192.168.1.1 does not prevent IPv6 traffic from being captured, because IPv4 and IPv6 messages are retrieved from separate layers in these scenarios and the Fast Filter applies only to the IPv4 layers.
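The interaction between the WFP Layer Set check boxes and a Fast Filter that the note above describes is easy to get wrong when you expect an address filter to restrict the whole capture. The following added example (not Message Analyzer code) models that behaviour with constructed packets: a packet is seen only if its layer is enabled, an IPv4Address or IPv6Address filter is bound solely to the layers of its own address family, and port values are checked against the 0 to 65535 range the page requires. One assumption is labelled in the code: the page does not say which layers a TCPPort or UDPPort filter binds to, so the model applies those to both families.

```python
"""Model of a Microsoft-PEF-WFP-MessageProvider Fast Filter combined with the WFP Layer Set.

Added example; not Message Analyzer code. Assumption: TCPPort and UDPPort filters apply
to both the V4 and V6 transport layers (the page does not specify this).
"""
from dataclasses import dataclass

ALL_LAYERS = {"INBOUND_TRANSPORT_V4", "OUTBOUND_TRANSPORT_V4",
              "INBOUND_TRANSPORT_V6", "OUTBOUND_TRANSPORT_V6"}
V4_ONLY = {"INBOUND_TRANSPORT_V4", "OUTBOUND_TRANSPORT_V4"}


@dataclass(frozen=True)
class Packet:          # constructed sample data, not a capture
    direction: str     # "INBOUND" or "OUTBOUND"
    proto: str         # "TCP" or "UDP"
    src: str
    dst: str
    sport: int
    dport: int

    @property
    def family(self) -> str:
        return "V6" if ":" in self.src else "V4"

    @property
    def layer(self) -> str:
        return f"{self.direction}_TRANSPORT_{self.family}"


def validate_port(value: str) -> int:
    """TCP and UDP port numbers must be integers between 0 and 65535."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0-65535")
    return port


def captured(pkt: Packet, enabled_layers: set, fast_filter=None) -> bool:
    """fast_filter is a (FilterType, value) pair as entered in the dialog, or None."""
    if pkt.layer not in enabled_layers:
        return False                      # layer unchecked: the provider never sees it
    if fast_filter is None:
        return True
    kind, value = fast_filter
    bound_family = {"IPv4Address": "V4", "IPv6Address": "V6"}.get(kind)
    if bound_family is not None and bound_family != pkt.family:
        return True                       # the filter is bound only to its own family's layers
    if kind in ("IPv4Address", "IPv6Address"):
        return value.split("%")[0] in (pkt.src, pkt.dst)
    if kind == "TCPPort":
        return pkt.proto == "TCP" and validate_port(value) in (pkt.sport, pkt.dport)
    if kind == "UDPPort":
        return pkt.proto == "UDP" and validate_port(value) in (pkt.sport, pkt.dport)
    raise ValueError(f"unknown Fast Filter type {kind}")


SAMPLE = [
    Packet("INBOUND",  "TCP", "192.168.1.1",  "192.168.1.20", 443,   50000),
    Packet("OUTBOUND", "TCP", "192.168.1.20", "10.0.0.9",     50001, 443),
    Packet("INBOUND",  "UDP", "fe80::9de5:fc31:8856:58a8", "fe80::1", 53, 50002),
]


def trace(enabled_layers: set, fast_filter=None) -> list:
    """Return the sample packets a session with these settings would show."""
    return [p for p in SAMPLE if captured(p, enabled_layers, fast_filter)]

if __name__ == "__main__":
    print(trace(ALL_LAYERS, ("IPv4Address", "192.168.1.1")))   # the IPv6 packet still appears
    print(trace(V4_ONLY, ("IPv4Address", "192.168.1.1")))      # only the 192.168.1.1 packet
```

With all four layers enabled, the IPv4Address filter removes the unrelated 192.168.1.20 to 10.0.0.9 packet but leaves the IPv6 DNS packet in the trace; unchecking the two V6 layers is what removes it, exactly as the note recommends.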



More Information
To learn more about creating Fast Filter and adapter filter configurations in Local Network Interfaces scenarios, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
To learn more about how to select adapters and specify filters for a Live Trace Session that uses a Remote Network Interfaces Trace Scenario, see the Capturing Data Remotely and Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog topics.
To learn more about configuring system ETW Providers with event Keyword and Level filters, see System ETW Provider Configuration Settings.

© 2014 Microsoft