
Default Trace Scenarios

All Message Analyzer installations include a default set of Trace Scenarios that together provide you with a large range of tracing functionality, applicability, and usefulness. These scenarios can help you get started very quickly with capturing and processing live data. Moreover, you can click one of the default Trace Scenarios in the Quick Trace submenu, which is accessible from the File menu, to immediately launch a Live Trace Session and start capturing data. These Trace Scenarios are also maintained as an item collection Library that is accessible to the Message Analyzer Sharing Infrastructure, where you can synchronize with collection updates that are pushed out by a web service and download them as required from the Message Analyzer Start Page. The default Trace Scenarios utilize different combinations of providers to achieve specific results that are useful in common network, component, and device troubleshooting scenarios. These combinations can consist of any of the following types of ETW-instrumented message providers:

  • A single Microsoft-PEF provider.

  • A Microsoft-PEF provider and a combination of one or more Windows system ETW providers.

  • One or more Windows system ETW providers.

  • Other providers for various Windows components.

The default Trace Scenarios and the providers they utilize for capturing data are described in this section. Note that the Trace Scenarios that are available in the Select a trace scenario Library drop-down list in the New Session dialog are specific to the supported operating system you are running. For example, the Local Network Interfaces Trace Scenario in the Network category on computers running the Windows 7, Windows 8, or Windows Server 2012 operating system uses the Microsoft-PEF-NDIS-PacketCapture provider; while computers running later operating systems use the Microsoft-Windows-NDIS-PacketCapture provider in the Local Network Interfaces Trace Scenario. In Message Analyzer, when a Trace Scenario has an operating system dependency, it is specified as part of the scenario name in the Select a trace scenario Library drop-down list. In any case, the Select a trace scenario list in the New Session dialog will never contain any Trace Scenarios that do not apply to the supported operating system your computer is running. Lastly, there are differences in the way you can configure the Microsoft-Windows-NDIS-PacketCapture and Microsoft-PEF-NDIS-PacketCapture providers prior to running a trace, as follows:

  • Remote trace scenarios with the Microsoft-Windows-NDIS-PacketCapture provider — in remote scenarios that use this provider, you can specify the remote host adapters and/or virtual machine (VM) adapters from which to capture messages, the manner in which packets traverse the NDIS stack layers or Hyper-V-Switch extension layers on such remote adapters, respectively, and various unique filters such as Truncation, EtherTypes, and IP Protocol Numbers. You can configure these settings from the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture provider dialog, as described in Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

    Note  Although the Microsoft-Windows-NDIS-PacketCapture provider has remote capabilities, its ability to capture message data on local hosts is utilized in several other Message Analyzer Trace Scenarios, for example, when capturing data at the Link Layer in the Local Network Interfaces (Win 8.1 and later) scenario.

  • Local trace scenarios with the Microsoft-PEF-NDIS-PacketCapture provider — in local scenarios that use this provider, you can specify local adapters from which to capture messages, the direction in which to capture them, and you can create up to two logically-chained Fast Filter Groups that you can assign to any selected adapter. You can configure these settings from the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, as described in Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.

Whenever you select a scenario in the Select a trace scenario Library drop-down list on the Live Trace tab of the New Session dialog, the providers that are included in each scenario display in the ETW Providers list, along with their Ids (GUIDs). A short description of each Trace Scenario in the Library is also included below the scenario name, and when there are environment differences, the operating system that supports the scenario is specified. The default Trace Scenarios that are included with every Message Analyzer installation are described in the table that follows, along with a functional description and possible usage for each scenario.

Table 2. Message Analyzer default Trace Scenarios

Each entry below is one row of the table and gives, in order: the Trace Scenario name with its short Library description, the Provider Names the scenario uses, a Functional Description, and the Possible Usage Configurations for that scenario.


Network Category

Local Network Interfaces (Win 8 and earlier)
Capture local Link Layer traffic from NDIS. OS: Windows 7/Windows 8/Windows Server 2012.

Microsoft-PEF-NDIS-PacketCapture

Provides the capability to capture local traffic on the indicated operating systems at the Link Layer (wire level), which is the lowest available chokepoint in the network stack. Also enables you to configure Fast Filters that do the following:

  • Target specific packet data.

  • Reduce CPU processing and consumption of resources by passing less data.

  • Prevent higher disk I/O overhead.

  • Improve speed by avoiding filtering at the parsing engine level.

Note that packets captured at the Link Layer can be encrypted by a protocol such as IPsec, which obfuscates cleartext transmissions. Also, data obtained from the PEF-NDIS provider can be noisy, especially on a wireless connection, because it captures broadcast and other traffic below the Network layer.

You might use the Local Network Interfaces scenario if you want to:

  • Capture raw data on the wire, such as Ethernet frames.

  • Specify the configuration of adapters from which to capture data.

  • Specify light-weight Fast Filters that enable you to locate messages that contain specified offset length patterns (OLP) or messages intended for specified target addresses. You can logically chain up to 3 Fast Filters within two separate filter Groups which you can then apply to selected adapters.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.

Local Network Interfaces (Win 8.1 and later)
Capture local Link Layer traffic from NDIS. OS: Windows 8.1/Windows Server 2012 R2 and later.

Microsoft-Windows-NDIS-PacketCapture

Provides the capability to capture local traffic at the Link Layer on Windows 8.1 and Windows Server 2012 R2 computers. Also enables you to capture local VM traffic on Windows Server 2008 R2 and Windows Server 2012 computers.

Configuration features include special Filters that do the following:

  • Truncate packets to reduce bandwidth consumption.

  • Establish how packets traverse the NDIS filter stack.

  • Isolate Ethernet frames that contain IP packets such as IPv4 and IPv6.

  • Filter for and return only IP packets that have certain payloads, for example, TCP, UDP, or ICMP.

  • Filter traffic based on one or more specified MAC or IP addresses.

You might use the Local Network Interfaces scenario on a local computer running Windows 8.1 or Windows Server 2012 R2 if you want to:

  • Capture raw data on the wire, such as Ethernet frames.

  • View only the packet headers for a particular protocol, through truncation.

  • Monitor NDIS filter layers to determine whether packets are being dropped.

  • Specify the direction in which packets traverse the NDIS filter stack, to isolate inbound or outbound traffic.

  • Filter for packets that are intended for a particular address or that contain specific payload types.

Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration for local tracing.

Remote Network Interfaces
Remote capture on Link Layer. OS: target machines with Windows 8.1/Windows Server 2012 R2 and later.

Microsoft-Windows-NDIS-PacketCapture

Enables you to take advantage of the remote tracing capabilities of the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote Windows 8.1 or Windows Server 2012 R2 computer (or on the local host) at the Link Layer. With this provider, you can do the following:

  • Target specific remote hosts on which to capture traffic.

  • Specify the host adapters and/or VM adapters on which to capture data.

  • Create special packet and address filtering configurations.

You might use the Remote Network Interfaces scenario if you want to:

  • Capture raw Ethernet frames remotely.

  • Isolate traffic on a particular remote Windows 8.1 or Windows Server 2012 R2 host that you specify.

  • Isolate traffic on a specified host adapter or VM adapter on a remote Windows 8.1 or Windows Server 2012 R2 computer.

  • Specify packet traversal paths and filters for NDIS and Hyper-V-Switch stack layers, for example, when troubleshooting remotely dropped packets.

  • Perform special filtering that isolates message headers, messages that contain a particular type of payload, or messages intended for a particular physical or network address.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

Remote Network Interfaces with Drop Information
Remote capture on Link Layer including event data to indicate dropped messages. Truncation is set to 128 bytes. OS: target machines with Windows 8.1/Windows Server 2012 R2 and later.

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-WFP
Microsoft-Windows-NdisImPlatformEventProvider
Microsoft-Windows-TCPIP
Microsoft-Windows-Hyper-V-VmSwitch
Microsoft-Windows-Qos-Pacer
Microsoft-Windows-MsLbfoEventProvider
Microsoft-Windows-Winsock-AFD

Enables you to take advantage of the remote tracing capabilities of the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote Windows 8.1 or Windows Server 2012 R2 computer, in addition to also capturing dropped packet event information.

You might use the Remote Network Interfaces with Drop Information scenario if you want to:

  • Utilize the remote capabilities of the Microsoft-Windows-NDIS-PacketCapture provider, as previously described.

  • Log dropped packet events, the firewall rules that may have caused them to be dropped, and other drop event information.

Loopback and Unencrypted IPSEC
Captures above IPv4/IPv6 layer using the Windows Filtering Platform. Exposes loopback traffic in two directions and unencrypted IPSEC traffic. OS: Windows 7 and later.

Microsoft-PEF-WFP-MessageProvider

The WFP capture system does the following in this scenario:

  • Captures loopback traffic and unencrypted IPSec traffic.

  • Supports data capture at various points in the Windows kernel TCP/IP stack, such as the Network and Transport layers.

  • Logs structured packet data as ETW events for application protocol analysis and traffic monitoring.

  • Provides raw binary data.

  • Enables you to configure Fast Filters that focus the retrieval action of the PEF-WFP provider.

  • Enables you to log discarded packet events.

    Note  If you select the Select Discarded Packet Events check box on the Provider tab in the Advanced Settings – Microsoft-PEF-WFP-MessageProvider dialog, any Fast Filter or WFP Layer Set filter that you have also specified will not apply to packet events that are discarded.

You might use the Loopback and Unencrypted IPSEC scenario with the PEF-WFP-MessageProvider if you want to:

  • Focus on troubleshooting local application communication issues via loopback traffic, for example, between a SQL Server and a web server.

  • Focus on troubleshooting IP security issues by capturing and analyzing unencrypted IPSEC traffic.

  • Isolate traffic at the Transport and Network layers and minimize broadcast and other lower-layer noise.

  • Isolate inbound or outbound TCP/IP traffic for IPv4 and IPv6.

  • Specify light-weight port and address Fast Filters that enable you to select specific messages to capture.

  • Troubleshoot discarded packet issues.

Local Loopback Network
Capture loopback network traffic that references the loopback addresses of 127.0.0.1 and ::1. If the traffic uses one of the local IP addresses, the scenario should be updated to include that address. Display addresses with the IPConfig /all command.

Microsoft-PEF-WFP-MessageProvider

Passes only loopback traffic that uses the IPv4 and IPv6 loopback addresses. Will include loopback traffic that uses a local IP address if you specify a Fast Filter that contains that address.

The provider configuration for this scenario, which includes the use of the Advanced Settings – Microsoft-Pef-WFP-MessageProvider dialog, enables you to do the following:

  1. Focus on troubleshooting local application communication issues via loopback traffic, for example, between a SQL Server and a web server.

  2. Focus on inbound loopback traffic only for IPv4 and IPv6.

Network Tunnel Traffic and Unencrypted IPSEC
Capture network traffic in the VPN/DirectAccess tunnel by using the Firewall provider. Also capture unencrypted IPSEC traffic.

Microsoft-PEF-WFP-MessageProvider

In this scenario, the PEF-WFP-MessageProvider captures VPN, Direct Access, and IPSEC traffic. You can also use this scenario to remove loopback traffic. However, you must manually specify Fast Filters for IPv4 and IPv6 to remove the loopback traffic, for example, specify !127.0.0.1 for the IPv4 filter and !::1 for the IPv6 filter.

You can also realize improved performance in this scenario because it excludes traffic from the Ethernet layer.

The provider configuration for this scenario, which includes the use of the Advanced Settings – Microsoft-Pef-WFP-MessageProvider dialog, enables you to do the following:

  1. Focus on troubleshooting network tunnel traffic.

  2. Focus on troubleshooting IP security issues by capturing unencrypted IPSEC traffic.

  3. Isolate traffic at the Transport layer and above, and minimize broadcast and other lower-layer noise.

  4. Isolate inbound or outbound TCP/IP traffic for IPv4 and IPv6.

  5. Specify light-weight port and address Fast Filters that enable you to select specific messages to capture.

Unencrypted HTTPS
Capture HTTPS client-side unencrypted traffic by using the Pef-Web Proxy-Fiddler provider.

Microsoft-PEF-WebProxy

Provides the ability to capture application layer/HTTP client-side browser traffic. The Web Proxy Trace Scenario does not capture data from lower layers, such as the Transport layer or below. As a result, you may not capture all HTTP traffic of interest unless you also run a Loopback and Unencrypted IPSEC or Local Network Interfaces trace.

Note that the PEF-WebProxy provider will not capture traffic to and from a web browser unless you configure Internet options to use a proxy server for the LAN.

Important  To use the Pef-Web Proxy-Fiddler provider, you must have the Fiddler library from Telerik installed. If you have not already installed this library, you can download it here. For more information, see PEF-WebProxy Provider.

You might use the Unencrypted HTTPS scenario if you want to:

  • Capture all HTTP traffic to and from a web browser in unencrypted format.

  • Troubleshoot Web server and client performance issues.

  • Filter HTTP traffic based on a hostname URL or a particular port number, such as 80 or 443.

  • View various sets of HTTP statistics, such as the number of requests and responses, reason phrases, status codes, IDs, host URIs, ports, query strings, server response times, and so on.

  • View header fields to verify whether client caching is functioning.

Wired Local Area Network (Win 8 and earlier)
Troubleshoot LAN issues on Windows 7/Windows 8/Windows Server 2012. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=LAN” command.

Microsoft-PEF-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-Wired-Autoconfig
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS

Note  Before running this scenario, uncheck the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, since the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions.

Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection.

You might use the Wired Local Area Network (Win 8 and earlier) scenario if you want to:

  • Troubleshoot connection issues related to network adapter configuration and VPNs.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8 and earlier) scenario.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
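The scenario entries list provider names only, while the New Session dialog resolves them to GUIDs and, for this scenario, expects you to deselect Microsoft-Windows-NDIS by hand. The following PowerShell is an added example, not part of the Message Analyzer documentation or product: it checks a scenario's provider list against the ETW providers registered on the local host (parsing `logman query providers` output, whose layout is assumed), resolves their GUIDs, flags the PEF-NDIS/Windows-NDIS overlap from the note above, and prints the provider set of the `netsh trace` LAN scenario that the table compares this scenario to.

```powershell
# Added example; not from the Message Analyzer docs. Run in an elevated PowerShell.

function Get-RegisteredEtwProvider {
    # logman prints one "<name>   {<guid>}" line per registered provider.
    # The layout is an assumption; lines that do not match are ignored.
    $table = @{}
    foreach ($line in (logman query providers)) {
        if ($line -match '^(?<name>\S.*?)\s+\{(?<guid>[0-9A-Fa-f-]{36})\}\s*$') {
            $table[$Matches.name] = $Matches.guid
        }
    }
    return $table
}

function Test-TraceScenarioProviders {
    param(
        [Parameter(Mandatory)][string]$ScenarioName,
        [Parameter(Mandatory)][string[]]$Providers
    )
    $registered = Get-RegisteredEtwProvider

    # One row per provider: is it registered on this OS, and under which GUID?
    # A provider that is not registered cannot be enabled by a Live Trace Session here,
    # which is why Message Analyzer only offers OS-appropriate scenarios.
    $rows = foreach ($p in $Providers) {
        [pscustomobject]@{
            Scenario   = $ScenarioName
            Provider   = $p
            Registered = $registered.ContainsKey($p)
            Guid       = if ($registered.ContainsKey($p)) { $registered[$p] } else { $null }
        }
    }

    # Table 2's note: Microsoft-PEF-NDIS-PacketCapture duplicates Microsoft-Windows-NDIS,
    # so the latter should be deselected in the ETW Providers list before tracing.
    if (($Providers -contains 'Microsoft-PEF-NDIS-PacketCapture') -and
        ($Providers -contains 'Microsoft-Windows-NDIS')) {
        Write-Warning ("{0}: lists both Microsoft-PEF-NDIS-PacketCapture and " +
                       "Microsoft-Windows-NDIS; deselect Microsoft-Windows-NDIS before tracing.") -f $ScenarioName
    }
    return $rows
}

# Provider list exactly as Table 2 gives it for Wired Local Area Network (Win 8 and earlier).
$wiredLanWin8 = @(
    'Microsoft-PEF-NDIS-PacketCapture',
    'Microsoft-Windows-L2NACP',
    'Microsoft-Windows-Wired-Autoconfig',
    'Microsoft-Windows-EapHost',
    'Microsoft-Windows-OneX',
    'Microsoft-Windows-NDIS'
)

Test-TraceScenarioProviders -ScenarioName 'Wired Local Area Network (Win 8 and earlier)' `
                            -Providers $wiredLanWin8 | Format-Table -AutoSize

# The table says this scenario is similar to "netsh trace start scenario=LAN";
# netsh can show which providers its own LAN scenario enables, for comparison.
netsh trace show scenario name=LAN
```

Any provider reported as not registered is one the New Session dialog would not be able to enable on this host, which is the practical meaning of the operating-system dependency described at the top of this topic.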

Wired Local Area Network (Win 8.1 and later)
Troubleshoot LAN issues for Windows 8.1/Windows Server 2012 R2 and later. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=LAN” command.

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-Wired-Autoconfig
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS

Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection on Windows 8.1 or Windows Server 2012 R2 computers.

You might use the Wired Local Area Network (Win 8.1 and later) scenario if you want to:

  • Troubleshoot connection issues related to network adapter configuration and VPNs on a Windows 8.1 or Windows Server 2012 R2 computer.

  • Utilize the configuration capabilities and settings that are described in the Local Network Interfaces (Win 8.1 and later) scenario.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing.

Wireless Local Area Network (Win 8 and earlier)
Troubleshoot LAN issues for Windows 7/Windows 8/Windows Server 2012. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=WLAN” command.

Microsoft-PEF-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS
Microsoft-Windows-WLAN-Autoconfig
Microsoft-Windows-NWifi
Microsoft-Windows-VWifi

Note  Before running this scenario, deselect the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, since the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions.

Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection.

You might use the Wireless Local Area Network (Win 8 and earlier) scenario if you want to:

  • Troubleshoot connection issues related to wireless network adapter configuration.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8 and earlier) scenario.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.

Wireless Local Area Network (Win 8.1 and later)
Troubleshoot LAN issues on Windows 8.1/Windows Server 2012 R2 and later. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=WLAN” command.

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-L2NACP
Microsoft-Windows-EapHost
Microsoft-Windows-OneX
Microsoft-Windows-NDIS
Microsoft-Windows-WLAN-Autoconfig
Microsoft-Windows-NWifi
Microsoft-Windows-VWifi

Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection on Windows 8.1 or Windows Server 2012 R2 computers.

You might use the Wireless Local Area Network (Win 8.1 and later) scenario if you want to:

  • Troubleshoot connection issues related to wireless network adapter configuration.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8.1 and later) scenario.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing.

VPN
Troubleshoot VPN related issues. OS: Windows 8.1/Windows Server 2012 R2 and later.

Microsoft-Windows-NDIS-PacketCapture
Microsoft-Windows-Ras-NdisWanPacketCapture
Microsoft-Windows-NDIS
Microsoft-Windows-IPSEC-SRV
Microsoft-Windows-WFP
Microsoft-Windows-TCPIP

Contains the Microsoft-Windows-NDIS-PacketCapture provider and other Windows system ETW providers that capture all Virtual Private Network (VPN) traffic on Windows 8.1 or Windows Server 2012 R2 computers.

You might use the VPN scenario if you want to:

  • Troubleshoot VPN issues by capturing Ethernet frames.

  • Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8.1 and later) scenario.

    Note  To learn how to configure such settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing.


Device Category

USB2
Troubleshoot USB 2 issues. OS: Windows 7/Windows Server 2008 and later.

Microsoft-Windows-USB-USBPORT
Microsoft-Windows-USB-USBHUB

Consists of two Windows providers that capture events related to USB2 devices.

You might use the USB2 scenario to troubleshoot any device that is plugged into a USB2 port.

USB3
USB tracing for USB 3 host controllers (USB 2 or USB 3 devices). OS: Windows 8/Windows Server 2012 and later.

Microsoft-Windows-USB-USBXHCI
Microsoft-Windows-USB-UCX
Microsoft-Windows-USB-USBHUB3

Contains three Windows providers that capture events related to USB3 devices.

You might use the USB3 scenario to troubleshoot any device that is plugged into a USB3 port.

Bluetooth (Win 8 and later)
Troubleshoot Bluetooth issues.

Microsoft-Windows-BTH-BTHUSB
Microsoft-Windows-Bluetooth-BthLEEnum
Microsoft-Windows-BTH-BTHPORT
Microsoft-Windows-Bluetooth-HidBthLE
Microsoft-Windows-Bluetooth-Bthmini

Contains five Windows providers that capture events related to Bluetooth devices.

You might use the Bluetooth scenario to troubleshoot a Bluetooth connection, pairing, and other issues, such as data display.


System Category

RPC
Troubleshoot issues related to RPC framework.

Microsoft-Windows-RPC

Contains a single Windows provider that captures events from the remote procedure call (RPC) framework, including errors and other information (see the Keyword configuration for this provider).

You might use the RPC scenario to troubleshoot distributed programs that use RPC.


Windows 8 File Sharing Category

SMB2 Client Full Payloads
Capture SMB2 client provider traffic with the payload; exposes data being transferred in Reads and Writes. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8/Windows Server 2012 or later.

Microsoft-Windows-SMBClient

Contains a single Windows provider that is extended for SMB client events.

You might use the SMB2 Client Full Payloads scenario to support tracing with SMB filtering so that you can see encrypted data from the SMB client. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider.

Tip  The ETW Core configuration tab of the Advanced Settings dialog for all SMB providers in the Windows 8 File Sharing category exposes Keyword settings for additional filtering capabilities.

SMB2 Client Header Only
Capture SMB2 client provider traffic without the payload; increases performance by capturing less data. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8/Windows Server 2012 or later.

Microsoft-Windows-SMBClient

Contains a single Windows provider that is extended for SMB client events.

You might use the SMB2 Client Header Only scenario to support tracing with SMB filtering so that you can retrieve only the headers from packets sent by the SMB client. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements.

SMB2 Server Full Payloads
Capture SMB2 server provider traffic with the payload; exposes data being transferred in Reads and Writes. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8/Windows Server 2012 or later.

Microsoft-Windows-SMBServer

Contains a single Windows provider that is extended for SMB server events.

You might use the SMB2 Server Full Payloads scenario to support tracing with SMB filtering so that you can see encrypted data from the SMB server. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider.

SMB2 Server Header Only
Capture SMB2 server provider traffic without the payload; increases performance by capturing less data. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8/Windows Server 2012 or later.

Microsoft-Windows-SMBServer

Contains a single Windows provider that is extended for SMB server events.

You might use the SMB2 Server Header Only scenario to support tracing with SMB filtering so that you can retrieve only the headers from packets sent by the SMB server. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements.

SMB2 Client And Firewall
Capture SMB2 client provider traffic with headers only, combined with the Microsoft-PEF-WFP-MessageProvider. Associate network traffic with SMB2 client traffic. OS: Windows 8/Windows Server 2012 or later.

Microsoft-Windows-SMBClient
Microsoft-PEF-WFP-MessageProvider

Provides full SMB information in addition to data from the Transport layer with the Microsoft-PEF-WFP-MessageProvider.

You might use the SMB2 Client And Firewall scenario to support SMB2 client and firewall-level tracing.


More Information
To learn more about PEF provider capabilities, including capturing data with the network driver interface specification (NDIS) driver, see PEF Providers.
To learn more about configuring provider settings, see Creating and Modifying a Live Trace Session.
To learn more about provider manifests, see Obtaining Provider Manifests.
To learn more about managing the Trace Scenarios item collection, see Managing Trace Scenarios.

© 2014 Microsoft