Built-In Trace Scenarios
All Message Analyzer installations include a built-in set of predefined Trace Scenarios that together provide you with a large range of tracing functionality, applicability, and usefulness. These scenarios can help you get started very quickly with capturing and processing live data. For example, you can simply select a built-in Trace Scenario and then start your Live Trace Session with no additional configuration required. However, the quickest way to start a Live Trace Session is to click the Start Local Trace button on the Start Page to immediately begin capturing network messages on your local computer at the Data Link Layer and above by using the Local Network Interfaces scenario. Other quick start methods that you can use to immediately launch a Live Trace Session and start capturing live data consist of the following:
Click one of the built-in Trace Scenarios in the Favorite Scenarios submenu, which is accessible from the Message Analyzer File menu.
Click one of the built-in Trace Scenarios in the Favorite Scenarios list, which is accessible from the Message Analyzer Start Page.
Trace Scenarios Library
Message Analyzer maintains all items of the Message Analyzer Trace Scenarios asset collection in a Library that is accessible to the Message Analyzer Sharing Infrastructure, where you can auto-synchronize with collection updates that are pushed out by a Microsoft web service or manually download them as required with the use of the Asset Manager, which is accessible from the global Message Analyzer Tools menu. The built-in Trace Scenarios utilize different combinations of providers to achieve specific results that are useful in common network, component, and device troubleshooting scenarios. You also have the option to specify your own provider combinations, by adding more providers to a built-in Trace Scenario or by specifying chosen system ETW Providers for a custom Trace Scenario that you create.
Some examples of how you might customize ETW-instrumented message provider combinations consist of using the following:
A single PEF provider, such as the Microsoft-PEF-NDIS-PacketCapture provider or the Microsoft-PEF-WFP-MessageProvider in a standalone configuration.
The Microsoft-Windows-NDIS-PacketCapture provider in a standalone configuration.
A PEF provider and a combination of one or more Windows system ETW providers.
The Microsoft-Windows-NDIS-PacketCapture provider and a combination of one or more Windows system ETW providers.
One or more Windows system ETW providers.
Operating System Dependencies
The built-in Trace Scenarios and the providers they utilize for capturing data are described in this section. Note that the Trace Scenarios that are available in the Select Scenario drop-down list in the New Session dialog are specific to the supported operating system you are running. For example, the Local Network Interfaces Trace Scenario in the Network category on computers running the Windows 7, Windows 8, or Windows Server 2012 operating system, uses the Microsoft-PEF-NDIS-PacketCapture provider; while computers running the Windows 8.1, Windows Server 2012 R2, Windows 10, or later operating system use the Microsoft-Windows-NDIS-PacketCapture provider in the Local Network Interfaces Trace Scenario. In Message Analyzer, when a Trace Scenario has an operating system dependency, it is specified as part of the scenario name in the Select Scenario drop-down list or it is included in the scenario description. In any case, the Select Scenario drop-down list in the New Session dialog will never contain any Trace Scenarios that do not apply to the supported operating system your computer is running.
Whenever you select a scenario in the Select Scenario drop-down list on the Live Trace tab of the New Session dialog, the providers that are included in each scenario display in the ETW Providers list, along with their Ids or globally unique identifiers (GUIDs). A short description of each Trace Scenario in this user Library is also included below the scenario name, and when there are environment differences, the operating system that supports the scenario is typically specified.
Configuring Remote vs Local Traces
There are differences in the way you can configure the Microsoft-Windows-NDIS-PacketCapture and Microsoft-PEF-NDIS-PacketCapture providers prior to running a trace, as follows:
Remote trace scenarios with the Microsoft-Windows-NDIS-PacketCapture provider — in remote scenarios that use this provider, you can specify the remote host adapters and/or virtual machine (VM) adapters from which to capture messages, the manner in which packets traverse the NDIS stack layers or Hyper-V-Switch extension layers on such remote adapters, respectively, and various unique filters such as Truncation, EtherTypes, and IP Protocol Numbers. You can configure these settings from the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture provider dialog, as described in Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.
Note
Although the Microsoft-Windows-NDIS-PacketCapture provider has remote capabilities, its ability to capture message data on local hosts is utilized in several other Message Analyzer Trace Scenarios, for example, when capturing messages at the Data Link Layer in the Local Network Interfaces (Win 8.1 and later) scenario.
Local trace scenarios with the Microsoft-PEF-NDIS-PacketCapture provider — in local scenarios that use this provider, you can specify local adapters from which to capture messages, the direction in which to capture them, and you can create up to two logically-chained Fast Filter Groups that you can assign to any selected adapter. You can configure these settings from the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, as described in Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
Note
In Message Analyzer v1.3 and later, the Microsoft-PEF-WFP-MessageProvider has the capability to capture messages from remote computers that are running the Windows 10 operating system. You can capture this data in any Trace Scenario that uses this provider by starting your Live Trace Session with this scenario from any computer that is running the Windows 8.1, Windows Server R2, Windows 10, or later operating system.
Built-In Trace Scenario Descriptions
The built-in Message Analyzer Trace Scenarios asset collection items that are included with every Message Analyzer installation are described in the table that follows, along with a functional description and possible usage for each scenario.
Table 4. Message Analyzer Built-In Trace Scenarios
| Trace Scenario | Provider Names | Functional Description | Possible Usage Configurations |
|---|---|---|---|
| Network Category | |||
| Local Network Interfaces (Win 8 and earlier) Capture local Link Layer traffic from NDIS. OS: Windows 7, Windows 8, and Windows Server 2012. |
Microsoft-PEF-NDIS-PacketCapture | Provides the capability to capture local traffic on the indicated operating systems at the Data Link Layer (wire level), which is the lowest available chokepoint in the network stack. Also enables you to configure Fast Filters that do the following: - Target specific packet data. - Reduce CPU processing and consumption of resources by passing less data. - Prevent higher disk I/O overhead. - Improve speed by avoiding filtering at the parsing engine level. Note that packets captured at the Data Link Layer can be encrypted by a protocol such as IPsec, which obfuscates cleartext transmissions. Also, data obtained from the Microsoft-PEF-NDIS-PacketCapture provider can be noisy, especially on a wireless connection, because it captures broadcast and other traffic below the Network layer. |
You might use the Local Network Interfaces scenario if you want to: - Capture raw data on the wire, such as Ethernet frames. - Specify the configuration of adapters from which to capture data. - Specify light-weight Fast Filters that enable you to locate messages that contain specified offset length patterns (OLP) or messages intended for specified target addresses. You can logically chain up to 3 Fast Filters within two separate filter Groups which you can then apply to selected adapters. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog. |
| Local Network Interfaces (Win 8.1 and later) Capture local Link Layer traffic from NDIS. OS: Windows 8.1, Windows Server 2012 R2, and Windows 10. |
Microsoft-Windows-NDIS-PacketCapture | Provides the capability to capture local traffic at the Data Link Layer on computers running the Windows 8.1, Windows Server 2012 R2, Windows 10, and later operating systems. Also enables you to capture local VM traffic on Windows Server 2008 R2 and Windows Server 2012 computers. Configuration features include special Filters that do the following: - Truncate packets to reduce bandwidth consumption. - Establish how packets traverse the NDIS filter stack. - Isolate Ethernet frames that contain IP packets such as IPv4 and IPv6. - Filter for and return only IP packets that have certain payloads, for example, TCP, UDP, or ICMP. - Filter traffic based on one or more specified MAC or IP addresses. |
You might use the Local Network Interfaces scenario on a local computer running the Windows 8.1, Windows Server 2012 R2, Windows 10, or later operating system if you want to: - Capture raw data on the wire, such as Ethernet frames. - View only the packet headers for a particular protocol, through truncation. - Monitor NDIS filter layers to determine whether packets are being dropped. - Specify the direction in which packets traverse the NDIS filter layers, to isolate inbound or outbound traffic. - Filter for packets that are intended for a particular address or that contain specific payload types. Tip: You can use the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic from not only local computers but remote computers as well. See Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for more information. |
| Loopback and Unencrypted IPSEC Captures above IPv4/IPv6 layer using the Windows Filtering Platform. Exposes loopback traffic in two directions and unencrypted IPSEC traffic. OS: Windows 7 and later. |
Microsoft-PEF-WFP-MessageProvider | The WFP capture system does the following in this scenario: - Captures loopback traffic and unencrypted IPsec traffic. - Supports data capture at various points in the Windows kernel TCP/IP stack, for example, above the IP/Network layer. - Logs structured packet data as ETW events for application protocol analysis and traffic monitoring. - Provides raw binary data. - Enables you to configure Fast Filters that focus the retrieval action of the Microsoft-PEF-WFP-MessageProvider. - Enables you to log discarded packet events. Note: If you select the Select Discarded Packet Events check box on the Provider tab in the Advanced Settings – Microsoft-PEF-WFP-MessageProvider dialog, any Fast Filter or WFP Layer Set filter that you have also specified will not apply to packet events that are discarded. |
You might use the Loopback and Unencrypted IPSEC scenario with the Microsoft-PEF-WFP-MessageProvider if you want to: - Focus on troubleshooting local application communication issues via loopback traffic, for example, between a SQL Server and a web server. - Focus on troubleshooting IP security issues by capturing and analyzing unencrypted IPSec traffic. - Isolate traffic above the IP/Network layer and minimize broadcast and other lower-layer noise. - Isolate inbound or outbound TCP/IP traffic for IPv4 and IPv6. - Specify light-weight port and address Fast Filters that enable you to select specific messages to capture. - Troubleshoot discarded packet issues. - Target a computer running the Windows 10 operating system for remote capture in a Message Analyzer v1.3 or later installation, from a computer that is running the Windows 8.1, Windows Server R2, or Windows 10 operating system. Tip: You can also use the New-PefTargetHost PowerShell cmdlet to capture traffic on a remote Windows 10 computer with the Microsoft-PEF-WFP-MessageProvider. For more information, see Automating Tracing Functions with PowerShell. |
| Pre-Encryption for HTTPS Capture HTTPS client-side unencrypted traffic by using the Web Proxy-Fiddler provider. |
Microsoft-PEF-WebProxy | Provides the ability to capture Application Layer/HTTP client-side browser traffic prior to encryption. The Pre-Encryption for HTTPS Trace Scenario does not capture data from lower layers, such as the Transport layer or below. As a result, you may not capture all HTTP traffic of interest unless you run a Loopback and Unencrypted IPSEC or Local Network Interfaces trace. Note that the Microsoft-Pef-WebProxy provider will not capture traffic to and from a web browser unless you configure Internet options to use a proxy server for the LAN. Important: To use the Microsoft-Pef-WebProxy provider, you must have the Fiddler library from Telerik installed. If you have not already installed this library, you can download it here. For more information, see Microsoft-PEF-WebProxy Provider. |
You might use the Pre-Encryption for HTTPS scenario if you need to: - Capture all HTTP traffic to and from a web browser in unencrypted format. - Troubleshoot Web server and client performance issues. - Filter HTTP traffic based on a hostname URL or a particular port number, such as 80 or 443. - View various sets of HTTP statistics, such as the number of requests and responses, reason phrases, status codes, IDs, host URIs, ports, query strings, server response times, and so on. - Specify a security certificate to capture HTTPS traffic on a particular site where it is necessary for Fiddler to provide such a certificate. - Configure Fiddler to reuse client and/or server connections for performance improvements. |
| Local Loopback Network Capture loopback network traffic that references the loopback addresses of 127.0.0.1 and ::1. If the traffic uses one of the local IP addresses, the scenario should be updated to include that address. Display addresses with the IPConfig /all command. |
Microsoft-PEF-WFP-MessageProvider | Passes only loopback traffic that uses the IPv4 and IPv6 loopback addresses. Will also include loopback traffic that uses a local IP address if you specify a Fast Filter that contains that address. | The provider configuration for this scenario, which includes the use of the Advanced Settings – Microsoft-Pef-WFP-MessageProvider dialog, enables you to do the following: - Focus on troubleshooting local application communication issues via loopback traffic, for example, between a SQL Server and a web server. - Focus on inbound loopback traffic only for IPv4 and IPv6. |
| Network Tunnel Traffic and Unencrypted IPSEC Capture network traffic in the VPN/DirectAccess tunnel by using the Microsoft-PEF-WFP-MessageProvider. Also capture unencrypted IPSEC traffic. |
Microsoft-PEF-WFP-MessageProvider | In this scenario, the Microsoft-PEF-WFP-MessageProvider captures VPN, Direct Access, and IPSEC traffic. You can also use this scenario to remove loopback traffic. However, you must manually specify Fast Filters for IPv4 and IPv6 to remove the loopback traffic, for example, specify !127.0.0.1 for the IPv4 filter and !::1 for the IPv6 filter.You can also realize improved performance in this scenario because it excludes traffic from the Network Layer and below. |
The provider configuration for this scenario, which includes the use of the Advanced Settings – Microsoft-Pef-WFP-MessageProvider dialog, enables you to do the following: - Focus on troubleshooting network tunnel traffic. - Focus on troubleshooting IP security issues by capturing unencrypted IPSEC traffic. - Isolate traffic above the IP/Network layer, and minimize broadcast and other lower-layer noise. - Isolate inbound or outbound TCP/IP traffic for IPv4 and IPv6. - Specify light-weight port and address Fast Filters that enable you to select specific messages to capture. - Target a computer running the Windows 10 operating system for remote capture in a Message Analyzer v1.3 or later installation, from a computer that is running the Windows 8.1, Windows Server R2, or Windows 10 operating system. |
| Pre-Encrypted HTTPS Direct Captures HTTP directly from the Microsoft-Windows-WinInet provider for enhanced HTTPS troubleshooting. OS: Windows 10 and later. |
Microsoft-Windows-WinInet-Capture | To capture HTTPS traffic with this scenario, you must be running Message Analyzer with elevated (Administrative) privileges. Use as an alternative to the Microsoft-PEF-WebProxy/Fiddler provider in the Pre-Encryption for HTTPS scenario, to allow better interoperability with web servers that require security certificates. This is because the Microsoft-Windows-WinInet provider captures HTTPS request and response messages as events, at a place where encrypted packets are already decoded. The WinInet provider enables you to filter for events based on Keyword and Level configurations only, as specified in the Advanced Settings – Microsoft-Windows-WinInet dialog for this provider. |
The provider configuration for this scenario, which includes use of the Advanced Settings – Microsoft-Windows-WinInet dialog, enables you to do the following: - Capture data live with Message Analyzer in the Pre-Encrypted HTTPS Direct scenario, or use Windows in-box tools such as NetSh or Logman to capture HTTPS messages unencrypted and generate an ETL file that you can load and parse with Message Analyzer. Note: The Microsoft-Windows-WinInet provider is included with every installation of the Windows 10 operating system. - Better accommodate some web server configurations that are less friendly to the Windows-PEF-WebProxy/Fiddler provider in the Pre-Encryption for HTTPS scenario. - Capture HTTPS traffic directly with computers that restrict Fiddler installations. Specify provider Level and/or Keyword filter settings, such as: - Event packets that contain Critical, Error, Warning, Information, or Verbose error details, as described in System ETW Provider Event Keyword/Level Settings. - WININET_KEYWORD_SEND — enables you to filter for outbound event packets. - WININET_KEYWORD_RECEIVE — enables you to filter for inbound event packets. - WININET_KEYWORD_PII_PRESENT — enables you to filter for event packets that possibly contain private information. - WININET_KEYWORD_PACKET — not used in this scenario. - Microsoft-Windows-WinInet-Capture/Analytic — not used in this scenario. |
| Remote Network Interfaces Remote capture on Link Layer. OS: target machines with Windows 8.1, Windows Server 2012 R2, and Windows 10. |
Microsoft-Windows-NDIS-PacketCapture | Enables you to take advantage of the remote tracing capabilities of the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote computer running the Windows 8.1, Windows Server 2012 R2, Windows 10, or later operating system at the Data Link Layer. With this provider, you can do the following: - Target specific remote hosts on which to capture traffic. - Specify the remote host adapters and/or VM adapters on which to capture data. - Create special packet and address filtering configurations. |
You might use the Remote Network Interfaces scenario if you want to: - Capture raw Ethernet frames remotely. - Isolate traffic on a particular remote Windows 8.1, Windows Server 2012 R2, or Windows 10 host that you specify. - Isolate traffic on a specified host adapter or VM adapter on a remote Windows 8.1, Windows Server 2012 R2, or Windows 10 computer. Important: If you want to capture traffic from a specific remote VM, you will need to select the VM in the tree grid section of the Advanced Settings dialog and then specify a filter based on the VM MAC Address to isolate the data. Otherwise, you may capture Hyper-V-Switch traffic that is destined for all VMs that are serviced by the switch, given that a Hyper-V-Switch driver cannot of itself distinguish between VMs. - Specify packet traversal paths and filters for NDIS stack and Hyper-V-Switch extension layers, for example, when troubleshooting remotely dropped packets. - Perform special filtering that isolates message headers, messages that contain a particular type of payload, or messages intended for a particular physical or network address. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog. Tip: You can capture remote traffic with the Microsoft-Windows-NDIS-PacketCapture provider in promiscuous mode. For further details, see Configuring a Remote Capture. |
| Remote Network Interfaces with Drop Information Remote capture on Link Layer including event data to indicate dropped messages. Truncation is set to 128 bytes. OS: target machines with Windows 8.1, Windows Server 2012 R2, and Windows 10. |
Microsoft-Windows-NDIS-PacketCapture Microsoft-Windows-WFP Microsoft-Windows-NdislmPlatformEventProvider Microsoft-Windows-TCPIP Microsoft-Windows-Hyper-V-VmSwitch Microsoft-Windows-Qos-Pacer Microsoft-Windows-MsLbfoEventProvider Microsoft-Windows-Winsock-AFD |
Enables you to take advantage of the remote tracing capabilities of the Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote computer running the Windows 8.1, Windows Server 2012 R2, Windows 10, or later operating system, in addition to also capturing dropped packet event information. | You might use the Remote Network Interfaces with Drop Information scenario if you want to: - Utilize the remote capabilities of the Microsoft-Windows-NDIS-PacketCapture provider, as previously described. - Log dropped packet events, the firewall rules that may have caused them to be dropped, and other drop event information. |
| SASL LDAP pre-encryption Capture LDAP events that are already decoded. OS: target machines with Windows 7 or later. |
Microsoft-Windows-LDAP-Client | Capture pre-encrypted LDAP frames and other information by using the LDAP client provider. | You can use the SASL LDAP pre-encryption scenario if you want to troubleshoot LDAP traffic to and from the Active Directory service. The configuration of this provider includes numerous preset event Keyword bitmask filters that will return events such as the following, if they are triggered during LDAP operations: - Search - Write - SSL - Bind - Serverdown - Connect - Bytes_received - Bytes_sent To review the full event configuration, click the ellipsis control (...) to the right of the Keywords (Any) text box to open the ETW Keyword Filter Property dialog with the auto-configured Keyword selection displayed. More Information To learn more about configuring event Keyword settings, see System ETW Provider Event Keyword/Level Settings. |
| VPN Troubleshoot VPN related issues. OS: Windows 8.1, Windows Server 2012 R2, and Windows 10. |
Microsoft-Windows-NDIS-PacketCapture Microsoft-Windows-Ras-NdisWanPacketCapture Microsoft-Windows-NDIS Microsoft-Windows-IPSEC-SRV Microsoft-Windows-WFP Microsoft-Windows-TCPIP Note: Before running this scenario, deselect the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, since the Microsoft-Windows-NDIS-PacketCapture provider duplicates its functions. |
Contains the Windows-NDIS-PacketCapture provider and other Windows system ETW providers that capture all Virtual Private Network (VPN) traffic on Windows 8.1, Windows Server 2012 R2, and Windows 10 computers. | You might use the VPN scenario if you want to: - Troubleshoot VPN issues by capturing Ethernet frames. - Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8.1 and later) scenario. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing. |
| Wired Local Area Network (Win 8 and earlier) Troubleshoot LAN issues on Windows 7, Windows 8, and Windows Server 2012. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=LAN” command. |
Microsoft-PEF-NDIS-PacketCapture Microsoft-Windows-L2NACP Microsoft-Windows-Wired-Autoconfig Microsoft-Windows-EapHost Microsoft-Windows-OneX Microsoft-Windows-NDIS Note: Before running this scenario, you can uncheck the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, given that the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions. |
Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection. | You might use the Wired Local Area Network (Win 8 and earlier) scenario if you want to: - Troubleshoot connection issues related to network adapter configuration and VPNs. - Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8 and earlier) scenario. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog. |
| Wired Local Area Network (Win 8.1 and later) Troubleshoot LAN issues for Windows 8.1, Windows Server 2012 R2, and Windows 10. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=LAN” command. |
Microsoft-Windows-NDIS-PacketCapture Microsoft-Windows-L2NACP Microsoft-Windows-Wired-Autoconfig Microsoft-Windows-EapHost Microsoft-Windows-OneX Microsoft-Windows-NDIS. Note: You can uncheck this provider in the ETW Providers list, given that the Microsoft-Windows-NDIS-PacketCapture provider has sufficient functionality for this scenario. |
Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the local/physical network connection on Windows 8.1, Windows Server 2012 R2, and Windows 10 computers. | You might use the Wired Local Area Network (Win 8.1 and later) scenario if you want to: - Troubleshoot connection issues related to network adapter configuration and VPNs on a Windows 8.1, Windows Server 2012 R2, or Windows 10 computer. - Utilize the configuration capabilities and settings that are described in the Local Network Interfaces (Win 8.1 and later) scenario. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing. |
| Wireless Local Area Network (Win 8 and earlier) Troubleshoot LAN issues for Windows 7, Windows 8, and Windows Server 2012. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=WLAN” command. |
Microsoft-PEF-NDIS-PacketCapture Microsoft-Windows-L2NACP Microsoft-Windows-EapHost Microsoft-Windows-OneX Microsoft-Windows-NDIS Microsoft-Windows-WLAN-Autoconfig Microsoft-Windows-NWifi Microsoft-Windows-VWifi Note: Before running this scenario, deselect the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, since the Microsoft-PEF-NDIS-PacketCapture provider duplicates its functions. |
Includes the Microsoft-PEF-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection. | You might use the Wireless Local Area Network (Win 8 and earlier) scenario if you want to: - Troubleshoot connection issues related to wireless network adapter configuration. - Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8 and earlier) scenario. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog. |
| Wireless Local Area Network (Win 8.1 and later) Troubleshoot LAN issues on Windows 8.1, Windows Server 2012 R2, and Windows 10. Capture interface and component traffic to expose deep OS behavior. Similar to the “netsh trace start scenario=WLAN” command. |
Microsoft-Windows-NDIS-PacketCapture Microsoft-Windows-L2NACP Microsoft-Windows-EapHost Microsoft-Windows-OneX Microsoft-Windows-NDIS Microsoft-Windows-WLAN-Autoconfig Microsoft-Windows-NWifi Microsoft-Windows-VWifi Note: Before running this scenario, deselect the Microsoft-Windows-NDIS provider in the ETW Providers list on the Live Trace tab of the New Session dialog, since the Microsoft-Windows-NDIS-PacketCapture provider duplicates its functions. |
Includes the Microsoft-Windows-NDIS-PacketCapture provider and other system ETW providers that write events related to the wireless local area network connection on Windows 8.1 or Windows Server 2012 R2 computers. | You might use the Wireless Local Area Network (Win 8.1 and later) scenario if you want to: - Troubleshoot connection issues related to wireless network adapter configuration. - Utilize the configuration capabilities and settings that are described earlier in the Local Network Interfaces (Win 8.1 and later) scenario. More Information To learn more about configuring these settings, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog for the portions of this topic that apply to NDIS configuration and local tracing. |
| Device Category | |||
| Bluetooth (Win 8 and later) Troubleshoot Bluetooth issues. |
Microsoft-Windows-BTH-BTHUSB | Contains Windows ETW providers that capture events related to Bluetooth devices. | You might use the Bluetooth scenario to troubleshoot a Bluetooth connection, pairing, and other issues, such as data display. |
| USB2 Troubleshoot USB 2 issues. OS: Any supported. |
Microsoft-Windows-USB-USBPORT Microsoft-Windows-USB-USBHUB |
Consists of two Windows providers that capture events related to USB2 devices. | You might use the USB2 scenario to troubleshoot any device that is plugged into a USB2 port. |
| USB3 USB tracing for USB 3 host controllers (USB 2 or USB 3 devices). OS: Windows 8/Windows Server 2012 and later. |
Microsoft-Windows-USB-USBXHCI Microsoft-Windows-USB-UCX Microsoft-Windows-USB-USBHUB3 |
Contains three Windows providers that capture events related to USB3 devices. | You might use the USB3 scenario to troubleshoot any device that is plugged into a USB3 port. |
| System Category | |||
| RPC Troubleshoot issues related to RPC framework. |
Microsoft-Windows-RPC | Contains a single Windows provider that captures events from the remote procedure call (RPC) framework, including errors and other information (see the Keyword configuration for this provider). | You might use the RPC scenario to troubleshoot distributed programs that use RPC. |
| File Sharing Category | |||
| SMB2 Client And Firewall Capture SMB2 client provider traffic with headers only, combined with the Microsoft-PEF-WFP-MessageProvider. Associate network traffic with SMB2 client traffic. OS: Windows 8, Windows Server 2012, or later. |
Microsoft-Windows-SMBClient Microsoft-PEF-WFP-MessageProvider |
Provides full SMB information in addition to message data above the IP/Network Layer with the Microsoft-PEF-WFP-MessageProvider. | You might use the SMB2 Client And Firewall scenario to support SMB2 client and firewall-level tracing. |
| SMB2 Client Full Payloads Capture SMB2 client provider traffic with the payload; exposes data being transferred in Reads and Writes. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8, Windows Server 2012, or later. |
Microsoft-Windows-SMBClient | Contains a single Windows provider that is extended for SMB client events. | You might use the SMB2 Client Full Payloads scenario to support tracing with SMB filtering so that you can see encrypted data from the SMB client. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider. Tip: The ETW Core configuration tab of the Advanced Settings dialog for all SMB providers in the Windows 8 File Sharing category exposes Keyword settings for additional filtering capabilities. |
| SMB2 Client Header Only Capture SMB2 client provider traffic without the payload; increases performance by capturing less data. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8, Windows Server 2012, or later. |
Microsoft-Windows-SMBClient | Contains a single Windows provider that is extended for SMB client events. | You might use the SMB2 Client Header Only scenario to support tracing with SMB filtering so that you can retrieve only the headers from packets sent by the SMB client. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements. |
| SMB2 Server Full Payloads Capture SMB2 server provider traffic with the payload; exposes data being transferred in Reads and Writes. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8, Windows Server 2012, or later. |
Microsoft-Windows-SMBServer | Contains a single Windows provider that is extended for SMB server events. | You might use the SMB2 Server Full Payloads scenario to support tracing with SMB filtering so that you can see encrypted data from the SMB server. Provides better performance by filtering out data at the lower levels, such that only SMB packets are passed by the provider. |
| SMB2 Server Header Only Capture SMB2 server provider traffic without the payload; increases performance by capturing less data. Also capture encrypted and DMA-transferred SMB traffic. OS: Windows 8, Windows Server 2012, or later. |
Microsoft-Windows-SMBServer | Contains a single Windows provider that is extended for SMB server events. | You might use the SMB2 Server Header Only scenario to support tracing with SMB filtering so that you can retrieve only the headers from packets sent by the SMB server. By capturing only the SMB headers, that is, without the data payload, this provider delivers significant performance improvements. |
More Information
To learn more about PEF provider capabilities, including capturing data with the network driver interface specification (NDIS) driver, see the PEF Message Providers topic.
To learn more about configuring provider settings, see Modifying Default Provider Settings.
To learn more about provider manifests, see Understanding Event Parsing with a Provider Manifest.
To learn more about managing the Message Analyzer Trace Scenarios asset collection, see Managing Trace Scenarios
See Also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for