
Using the Network Tracing Features

The procedures in this section encapsulate some of the main functionalities described in the Capturing Message Data section, which includes settings that change the scope of data retrieval. Although you can quickly start a Trace Session with a single click of any Trace Scenario in the Quick Trace area of the Start Page, you might want to specify your own Trace Session configuration settings before starting a trace. You can do this by clicking the Configure Capture/Trace icon in the Quick Trace area of the Start Page to open the Trace Session configuration interface, from where you can specify settings. You can also access the configuration settings for a Trace Session by clicking Capture/Trace in the Backstage, as specified in the procedures of this section. These procedures consist of the following:

Configure and Run a Local Link Layer Trace — provides an example of how to modify the default Local Link Layer (Windows 8/Windows Server 2012 or earlier) Trace Scenario by adding a combination of filters to the Microsoft-PEF-NDIS-PacketCapture provider configuration that restrict the scope of data retrieval to only messages that pass the defined filtering criteria.

Configure and Run a Firewall Trace — provides an example of how to modify the default Firewall Trace Scenario by setting the Microsoft-PEF-WFP-MessageProvider configuration to capture only HTTP packets through a Transport layer port filter.

Configure and Run a Web Proxy Trace — provides an example of how to modify the default Web Proxy Trace Scenario by defining filtering criteria that enables you to monitor HTTP message exchanges between a browser and web server.

Capture Traffic on a Remote Host — provides an example of how to use the default Remote Link Layer (to Windows 8.1/Windows Server 2012 R2) Trace Scenario to capture data on a remote Windows 8.1 or Windows Server 2012 R2 host. Includes specifying special filtering settings for the Hyper-V Switch and a target virtual machine (VM) that it services.

Design and Run a Custom Trace Scenario — provides instructions on how to create, save, and run a Trace Scenario template that monitors the manual Group Policy update process on the local machine for signs of any issues with Lightweight Directory Access Protocol (LDAP) communications.

Configure and Run a Local Link Layer Trace

In the following procedure, you will select the default Local Link Layer (Windows 8/Windows Server 2012 or earlier) Trace Scenario and then configure the Microsoft-PEF-NDIS-PacketCapture provider to isolate captured messages to a particular network adapter device and a specific IPv4 address. You might use a trace configuration such as this to minimize disk and CPU impact while capturing data on a busy computer that is overwhelmed with traffic.

To configure and run a Local Link Layer trace scenario

  1. From the Start menu or taskbar of your computer, click the Microsoft Message Analyzer icon to start Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  3. In the Trace Scenarios pane of the Trace Session configuration, under Network, click Local Link Layer (Windows 8/Windows Server 2012 or earlier).

    The Trace Scenario Configuration pane is populated with the Microsoft-PEF-NDIS-PacketCapture provider Name and Id (GUID), along with the ETW Provider Core Configuration.

  4. In the provider list of the Trace Scenario Configuration pane, next to the Microsoft-PEF-NDIS-PacketCapture provider Id, click the Configure link to display the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog.

  5. In the System Network tree grid of the Advanced Settings dialog, specify a physical or wireless adapter on which to capture data, by selecting the In and Out direction check boxes of the adapter.

    The Microsoft-PEF-NDIS-PacketCapture provider is set to capture both inbound and outbound traffic on the adapter device that you specified.

  6. In the Fast Filters pane of the Advanced Settings dialog under Group 1, click the drop-down arrow next to the Fast Filter 1 designator to display the filter type menu items and then select the IPv4Address filter type from the menu.

  7. In the text box to the right of the filter type drop-down, enter an IPv4 address in a format similar to the following:

    192.168.1.1

  8. In the Fast Filters pane of the Advanced Settings dialog under Group 2, click the drop-down arrow next to the Fast Filter 1 designator to display the filter type menu items and then select the LinkLevelAddress filter type from the menu.

  9. In the text box to the right of the filter type drop-down, enter a MAC address for a different adapter in a format similar to the following:

    !=00-2F-39-7E-1F-36

    This filter blocks traffic from reaching the adapter for which you specified the negated LinkLevelAddress. Note that you can also achieve this same result by simply deselecting the In and Out directional check boxes on the adapter for which you want to block traffic. However, this example shows you a simple way to utilize filter Groups.

  10. In the Advanced Settings dialog, highlight the System Network tree grid row that contains the adapter device you initially specified and then click the Apply To Highlighted button in Group 1 of the Fast Filters pane to assign the filter Group to the adapter.

    Note  When you click the Apply To Highlighted button, the name of the adapter device to which the Fast Filter Group is applied appears next to the Target label for the corresponding Group.

  11. In the Advanced Settings dialog, highlight the System Network tree grid row that contains the adapter device for which you specified a negated LinkLevelAddress filter and then click the Apply To Highlighted button in Group 2 of the Fast Filters pane to assign the filter Group to the adapter.

    The Microsoft-PEF-NDIS-PacketCapture provider is now configured to do the following in your Trace Session:

    • Isolate trace data to only the adapter device that you initially specified.

    • Block all packets to the device for which you created a negated LinkLevelAddress filter.

    • Target data for a specific IPv4 address.

    • Reduce message count and improve trace performance.

    When packets arrive that are intended for the adapter device that you initially specified, the filter configuration for Group 1 is applied to those packets. When packets arrive that are intended for the second adapter device, the filter configuration for Group 2 is applied to those packets.

  12. Click OK in the Advanced Settings dialog to close it.

  13. In the Trace Session configuration, you can optionally enter a name for the session in the Session name text box.

    You can also add a comment in the Comment text box to provide a description that reflects the Trace Session configuration.

  14. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid on the Message Analyzer Home tab.

  15. While Message Analyzer is capturing data, attempt to reproduce any conditions that are related to a particular issue you are having on the target computer.

  16. Stop the trace at a suitable point by clicking the Stop button in the Session group of the ribbon on the Message Analyzer Home tab.

  17. In the Analysis Grid, right-click the Diagnosis column header and select Group from the menu that displays to group any error messages you might have received, for further analysis.

Configure and Run a Firewall Trace

In the following procedure, you will select the default Firewall Trace Scenario and configure a Fast Filter to retrieve data from TCPPort 80, thereby filtering for HTTP traffic only. You might use a Trace Scenario such as this on a client computer to limit your capture to HTTP traffic only, along with the protocol stack that supports the HTTP operations. This can help you to troubleshoot webpage performance, detect issues with HTTP connectivity, or debug a website based on HTTP responses sent to the client. Also, the filter employed in this scenario minimizes the impact on disk I/O and the CPU because the filter selects specific messages for capture, resulting in reduced message count and thus better performance.

Note  In this scenario, the TCPPort filter will pass messages that transit both TCP source and destination ports.

To configure and run a Firewall trace scenario

  1. On a client computer, click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  2. In the Trace Scenarios pane of the Trace Session, under Network, click the Firewall scenario.

    The Trace Scenario Configuration pane is populated with the default configuration settings for the Microsoft-PEF-WFP-MessageProvider.

  3. Under PEF WFP Settings, click the Fast Filter 1 node to expand it, click the down arrow to the right of the Filter Type property box, and select the TCPPort item in the drop-down list.

  4. In the text box to the right of the Filter property box, enter the number 80.

    The PEF-WFP provider is now configured to filter for HTTP packets at the Transport layer.

  5. In the Trace Session configuration, you can optionally enter a name for the Trace Session in the Session name text box.

    You can also add a comment in the Comment text box to provide a description that reflects the Trace Session configuration.

  6. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid on the Message Analyzer Home tab.

  7. While Message Analyzer is capturing data, attempt to reproduce any conditions that may be related to HTTP connectivity or performance problems, for example, by navigating to a web server where the client experiences these issues.

  8. Stop the trace at a suitable point by clicking the Stop button in the Session group of the ribbon on the Message Analyzer Home tab.

  9. In the Analysis Grid, right-click the Diagnosis column and select Group from the menu that displays to group TCP diagnostic messages you might have received, for further analysis.

  10. Review the HTTP StatusCodes for evidence of connection or performance issues on the server, as described in the HTTP Addendum of this documentation.

    Note  To view HTTP status data, you must add the HTTP.Response.StatusCode field to the Analysis Grid viewer column layout with the Column Chooser dialog, as described in Using the Column Chooser.

Configure and Run a Web Proxy Trace

In the following procedure, you will run the Web Proxy Trace Scenario on a client computer with a filter configuration that enables you to capture and monitor HTTP browser messages exchanged with a specified HTTP host that is slow or marginally responsive.

To configure and run a Web Proxy trace scenario

  1. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  2. In the Trace Scenarios pane of the Trace Session, under Network, click the Web Proxy scenario.

    The Trace Scenario Configuration pane is populated with the default WebProxy Settings for the Microsoft-PEF-WebProxy provider along with the ETW Provider Core Configuration.

  3. In WebProxy Settings, specify the host name for the slowly responding web server in the text box to the right of the HostnameFilter property of the provider, in a format similar to the following:

    www.xxxxx.com

  4. In the WebProxy Settings, specify an HTTP port number in the text box to the right of the PortFilter property of the provider, to ensure that you capture only HTTP traffic. Specify the port number in integer format, as indicated in the following examples:

    80 for HTTP, or 443 for HTTPS

    The Microsoft-PEF-WebProxy provider is now configured to retrieve HTTP packets that are exchanged with the specified web server.

  5. In the Trace Session configuration, you can optionally enter a name for the Trace Session in the Session name text box.

    You can also add a comment in the Comment text box to provide a description that reflects the Trace Session configuration.

  6. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

  7. Open a browser and establish a connection to the specified HTTP host.

    The trace data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  8. Stop the trace at a suitable point by clicking the Stop button in the Session group of the ribbon on the Message Analyzer Home tab.

  9. In the Analysis Grid viewer, right-click the Diagnosis column and select Group from the menu that displays to group any diagnostic messages you might have received, for further analysis.

  10. Review the HTTP StatusCodes for evidence of connection or performance issues on the server, as described in the HTTP Addendum of this documentation.

    To view status data, you must add the HTTP.Response.StatusCode field to the Analysis Grid viewer column layout with the Column Chooser dialog, as described in Using the Column Chooser.

    Tip  You can Group the StatusCode column in the Analysis Grid to organize status codes into groups for ease of analysis.

Capture Traffic on a Remote Host

In the following procedure, you will run the Remote Link Layer (to Windows 8.1/Windows Server 2012 R2) Trace Scenario to capture traffic from a virtual machine (VM) that is serviced by a Hyper-V Switch on a remote Windows 8.1 or Windows Server 2012 R2 computer. In the procedure, you will select the Remote Link Layer scenario, connect with the remote host, and then use the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog to specify special filtering configurations for the Hyper-V Switch and the VM from which you will capture remote message traffic.

To configure and run a Remote Link Layer trace

  1. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  2. In the Trace Scenario Configuration pane, click the drop-down arrow of the Host combo box and then select the Connect to Remote Host… item.

  3. In the Input Host Name dialog that displays, specify the name of the remote host in the Enter Host Name text box and your authentication credentials in the User ID and Password text boxes. Click OK when finished.

    The remote host name should display in the Host combo box when you successfully connect to the host.

  4. In the Trace Scenarios Library of the Trace Session configuration, under Network, click Remote Link Layer (to Windows 8.1/Windows Server 2012 R2).

    The Trace Scenario Configuration pane is populated with the Microsoft-Windows-NDIS-PacketCapture provider Name and Id (GUID), along with the ETW Provider Core Configuration.

  5. In the provider list of the Trace Scenario Configuration pane, next to the Microsoft-Windows-NDIS-PacketCapture provider Id, click the Configure link to display the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog.

    The tree grid section of the Advanced Settings dialog should be populated with the adapters, switches, and VMs that Message Analyzer discovered on the remote host.

  6. In the tree grid section of the Advanced Settings dialog, remove all selected adapters, switches, and VMs from configuration by deselecting the Machine check box.

  7. In the tree grid section of the Advanced Settings dialog, specify the VM on which to capture data by selecting the enabling check box in the second grid column for the target VM.

    The Microsoft-Windows-NDIS-PacketCapture provider is now set to capture traffic on the target remote VM only.

  8. For the Layer parameter in the Filters pane of the Advanced Settings dialog, select the All Layers check box to ensure that packets are intercepted at all Hyper-V-Switch extension layers and so that the filtering rules of each switch extension are applied to all packets that traverse the switch stack.

  9. For the Direction parameter in the Filters pane of the Advanced Settings dialog, select the Egress check box so that packets are intercepted on all Hyper-V-Switch extension layers, but only in the direction that you specified, which in this case is the Egress path that goes up the switch extension stack.

    Selecting Egress only will result in faster switch port management and subsequently an improvement in performance.

  10. For the EtherType parameter in the Filters pane of the Advanced Settings dialog, specify the hexadecimal value 0800, without the “0x” designator, to target the IPv4 protocol.

  11. For the IP Protocol Numbers parameter in the Filters pane of the Advanced Settings dialog, specify the hexadecimal value 06, without the “0x” designator, to target the TCP protocol.

    The EtherType and IP Protocol Number settings that you specified will cause the remote trace to filter for and return only Ethernet frames that have IPv4 packet payloads, and of those IPv4 packets, only the ones that have TCP payloads.

  12. For the MAC Addresses parameter in the Filters pane of the Advanced Settings dialog, specify the MAC address of a target VM in a format similar to the following, to ensure that your Remote Link Layer trace returns remote traffic for the target VM only:

    10-60-4B-6D-8D-2D

  13. Click OK to close the Advanced Settings dialog.

  14. Start the remote trace by clicking the Start With button in the Trace Session configuration interface.

    Remote traffic from the specified VM begins to accumulate in the Analysis Grid viewer.

  15. Perform operations on the remote VM or attempt to reproduce any issues that may be occurring on the target VM, or on the Hyper-V-Switch that services it.

    For example, you may be concerned with packets being lost during message exchanges of a particular protocol on the VM. Because you have enabled all extension layers of the Hyper-V-Switch to intercept packets, any packets that are dropped by a switch extension layer should generate events that you can detect in the Message Analyzer trace results.

  16. Stop the remote trace at a suitable point by clicking the Stop button in the Session group on the ribbon of the Message Analyzer Home tab, so that you can analyze your data.
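As an added example (not Message Analyzer code), the following Python models at byte level what the filters configured in the Local Link Layer, Firewall and Remote Link Layer procedures admit into a trace: a small Ethernet II/IPv4/TCP header parser, the Fast Filter types IPv4Address, LinkLevelAddress (with the `!=` negation) and TCPPort (which, as the Firewall note says, matches either the source or the destination port), and the EtherType 0800 plus IP protocol 06 plus VM MAC chain of the remote trace. The frames, the gateway MAC 00-11-22-33-44-55 and every IP address other than 192.168.1.1 are constructed, and the evaluation semantics of the filters are assumptions drawn from the text, not taken from the product.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17  # 0800 / 06 as typed in the dialog
@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    ip_proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)  # dialog form, e.g. 10-60-4B-6D-8D-2D

def parse_frame(data: bytes) -> Frame:
    """Decode Ethernet II -> IPv4 -> TCP, stopping at the first layer that is not IPv4 or TCP."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    frame = Frame(mac_str(data[:6]), mac_str(data[6:12]), struct.unpack("!H", data[12:14])[0])
    if frame.ethertype != ETHERTYPE_IPV4 or len(data) < 34:
        return frame  # not IPv4 (e.g. ARP): no IP or port fields to filter on
    ip, ihl = data[14:], (data[14] & 0x0F) * 4  # IPv4 header and its length in bytes
    frame.ip_proto = ip[9]
    frame.src_ip, frame.dst_ip = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    if frame.ip_proto == IPPROTO_TCP and len(ip) >= ihl + 4:
        frame.src_port, frame.dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return frame

def fast_filter(frame: Frame, kind: str, value: str) -> bool:
    """One Fast Filter as typed in the dialog; '!=' negates, addresses/ports match either direction."""
    negate = value.startswith("!=")
    value = value[2:].strip() if negate else value.strip()
    if kind == "IPv4Address":
        hit = value in (frame.src_ip, frame.dst_ip)
    elif kind == "LinkLevelAddress":
        hit = value.upper() in (frame.src_mac, frame.dst_mac)
    elif kind == "TCPPort":
        hit = frame.ip_proto == IPPROTO_TCP and int(value) in (frame.src_port, frame.dst_port)
    else:
        raise ValueError(f"unsupported filter type {kind}")
    return hit != negate

def remote_filter(frame: Frame, vm_mac: str) -> bool:
    """Remote Link Layer steps 10-12: EtherType 0800 AND IP protocol 06 AND the VM's MAC."""
    return (frame.ethertype == ETHERTYPE_IPV4 and frame.ip_proto == IPPROTO_TCP
            and vm_mac.upper() in (frame.src_mac, frame.dst_mac))

def build_frame(dst_mac, src_mac, ethertype=ETHERTYPE_IPV4, proto=IPPROTO_TCP,
                src_ip="10.0.0.2", dst_ip="192.168.1.1", sport=49152, dport=80) -> bytes:
    """Constructed frame: Ethernet II header, then (for IPv4) a minimal 20-byte header and the ports."""
    eth = bytes.fromhex((dst_mac + src_mac).replace("-", "")) + struct.pack("!H", ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 46  # e.g. an ARP body, padded to minimum size
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, proto  # version 4 with IHL 5 (20 bytes), then protocol number
    ip[12:20] = bytes(map(int, (src_ip + "." + dst_ip).split(".")))
    return eth + bytes(ip) + struct.pack("!HH", sport, dport)

VM_MAC, OTHER_MAC, GW_MAC = "10-60-4B-6D-8D-2D", "00-2F-39-7E-1F-36", "00-11-22-33-44-55"
SAMPLES = {  # constructed traffic: the VM talking to a gateway, plus one other host
    "http_from_vm": build_frame(GW_MAC, VM_MAC),
    "http_reply_to_vm": build_frame(VM_MAC, GW_MAC, src_ip="192.168.1.1", dst_ip="10.0.0.2", sport=80, dport=49152),
    "arp_from_vm": build_frame("FF-FF-FF-FF-FF-FF", VM_MAC, ethertype=0x0806),
    "dns_from_vm": build_frame(GW_MAC, VM_MAC, proto=IPPROTO_UDP, dst_ip="10.0.0.53", sport=53000, dport=53),
    "http_other_host": build_frame(GW_MAC, OTHER_MAC, src_ip="10.0.0.9"),
}

def passing(filter_fn) -> list:
    return sorted(n for n, raw in SAMPLES.items() if filter_fn(parse_frame(raw)))
```

Only the two TCP frames that carry the VM's MAC survive the remote chain, while the TCPPort 80 filter also admits the other host's request, because the port is matched in both directions.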


More Information
To learn more about the extension filtering stack on a Hyper-V-Switch, see Overview of the Hyper-V Extensible Switch on MSDN.
To learn more about capturing traffic on a remote host and specifying adapter and filter configurations for the Microsoft-Windows-NDIS-PacketCapture provider, see Capturing Data Remotely.

Design and Run a Custom Trace Scenario

In the following procedure, you will create a custom Trace Scenario template that captures LDAP traffic to the local client computer during a manual Group Policy update. You can run the template file whenever it is necessary to ascertain whether a client computer is experiencing Group Policy update issues. The Trace Scenario template adds the Microsoft-Windows-LDAP-Client system ETW Provider to the trace configuration, so that LDAP-specific events can be captured. The events written by this provider can help you to better understand the state of the LDAP client when LDAP search, request, and response messages are sent during Group Policy update.

To design and run a custom Trace Scenario

  1. On the client computer, click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  2. In the Trace Scenarios pane of the Trace Session configuration interface, under Network, click a Local Link Layer scenario that is appropriate for your Windows operating system.

    The Trace Scenario Configuration pane is populated with the Microsoft-PEF-NDIS-PacketCapture provider Name and Id (GUID), along with the ETW Provider Core Configuration.

  3. In the provider list of the Trace Scenario Configuration pane, click the Configure link next to the Microsoft-PEF-NDIS-PacketCapture provider Id to display the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog.

  4. In the System Network tree grid of the Advanced Settings dialog, ascertain that the In and Out direction check boxes for the Ethernet adapter are selected to ensure capture of both inbound and outbound traffic on the adapter.

  5. In the Fast Filters pane of the Advanced Settings dialog under Group 1, click the drop-down arrow next to the Fast Filter 1 designator to display the filter type menu items, and then select the IPv4Address filter type from the menu.

  6. In the text box to the right of the filter type drop-down, enter an IPv4 address in a format similar to the following:

    192.168.1.1

  7. In the Advanced Settings dialog, highlight the System Network tree grid row that contains the Ethernet adapter and then click the Apply to Highlighted button in Group 1 of the Fast Filters pane to assign the filter Group to the Ethernet adapter.

  8. Click OK in the Advanced Settings dialog to close it.

  9. In the text box of the Trace Filter pane in the Trace Scenario Configuration, enter the following filter expression:

    *Port == IANA.Port.LDAP

  10. In the Trace Scenario Configuration pane, enter the characters “LDAP” in the Add Provider search box to locate the Microsoft-Windows-LDAP-Client provider in the drop-down list, and then click it to add it to your Trace Scenario template configuration.

    The Link Layer Trace Scenario template is now complete and configured to capture LDAP traffic and other events related to the LDAP client, for the specified IP address on the Ethernet adapter. The filters in use will remove a significant portion of lower-layer noise and improve performance.

  11. In the Trace Session configuration interface, you can optionally specify a new session name in the Session name text box, or you can keep the default name.

    You can also add a comment in the Comment text box to provide a description that reflects your Local Link Layer Trace Scenario template configuration.

  12. In the Trace Scenario Configuration pane, click the Save Scenario button.

  13. In the Edit Trace Scenario dialog that displays, provide a unique name for the scenario template in the Name text box and a description in the Description text box; choose an existing Category for the scenario template or create a new one; and select the viewer in the Default View drop-down menu or use the default selection.

  14. Click the Save button in the Edit Trace Scenario dialog to save the scenario in the Trace Scenarios Library.

    The Trace Scenario template that you saved should now display as part of the Trace Scenarios Library item collection in the Trace Session configuration interface.

  15. To display your Trace Scenario template configuration at any time, select it in the Trace Scenarios Library.

    The Trace Session configuration interface is then populated with the custom settings that you specified when you created this Trace Scenario template.

  16. After your custom Trace Scenario settings display in the Trace Session configuration interface, start a trace based on the template by clicking the Start With button.

    Note  You can also further modify your Trace Scenario template and save it with new configuration settings, without ever running it.

  17. Run the following command string from the command line to update Group Policy on the local machine:

    gpupdate /force

    The Trace Session begins capturing LDAP traffic on the local machine as the Group Policy update process accesses Active Directory Group Policy Objects (GPOs) containing user and computer policy settings for the client.

  18. Stop the trace at a suitable point by clicking the Stop button in the Session group of the ribbon on the Message Analyzer Home tab.

  19. In the Analysis Grid, right-click the Diagnosis column and select Group from the menu that displays to group any diagnostic messages you might have received, for further analysis.

  20. In the Analysis Grid, review the LDAP messages for any status indications or errors that might reveal issues with LDAP search, request, or response operations during Group Policy update.

© 2014 Microsoft. All rights reserved.