Filtering Live Trace Data
Before you start a live Message Analyzer Trace Session, you can create several types of filter configurations that limit the scope of the data you capture, as described in this section. One of the simplest and most popular is a Trace Filter, which retrieves only the messages that meet the filtering criteria you define; this targets specific message data while reducing the number of retrieved messages for better performance. You can either select a predefined Trace Filter from the Trace Filter Library or create your own by entering filter parameters in the text box of the Trace Filter pane during Trace Session configuration.
In addition to specifying a Trace Filter when you are configuring a Trace Session, you can also specify other types of filters, as follows:
Fast Filters — if you are configuring a Trace Session that uses a Local Link Layer Trace Scenario with the Microsoft-PEF-NDIS-PacketCapture provider, you have the option of specifying up to three Fast Filters that operate efficiently at the kernel level. You can also specify up to four Fast Filters when configuring a Trace Session that uses the Firewall Trace Scenario with the Microsoft-PEF-WFP-MessageProvider.
A Fast Filter is a capture-mode filter that performs significantly better than user-mode filtering, such as a Trace Filter. Capture-mode filtering is instrumented at the driver level before messages are delivered to the PEF Runtime, whereas user-mode filtering is applied as part of the Runtime parsing process. User-mode filtering therefore adds processing time before Message Analyzer can access the data through the PEF Runtime API.
Network Adapters and Fast Filter Groups — if you are configuring a Trace Session that uses a Local Link Layer Trace Scenario with the Microsoft-PEF-NDIS-PacketCapture provider, you can specify the network adapters through which your Trace Session will capture messages. For example, you can isolate messages to an Ethernet adapter, a wireless adapter, a combination of adapters, and so on. In addition, you can assign Groups of Fast Filters to any local adapter.
When you install Message Analyzer, all the network adapters on your system are enumerated. When you open the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog in a Local Link Layer scenario, all the network adapters on your system are listed in the System Network tree grid under the Machine node of the dialog. This dialog contains the configuration features that enable you to create filter Groups and assign them to specific adapters. In addition, you can selectively enable or disable any network adapter that appears in the System Network tree grid. By isolating the network adapter on which you capture data, you can block messages from other adapters and focus on capturing the messages of a particular protocol, for example, the Point-to-Point Protocol over Ethernet (PPPoE) protocol on a WAN Miniport interface connection. In addition, you can create filtering configurations that apply to all adapters, a group of selected adapters, or a single selected adapter only. The features of the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog provide a flexible framework that enables you to focus on capturing very specific data while achieving the performance advantages that are inherent to Fast Filters, as described in Using the PEF-NDIS Provider Advanced Settings Dialog.
NDIS Layer and Hyper-V-Switch Extension Filtering — if you are configuring a Remote Link Layer Trace Scenario, which uses the Microsoft-Windows-NDIS-PacketCapture provider with remote capabilities, you can specify how packets are intercepted on the NDIS filter layers of a remote host adapter or on the extension layers of a Hyper-V-Switch that services virtual machines (VMs) on which you are monitoring traffic. You can also specify the direction in which packets traverse these layers, along with other special filter configurations that specify a Truncation value, EtherTypes, IP Protocol Numbers, MAC addresses, and IP addresses. You can also specify particular remote host or VM adapters on which to capture data while excluding others. The configuration for such settings is available in the Microsoft-Windows-NDIS-PacketCapture Advanced Settings dialog, which is described in detail in Using the Windows NDIS Provider Advanced Settings Dialog.
WFP Layer Set filters — if you are configuring a Trace Session that uses the Firewall Trace Scenario with the Microsoft-PEF-WFP-MessageProvider, you can specify filters that isolate IPv4 or IPv6 message traffic directionally at the Transport layer. The WFP Layer Set consists of kernel-mode TCP/IP stack filters that operate in the receive or send path at the Transport layer. These filters allow you to selectively enable or disable either all inbound or all outbound packets at the Transport layer when capturing IPv4 or IPv6 messages.
HTTP filters — if you are configuring a Trace Session that uses the Web Proxy Trace Scenario with the Microsoft-Pef-WebProxy provider, you can specify filters that isolate traffic based on a Hostname or PortFilter value.
Keyword and Level filters — if you are configuring a Trace Session that uses a particular system ETW Provider, you can set Keyword and Level filters to capture events from specific modules of a Windows system component that has been instrumented for ETW via that ETW Provider. The provider represents its events with Keyword bitmask values and Level strings; by setting an appropriate Keyword bitmask or Level value, you cause the ETW Provider to deliver only the events that match that configuration, which filters for those events in traces that use the system ETW Provider. Examples of such providers include Microsoft-Windows-Dhcp-Client and Microsoft-Windows-LDAP-Client, which are accessible from the searchable system Add Provider library.
Note: Not all system ETW Providers are enabled for Keyword and Level configuration.
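The two filter types that practitioners most often script rather than click through are the Trace Filter described at the top of this section and the Keyword and Level filters described just above. The following PowerShell is an added example, not part of the Message Analyzer documentation or of the product itself. It reads a system ETW provider's manifest with the built-in Get-WinEvent cmdlet to obtain the real Keyword bitmask and Level values before you enter them, and then builds a Trace Session with a user-mode Trace Filter through Message Analyzer's PEF PowerShell module. The PEF cmdlet names and parameters (New-PefTraceSession, Add-PefMessageProvider, Set-PefTraceFilter, New-PefKeyDownTrigger, Start-PefTraceSession, Stop-PefTraceSession) are taken from the module as documented in Message Analyzer's PowerShell automation guidance and are assumed to be available on the host; the trace file path, the filter expression, and the keyword names in $wanted are constructed placeholders.

```powershell
# Added example, not Message Analyzer's own code. Assumes the PEF module that
# ships with Message Analyzer is importable; paths, filter text and keyword
# names below are constructed placeholders.

# --- Keyword and Level discovery for a system ETW provider -----------------
# Get-WinEvent -ListProvider reads the provider manifest, so the bitmask you
# type into the provider's Keyword field comes from the provider itself.
$providerName = 'Microsoft-Windows-Dhcp-Client'
$provider = Get-WinEvent -ListProvider $providerName

# Show every keyword as a 64-bit hex value and every level with its number.
$provider.Keywords | Select-Object Name, @{ n = 'Value'; e = { '0x{0:X16}' -f $_.Value } }
$provider.Levels   | Select-Object Name, Value

# Combine the keywords you want into one bitmask with a bitwise OR.
# 'KeywordA' and 'KeywordB' are constructed names; replace them with names
# from the listing above. Values are Int64 in .NET, so keep the mask signed
# to avoid overflow on keywords that use the top bit.
$wanted = @('KeywordA', 'KeywordB')
$mask = [long]0
foreach ($kw in $provider.Keywords) {
    if ($wanted -contains $kw.Name) { $mask = $mask -bor $kw.Value }
}
'Keyword bitmask to enter for {0}: 0x{1:X16}' -f $providerName, $mask

# --- Scripted capture with a user-mode Trace Filter ------------------------
Import-Module PEF   # module name assumed from the Message Analyzer install

# Circular 50 MB trace saved on stop; path is a constructed placeholder.
$session = New-PefTraceSession -Mode Circular -Force -Path 'C:\Traces\filtered.matu' -TotalSize 50 -SaveOnStop

# Local Link Layer capture through the PEF NDIS provider named on this page.
Add-PefMessageProvider -PEFSession $session -Provider 'Microsoft-PEF-NDIS-PacketCapture'

# A Trace Filter is evaluated in user mode during Runtime parsing, so it
# reduces what you see but not what the driver must deliver; this constructed
# expression keeps only TCP segments to or from port 443.
Set-PefTraceFilter -PEFSession $session -Filter 'TCP.Port == 443'

# Stop on Ctrl+C, then start the capture.
$stopTrigger = New-PefKeyDownTrigger -CtrlC
Stop-PefTraceSession -PEFSession $session -Trigger $stopTrigger
Start-PefTraceSession -PEFSession $session
```

Because the Trace Filter runs in user mode, it does not give the driver-level performance benefit described for Fast Filters; when capture volume is the problem rather than display volume, configure Fast Filters or adapter isolation in the provider's Advanced Settings dialog and use the Trace Filter only to narrow what is parsed.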
To learn more about the functions of predefined Filter Expressions that you can apply as a Trace Filter, see Filtering Trace Results.
To learn more about creating your own Filter Expressions or modifying existing ones, see Writing Filter Expressions.
To learn more about the Fast Filter configurations that you can apply to PEF providers, see Common Provider Configuration Settings Summary.
To learn more about Network Adapter filtering, see Common Provider Configuration Settings Summary.
To learn more about configuring filter Groups and assigning them to adapters in Local Link Layer scenarios, see Using the PEF-NDIS Provider Advanced Settings Dialog.
To learn more about remote tracing, see Capturing Data Remotely.
To learn more about WFP Layer Set filtering, see Common Provider Configuration Settings Summary.
To learn more about Hostname and PortFilter filtering, see WebProxy Filters.
To learn more about Keyword and Level filtering, see System ETW Provider Configuration Settings.