Network Diagnostics and Tracing

Published: October 7, 2009

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 include extensive network diagnostics and tracing facilities that are designed for gathering troubleshooting information on the DirectAccess client when it attempts to connect to the DirectAccess server.

This topic describes the following:

To access Windows Network Diagnostics, right-click the network connection icon in the notification area, and then click Troubleshoot problems. Windows Network Diagnostics has extensive support for DirectAccess connections and in many cases provides you with information about the root cause of the problem.

Use Windows Network Diagnostics as your first troubleshooting tool on the DirectAccess client.

To focus troubleshooting on DirectAccess and collect additional information, you can use the Connection to a Workplace Using DirectAccess troubleshooter in the Troubleshooting item of Control Panel.

  1. Click Start, and then click Control Panel.

  2. In System and Security, click Find and fix problems.

  3. Click Network and Internet, and then click Connection to a Workplace Using DirectAccess.

For this troubleshooting tool to work correctly, you must configure the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe URL Group Policy setting in the Group Policy object for DirectAccess clients. For more information, see Design Your Intranet for Corporate Connectivity Detection.

Windows 7 and Windows Server 2008 R2 include netsh trace, a new Netsh.exe context for network tracing. Commands in the netsh trace context allow you to selectively enable tracing for providers and scenarios. A provider represents an individual component in the network protocol stack, such as Windows Sockets (WinSock), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Local Area Network (LAN) Services, or Network Device Interface Specification (NDIS). A tracing scenario is a collection of providers for a specific function, such as file sharing or wireless LAN access. You can also apply filters to exclude irrelevant details and reduce the size of the resulting Event Tracing Log (ETL) file.

To perform detailed troubleshooting for networking issues, a helpdesk staff person or Microsoft’s Customer Service and Support organization typically needs both internal component tracing information and a capture of the network traffic that occurred when duplicating the problem. Prior to Windows 7, this information had to be obtained in two different ways: using Netsh.exe commands to enable and disable tracing, and using a packet sniffer program such as Network Monitor to capture the network traffic. Even with this information, it was difficult to tie the two sources together to determine when network traffic was sent relative to the events in the tracing logs.

When you perform network tracing in Windows 7 with commands in the netsh trace context, ETL files can contain both network traffic and component tracing information in sequence. The ETL files can be displayed with the latest version of Microsoft Network Monitor, which provides a much more efficient way to analyze and troubleshoot network problems.

  1. Open an administrator-level command prompt.

  2. In the command prompt window, type the netsh trace start scenario=directaccess capture=yes report=yes command.

  3. Reproduce the problem that you are having with DirectAccess.

  4. In the command prompt window, type the netsh trace stop command.

Netsh.exe writes tracing information to the NetTrace.etl file in the %TEMP%\NetTraces folder. To see the contents of this file, open it with Network Monitor 3.3 or later.

Netsh.exe also writes additional environment and troubleshooting information to the file in the %TEMP%\NetTraces folder.
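The four-step netsh trace procedure above, wrapped in a PowerShell function as an added example (not code from the original page). It assumes an elevated session on Windows 7 or Windows Server 2008 R2 or later, and it uses the netsh trace start parameters tracefile=, maxsize= and overwrite= to control where the ETL is written and how large it may grow.

```powershell
# Added example, not part of the original page. Runs the documented
# "netsh trace start scenario=directaccess capture=yes report=yes" procedure,
# waits for the problem to be reproduced, stops the trace and confirms the ETL
# exists before it is opened in Network Monitor 3.3 or later.
function Invoke-DirectAccessTrace {
    param(
        # Defaults to the location the page documents: %TEMP%\NetTraces\NetTrace.etl
        [string]$TraceFile = (Join-Path $env:TEMP 'NetTraces\NetTrace.etl'),
        # Upper bound on the ETL size in MB so a long reproduction cannot fill the disk
        [int]$MaxSizeMB = 250
    )

    # netsh trace must run from an administrator-level prompt; fail early otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated (administrator) PowerShell session.'
    }

    # netsh creates %TEMP%\NetTraces itself, but a custom tracefile= folder must exist.
    $folder = Split-Path -Parent $TraceFile
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    # Step 2: start the DirectAccess scenario with packet capture and report generation.
    & netsh.exe trace start scenario=directaccess capture=yes report=yes `
        tracefile="$TraceFile" maxsize=$MaxSizeMB overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

    try {
        # Step 3: reproduce the DirectAccess problem while the trace is running.
        Read-Host 'Tracing started. Reproduce the DirectAccess problem, then press Enter' | Out-Null
    }
    finally {
        # Step 4: stop tracing; with report=yes netsh also assembles the report at this point.
        & netsh.exe trace stop
    }

    # Confirm the ETL was written and report its size and timestamp.
    if (-not (Test-Path $TraceFile)) { throw "Expected trace file not found: $TraceFile" }
    Get-Item $TraceFile | Select-Object FullName, Length, LastWriteTime
}

# Usage from an elevated prompt; the returned object names the ETL to open in Network Monitor.
# Invoke-DirectAccessTrace
```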

Windows Firewall tracing provides detailed component interaction information for the Windows Filtering Platform (WFP). WFP is a set of application programming interfaces (APIs) and system services that provide a platform for network traffic filtering applications. The WFP API allows developers to interact with the packet processing that takes place at several layers in the Windows networking stack. Network data can be filtered and modified before it reaches its destination. Windows Firewall with Advanced Security uses WFP for firewall filtering and connection security. You can use Windows Firewall tracing to capture and analyze Internet Protocol security (IPsec) security negotiation.

  1. Open an administrator-level command prompt.

  2. In the command prompt window, type the netsh wfp capture start cab=off command.

  3. Reproduce the problem that you are having with DirectAccess.

  4. In the command prompt window, type the netsh wfp capture stop command.

Netsh.exe writes tracing information to the Wfpdiag.xml file in the current folder, which you can review for information about connection security issues.
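An added example (not from the original page) of reviewing the Wfpdiag.xml produced by the netsh wfp capture steps above: it counts the recorded net events by type and lists the IKE negotiation failures, which are the events that explain a DirectAccess IPsec tunnel that never establishes. The element names it reads (wfpdiag/netEvents/item, header/timeStamp, header/remoteAddrV4 and remoteAddrV6, type, and the ikeMmFailure, ikeQmFailure and ikeEmFailure detail nodes with failureErrorCode) are assumptions about the file's layout; the FWPM_NET_EVENT_TYPE_* names are the WFP API event types.

```powershell
# Added example, not part of the original page. Summarizes the net events in a
# Wfpdiag.xml written by "netsh wfp capture stop". The XML element names below are
# assumed from typical Wfpdiag.xml output; verify them against your own capture.
function Get-WfpNetEventSummary {
    param(
        [Parameter(Mandatory)][string]$Path   # path to Wfpdiag.xml (current folder by default)
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    $events = @($doc.wfpdiag.netEvents.item)

    # IKE main-mode, quick-mode and extended-mode failures from the WFP event type enum.
    $ikeTypes = @('FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE',
                  'FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE',
                  'FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE')

    # How many events of each type were captured (drops, IKE failures, and so on).
    $counts = $events | Group-Object -Property type |
              Select-Object @{ n = 'Type'; e = { $_.Name } }, Count

    # One row per IKE failure: when, with which peer, and the error code IKE reported.
    $ikeFailures = foreach ($e in $events) {
        if ($ikeTypes -notcontains $e.type) { continue }
        # The detail node is named after the failure kind; take whichever one is present.
        $detail = $e.ikeMmFailure, $e.ikeQmFailure, $e.ikeEmFailure |
                  Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Time      = $e.header.timeStamp
            Type      = $e.type
            Remote    = if ($e.header.remoteAddrV6) { $e.header.remoteAddrV6 } else { $e.header.remoteAddrV4 }
            ErrorCode = if ($detail) { $detail.failureErrorCode } else { $null }
        }
    }

    [pscustomobject]@{ EventCounts = $counts; IkeFailures = $ikeFailures }
}

# Usage after "netsh wfp capture stop" has written Wfpdiag.xml to the current folder:
# $summary = Get-WfpNetEventSummary -Path .\Wfpdiag.xml
# $summary.EventCounts | Format-Table -AutoSize
# $summary.IkeFailures | Format-Table -AutoSize
```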
