Using Netsh Trace to Manage Traces

Applies To: Windows 7, Windows Server 2008 R2

In Windows® 7, you can use Netsh.exe at the command prompt to enable and configure network traces. This section describes some of the Netsh.exe commands which are used to troubleshoot tracing issues, including the new Netsh trace functionality. Note that the Netsh commands must be run from an elevated command prompt.

Collecting traces

To assist the process of collecting traces, Windows 7, by default, provides several tracing scenarios. Scenarios are predefined sets of trace providers which you can enable for troubleshooting. To display the list of available network-related scenarios, type netsh trace show scenarios.

When you have identified a scenario that is relevant to your issues, you can view a list of all of the providers included in that scenario by typing netsh trace show scenariosScenarioName. For example, to see all of the providers enabled under the InternetClient scenario, type netsh trace show scenario internetclient.

You can start a trace for all of the providers in a given scenario or set of scenarios. For example, to start a trace for all of the providers enabled under the InternetClient scenario, type netsh trace start scenario=internetclient. To capture providers for more than one scenario, you can specify all of the appropriate scenarios, such as netsh trace start scenario=FileSharing scenario=DirectAccess. Only one tracing session may be enabled at a time, and it is not possible to simultaneously capture trace information from different sets of providers into separate files.

You can also start a trace for providers not included in the specified scenario. For example, you might want to start traces for all of the providers enabled under the WLAN scenario and also include the DHCP provider. To do this, type netsh trace start scenario=wlan provider=Microsoft-Windows-Dhcp-Client.

You can also see more details about a specific provider by typing netsh trace show provider followed by the provider name.

To see all of the options and filters available, type netsh trace start /?.

To stop tracing, type netsh trace stop.

Using the output files

By default, when tracing is stopped, two files are generated: an Event Trace Log (ETL) file and a .cab file.

Trace events are collected in the ETL file, which you can view using tools such as Network Monitor. By default, the resulting ETL file is named nettrace.etl. You can specify that the tracing session outputs the ETL file using a different name by including the Netsh trace parameter: tracefile=filename.etl, when starting the trace.

The .cab file contains rich information about the software and hardware on the system such as the adapter information, build, operating system, and wireless settings. By default, the resulting .cab file is named nettrace.cab, unless you specify another name, as indicated above.

The .cab file contains two files which are always named Report.html and Nettrace.etl. Nettrace.etl in the CAB file contains the same information as the ETL file in the same directory as the CAB file. The report.html file includes additional information about the trace events and the other information collected. To receive the most details available, include the command report = yes when starting a trace.

Using filters to reduce the amount of data in the ETL trace file

In certain situations it is advantageous to apply filters to limit the data that is collected and saved in the ETL trace file. For example, tracing sessions that run over a long period of time, can cause the ETL trace file to become quite large. The large ETL trace file size is compounded in scenarios where multiple providers are enabled, resulting in very high traffic. If the amount of trace data becomes too great, the ETW buffer constraints might result in some traces being dropped. Aside from this consideration, reducing the amount of data in the ETL trace file can help make troubleshooting easier by reducing the amount of data to review.

You can use Netsh trace filters to reduce the ETL trace file size. The trace filters are ETW levels and keywords that you can apply to individual providers.

To see a list of filters, type netsh trace start /?

An example of a filter is netsh trace start InternetClient provider=Microsoft-Windows-TCPIP level=5 keywords=ut:ReceivePath,ut:SendPath.In this example, the level is set to 5, which means that the maximum number of events that are shown.

The following table shows the settings available:

The keywords ut:ReceivePath and ut:SentPath filters the events to show only those events traced on the receive or send path. You can find a complete list of keywords for a specific provider by typing netsh trace show provider followed by the provider name. For example, type netsh trace show provider Microsoft-Windows-TCPIP to display information about the Microsoft-Windows-TCPIP provider, including a list of keywords.

Similar to Network Monitor, Netsh trace supports packet filtering capability - when packet capturing is turned on - by setting the Netsh trace parameter capture = yes. You can use packet filtering to capture a limited number of packets in a trace file. For example, netsh trace start capture = yes ipv4.address == x.x.x.x , where x.x.x.x is the IP address, will capture only the IPv4 packets for traffic with the specified source or destination address.

For additional information about how to use packet filtering, you can type netsh trace show capturefilterHelp at the Command Prompt.