The Cable Guy: Network Diagnostics & Tracing in Windows 7
Windows users are an independent lot, for the most part. They typically prefer to identify and correct problems on their own. To help users when they encounter network-connectivity issues, Windows Vista includes the Network Diagnostics Framework (NDF), a set of technologies and guidelines that allows a collection of troubleshooting tools to assist users in diagnosing, and where possible, automatically correcting networking problems.
When a user experiences a networking problem, NDF provides the ability to diagnose and repair it by presenting the person with diagnostic assessments and resolution steps. NDF simplifies and automates many of the common troubleshooting steps and solution implementations for networking troubles.
With Windows 7, Microsoft has now integrated NDF into the OS along with new features such as the notification area, the Troubleshooting item in Control Panel, and network tracing using Event Tracing for Windows (ETW). This lets you more easily view and collect information needed to troubleshoot network difficulties that defy correction either automatically or through user interaction.
Network Troubleshooting from the Network Icon in the Notification Area
You can easily launch network troubleshooting by right-clicking on the network icon in the notification area of the Windows 7 desktop and selecting Troubleshoot problems. Windows Network Diagnostics will launch and attempt to detect and correct what’s wrong.
Network Troubleshooting from Control Panel
With Windows 7, you don’t have to wait for an error to occur to use the built-in diagnostics. You can launch a troubleshooting session anytime from the new Troubleshooting item in Control Panel. When you do, the screen shown in Figure 1 appears. In this case, the tool has found that the computer has no Internet connection. The page displays a boxed message that informs you of the problem and offers a Try to connect again option.
Figure 1 Opening the Troubleshooting item in Control Panel produces this screen.
If you click on the Network and Internet selection, you’ll get the dialog box shown in Figure 2. There you can choose from seven options that start sessions for troubleshooting several types of issues: Internet-connection difficulties, problems accessing files and folders on other computers, and network-printing troubles.
Figure 2 Troubleshooting network and Internet problems.
Choosing any of the seven options launches a wizard that steps you through diagnosis of the problem, and if possible, automated or manual correction. The troubleshooter also records an Event Tracing Log (ETL). If the problem can’t be resolved, you can examine and even forward the log. Just click on View History from the Troubleshooting dialog. Figure 3 shows an example ETL.
Figure 3 An example of troubleshooting history.
Each item in the history list represents a separate troubleshooting session. Double-clicking on a session displays the results for it. Figure 4 shows an example.
Figure 4 Example of a troubleshooting report.
To view the details of the detection, click the Detection details link, and you’ll see a window like the one in Figure 5.
Figure 5 A typical Detection-details screen from a troubleshooting report.
Near the top of the dialog, you’ll see the name of the ETL file that contains the information from the troubleshooting session. If you want to send a copy to support staff or Microsoft for analysis, you can save the file by clicking on its name, which will bring up the File Download dialog.
You can view and analyze ETL files with Network Monitor 3.3. You can also view the files with Event Viewer and the Tracerpt.exe tool as well as by converting them to XML or text files with the netsh trace convert command. You can save the details of the troubleshooting session in a CAB file by right-clicking the session in the Troubleshooting History window and then selecting Save As. Just as with ETL files, you can send the CAB file to support staff for analysis.
Network Tracing with Netsh.exe
Windows 7 includes a new Netsh.exe context, netsh trace, for network tracing. Commands in the netsh trace context allow you to selectively enable tracing for providers and scenarios. A provider represents an individual component in the network protocol stack, such as Winsock, TCP/IP, wireless LAN services, or NDIS. A tracing scenario is a predefined collection of providers for a specific function, such as file sharing or wireless LAN access. To exclude irrelevant details and reduce the size of the ETL file you can apply filters.
Typically, to perform detailed troubleshooting of networking issues, you have to supply your helpdesk staff or Microsoft’s Customer Service and Support organization with both internal component tracing information and a capture of the network traffic at the time of the problem. Prior to Windows 7, you had to carry out two different procedures to obtain this information: Use Netsh.exe commands to enable and disable tracing and a packet-sniffer program, such as Network Monitor to capture the network traffic. And then you faced the difficult task of tying together the information from these two sources to determine when network traffic was sent relative to the events in the tracing logs.
In Windows 7, when you perform network tracing with commands in the netsh trace context, ETL files can contain both network traffic and component tracing in sequence. And you can display the ETL files with Network Monitor 3.3, which provides much more efficient way to analyze and troubleshoot network problems. Figure 6 shows an example of an ETL file being viewed in Network Monitor 3.3.
Figure 6 Using Network Monitor 3.3 to view the network traffic recorded in an ETL file.
With this new capability, capturing network traffic requires neither end users nor helpdesk staff to install and use Network Monitor on the computer having the problem. Note that by default the ETL files generated for troubleshooting sessions from Control Panel | Troubleshooting do not contain network traffic information.
To capture both tracing and network traffic information sequentially for multiple components in the network stack (such as Winsock, DNS, TCP, NDIS, WFP and so forth), Windows uses an activity-ID-based correlation known as grouping to collect and record the tracing and traffic information in the ETL file. Grouping within the ETL file allows you to examine the entire transaction as a single, correlated sequence of events.
For more information about the Netsh.exe commands for a tracing session, see the “Starting and Stopping a Netsh.exe Trace” sidebar.
When you enable tracing with Netsh.exe, Windows 7 can create two files. An ETL file contains trace events for Windows components, and if specified, network traffic. By default, the ETL file is named Nettrace.etl and stored in the %TEMP%\NetTraces folder. You can specify a different name and storage location with the tracefile= parameter. An optional CAB file can contain several types of files including text, Windows Registry, XML and others that store additional troubleshooting information. The CAB file also includes a copy of the ETL file. By default, the CAB file is named Nettrace.cab and stored in the %TEMP%\NetTraces folder.
You can also use Netsh.exe tracing in conjunction with Control Panel | Troubleshooting. First, use the appropriate Netsh.exe command to enable tracing for the scenario. For example, use the netsh trace scenario=internetclient report=yes command. Use Control Panel | Troubleshooting to run the Connect to the Internet troubleshooting session. When complete, run the netsh trace stop command. Now, when you view the history of the troubleshooting session, you’ll be able to access the CAB file.
Sidebar: Starting and Stopping a Netsh.exe Trace
To start a network trace with Netsh.exe, first run an elevated command prompt. To display the list of trace providers, type netsh trace show providers. To produce the list of trace scenarios, type netsh trace show scenarios. To show the list of trace providers within a scenario, type netsh trace show scenario ScenarioName.
You can start a trace for one or multiple providers or scenarios. For example, to do so for the InternetClient scenario, type netsh trace start scenario=internetclient. To start tracing for more than one scenario, you can specify all of the appropriate scenarios, such as netsh trace start scenario=FileSharing scenario=DirectAccess.
You can create a CAB file with a formatted report by including the report=yes parameter. Use tracefile=parameter to specify a name and location for the ETL and CAB files. If you want to record network traffic in the ETL file, include the capture=yes parameter.
For example, here’s the command that will start a trace for the WLAN scenario, create a CAB file with a formatted report, capture network traffic, and store the files with the name WLANTest in the C:\Tshoot folder: netsh trace start scenario=WLAN capture=yes report=yes tracefile=c:\tshoot\WLANtest.etl.
To stop tracing, use the netsh trace stop command.
For more information, see Netsh Commands for Network Trace in Windows Server 2008 R2.
Sidebar: Using Network Monitor 3.3 to View ETL Files
Before Network Monitor 3.3 can fully display the ETL files generated by Windows 7, you must configure full Windows parsers. By default, Network Monitor 3.3 uses stub Windows parsers. To configure full Windows parsers, click Tools | Options | Parsers. In the list of parsers, click Windows | Stubs to disable stub parsers and enable full parsers, then click OK.
Joseph Davies is a principal technical writer on the Windows networking writing team at Microsoft. He is the author and coauthor of a number of books published by Microsoft Press, including “Windows Server 2008 Networking and Network Access Protection (NAP),” “Understanding IPv6, Second Edition” and “Windows Server 2008 TCP/IP Protocols and Services.”