PEF-WFP Layer Set Filters
Updated: May 20, 2016
When configuring settings for the Microsoft-PEF-WFP-MessageProvider in Trace Scenarios that use it, you can create a WFP Layer Set filter configuration that directionally isolates inbound or outbound TCP packets at the Transport layer for IPv4 or IPv6 traffic. The WFP Layer Set filters are configured on the Provider tab of the Advanced Settings – Microsoft-PEF-WFP-MessageProvider dialog. To open that dialog, click the Configure link to the right of the Microsoft-PEF-WFP-MessageProvider Id in the ETW Providers list on the Live Trace tab of the New Session dialog; the New Session dialog is accessible from the Message Analyzer File menu or Start Page. The WFP Layer Set contains the following filters, which you can enable or disable by selecting or clearing the corresponding filter check boxes:
These filters are kernel-mode TCP/IP stack filters that operate in the receive or send path (inbound or outbound, respectively) at the Transport layer, before any processing occurs at that layer. When set, these filters selectively enable or disable the capture of all inbound, outbound, or bidirectional packet traffic at the Transport layer.
If you are capturing loopback (local application) traffic, you should disable either inbound or outbound traffic with WFP Layer Set filters in the Advanced Settings – Microsoft-PEF-WFP-MessageProvider dialog, as the default configuration of the Local Loopback Network Trace Scenario does; otherwise, you will get duplicate messages. However, for regular network traffic, you should always enable both inbound and outbound packet directions.
To learn more about configuring WFP Layer Set filters for the Microsoft-PEF-WFP-MessageProvider, see the Common Provider Configuration Settings Summary.