Capturing Firewall and IPsec Events with Netsh WFP

Applies To: Windows 7, Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 introduce the new netsh wfp context, which enables you to capture diagnostic trace sessions of the behavior of the Windows Filtering Platform (WFP), the base engine that implements your firewall and connection security rules. Starting a capture session, reproducing the problem, and then stopping the capture produces a log that can help you or Microsoft Customer Support Services (CSS) troubleshoot connectivity problems on your computers.

To capture a Netsh WFP diagnostics session

  1. Open a command prompt with Administrator permissions.

  2. At the command prompt, change the current folder to your desktop by running the command: cd %userprofile%\desktop

  3. To start the capture, run the command netsh wfp capture start.

  4. Reproduce the networking problem whose cause you are trying to diagnose.

  5. To complete the capture, run the command netsh wfp capture stop. The output file is stored in the current folder.

To view the WFP diagnostic data

  1. In Explorer, double-click the .cab file that you created in the previous procedure.

  2. The .cab file contains an .xml file and an .etl file. The .etl file is a binary file that is intended for use by CSS. The .xml file can be loaded and read locally. Because of the size of the .xml files produced by this process, we recommend that you acquire an XML reader program instead of using a Web browser or Notepad to open the file. Several good ones are available for free download on the Web.

  3. Drag the wfpdiag.xml file from the .cab file to the desktop.

  4. Open the file with your XML reader of choice and examine the contents. Note the main sections:

    • sysInfo – This section contains information about the computer on which the trace was captured.

    • initialState – This section contains information about the state of the WFP and the currently configured rules before the problem was reproduced.

    • Events – This section contains information about things that occurred while the capture session was running.

    • finalState – This section contains the same information as initialState, but was captured when you ran the netsh wfp capture stop command. You can directly compare the two sections to look for differences that might relate to the connection problem you are trying to diagnose.
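As an added helper (not part of this article or of the netsh tool), the Python script below performs the comparison described in the last bullet on a wfpdiag.xml: it lists filters present in initialState but not in finalState (and vice versa) and reports each classify-drop event with the name of the filter that dropped it. The element names (filters/item/filterId, displayData/name, events/item/header, classifyDrop) and the sample capture are assumptions constructed for the example; check them against your own file before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a wfpdiag.xml capture (element names are assumptions):
# one filter removed, one added, one classify-drop event attributed to a filter still present.
SAMPLE_WFPDIAG = """<wfpdiag>
  <initialState><filters>
    <item><filterId>1001</filterId><displayData><name>Allow HTTP</name></displayData></item>
    <item><filterId>1002</filterId><displayData><name>Block All Inbound</name></displayData></item>
  </filters></initialState>
  <events>
    <item><header><timeStamp>2011-05-01T10:00:01Z</timeStamp><remoteAddrV4>10.1.2.3</remoteAddrV4>
      <remotePort>445</remotePort></header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
      <classifyDrop><filterId>1002</filterId></classifyDrop></item>
    <item><header><timeStamp>2011-05-01T10:00:02Z</timeStamp></header><type>FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE</type></item>
  </events>
  <finalState><filters>
    <item><filterId>1002</filterId><displayData><name>Block All Inbound</name></displayData></item>
    <item><filterId>1003</filterId><displayData><name>Allow SMB</name></displayData></item>
  </filters></finalState>
</wfpdiag>"""

def filter_names(root, state):
    """Map filterId -> display name for the filters listed under one state section."""
    return {f.findtext("filterId"): f.findtext("displayData/name")
            for f in root.find(state).iter("item")}

def diff_states(xml_text):
    """Names of filters that disappeared or appeared between initialState and finalState."""
    root = ET.fromstring(xml_text)
    before, after = filter_names(root, "initialState"), filter_names(root, "finalState")
    removed = sorted(before[i] for i in before.keys() - after.keys())
    added = sorted(after[i] for i in after.keys() - before.keys())
    return removed, added

def drop_events(xml_text):
    """Classify-drop events as (timestamp, name of the dropping filter, remote addr:port)."""
    root = ET.fromstring(xml_text)
    names = {**filter_names(root, "initialState"), **filter_names(root, "finalState")}
    drops = []
    for ev in root.find("events").iter("item"):
        if ev.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue  # other event kinds (IKE failures, etc.) are not drops
        hdr, fid = ev.find("header"), ev.findtext("classifyDrop/filterId")
        remote = hdr.findtext("remoteAddrV4", "?") + ":" + hdr.findtext("remotePort", "?")
        drops.append((hdr.findtext("timeStamp"), names.get(fid, fid), remote))
    return drops

if __name__ == "__main__":
    print(diff_states(SAMPLE_WFPDIAG), drop_events(SAMPLE_WFPDIAG))
```

For a real capture, pass the text of the extracted wfpdiag.xml (for example open("wfpdiag.xml").read()) to both functions instead of the sample.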

Similarly, you can use the netsh trace start and netsh trace stop commands to capture a variety of diagnostic information customized to a selected scenario, such as wfp-ipsec.

To capture a Netsh Trace diagnostics session

  1. At an Administrator: Command Prompt, run the command netsh trace start scenario=wfp-ipsec tracefile=%userprofile%\desktop\SampleTrace.cab

    Substitute a path and filename appropriate to your environment.

  2. The output of the command shows you that the trace is running, the file to which the data is written, and details of other possible parameters.

  3. Reproduce the problem whose cause you are trying to diagnose.

  4. Run the command netsh trace stop.

    The computer takes a few moments to compile the collected trace data into a .cab file at your specified location.

  5. Open Windows Explorer, browse to the folder you specified, double-click the .cab file, and examine its contents. A variety of text files, .xml files, event log files, and other file types are included.