The Cable Guy - April 2010
Network Diagnostics and Tracing in Windows 7
To provide a better user experience when encountering network connectivity issues, Windows Vista includes the Network Diagnostics Framework (NDF), a set of technologies and guidelines that allows a set of troubleshooters to assist users and diagnose and, where possible, automatically correct networking problems. When a user experiences a networking problem, NDF provides the ability to diagnose and repair the problem through diagnostics assessment and resolution steps that are presented to the user. NDF simplifies and automates many of the common troubleshooting steps and solutions for networking-related problems.
NDF in Windows 7 is now integrated with other new features of Windows 7 such as the notification area, the Troubleshooting item in Control Panel, and network tracing using Event Tracing for Windows (ETW). This integration allows easier viewing and collection of the information needed to troubleshoot network problems that cannot be corrected automatically or through user interaction.
Network Troubleshooting from the Network Icon in the Notification Area
You can easily launch network troubleshooting by right-clicking the network icon in the notification area of the Windows 7 desktop, then clicking Troubleshoot problems. Windows Network Diagnostics launches and attempts to detect and correct networking problems.
Network Troubleshooting from Control Panel
Rather than waiting for an error to occur to use the built-in diagnostics, with Windows 7 you can launch a troubleshooting session from the new Troubleshooting item in Control Panel, as shown in Figure 1.
Figure 1: The Troubleshooting item in Control Panel
For example, this computer does not have a connection to the Internet, which is highlighted in the window with an option to Try to connect again.
From the Network and Internet section of this dialog box, you can troubleshoot your connection to the Internet or problems with accessing files and folders on other computers. If you click Network and Internet, Windows displays the dialog box shown in Figure 2.
Figure 2: The Network and Internet troubleshooters
From here, you can launch troubleshooting sessions for Internet connections, shared folders, HomeGroup, network adapters, incoming connections, DirectAccess, and network printing.
Each of these troubleshooting sessions launches a wizard that steps you through the diagnosis and, if possible, automated or manual correction of the problem. If the problem cannot be resolved and you want to either examine or forward the Event Tracing Log (ETL) file that was recorded when you ran the troubleshooter, click View History from the Troubleshooting dialog box.
Figure 3: Example of a troubleshooting history
Each item in the history list represents a separate troubleshooting session. To view the results of a troubleshooting session, double-click it. Figure 4 shows an example.
Figure 4: Example of a troubleshooting report
To view the details of the detection, click the Detection details link. Figure 5 shows an example.
Figure 5: Example of detection details in a troubleshooting report
From the detection details, you can see the name of the ETL file that contains the information recorded during the troubleshooting session. To obtain a copy of this file to send to your internal support staff or Microsoft for analysis, click the file name and then specify a location in the resulting File Download dialog box.
ETL files can be viewed and analyzed with Network Monitor 3.3. You can also view ETL files with Event Viewer, the Tracerpt.exe tool, and by converting them to XML or text files with the netsh trace convert command.
To save the details of the troubleshooting session in a .CAB file, right-click the session in the Troubleshooting History window, and then click Save As. Just like ETL files, the CAB file can be sent to support staff for analysis.
Network Tracing with Netsh.exe
Windows 7 includes a new Netsh.exe context for network tracing; netsh trace. Commands in the netsh trace context allow you to selectively enable tracing for providers and scenarios. A provider represents an individual component in the network protocol stack, such as WinSock, TCP/IP, or Wireless LAN Services. A tracing scenario is a predefined collection of providers for a specific function, such as file sharing or wireless LAN access. You can also apply filters to exclude irrelevant details and reduce the size of the ETL file.
To perform detailed troubleshooting for networking issues, a helpdesk staff person or Microsoft's Customer Service and Support organization typically needs both internal component tracing information and a capture of the network traffic that occurred when duplicating the problem. Prior to Windows 7, this information had to be obtained two different ways; use Netsh.exe commands to enable and disable tracing and a packet sniffer program such as Network Monitor to capture the network traffic. Even with this information, it was difficult to tie these two sources of information together to determine when network traffic was sent relative to the events in the tracing logs.
When you perform network tracing in Windows 7 with commands in the netsh trace context, ETL files can contain both component tracing and network traffic in sequence. The ETL files can be displayed with Network Monitor 3.3, which provides a much more efficient way to analyze and troubleshoot network problems. Figure 6 shows an example of viewing an ETL file in Network Monitor 3.3.
Figure 6: Example of an ETL file with network traffic in Network Monitor 3.3
With this new capability, end users or helpdesk staff do not have to install and use Network Monitor on the computer having the problem to capture network traffic. Note that the ETL files generated for troubleshooting sessions from Control Panel-Troubleshooting by default do not contain network traffic information.
- Note Before Network Monitor 3.3 can fully display the ETL files generated by Windows 7, you must configure full Windows parsers. Network Monitor 3.3 by default uses stub Windows parsers. To configure full Windows parsers, click Tools, click Options, and then click the Parsers tab. In the list of parsers, click Windows, and then click Stubs to disable stub parsers and enable full parsers, and then click OK.
To capture both tracing and network traffic information sequentially for multiple components in the network stack (such as WinSock, DNS, TCP, etc.), Windows uses an activity-ID-based correlation known as grouping to collect and record the tracing and traffic information in the ETL file. Grouping within the ETL file allows you to examine the entire transaction as a single, correlated sequence of events.
When you enable tracing with Netsh.exe, Windows 7 can create two files.
An ETL file contains trace events for Windows components and, if specified, network traffic. By default, the ETL file is named Nettrace.etl and is stored in the %TEMP%\NetTraces folder. You can specify a different name and storage location with the tracefile= parameter. An optional CAB file can contain text, Windows Registry, XML, and other files that store additional troubleshooting information. The CAB file also includes a copy of the ETL file. By default, the CAB file is named Nettrace.cab and is stored in the %TEMP%\NetTraces folder.
You can also use Netsh.exe tracing in conjunction with Control Panel-Troubleshooting. First, enable tracing for the scenario with the appropriate Netsh.exe command. For example, use the netsh trace scenario=internetclient report=yes command. Use Control Panel-Troubleshooting to run the Connect to the Internet troubleshooting session. When complete, run the netsh trace stop command. When you view the history of the troubleshooting session, you can now access the CAB file.
Starting and Stopping a Netsh.exe Trace
To start a network trace with Netsh.exe, first run an elevated Command Prompt. To display the list of trace providers, type netsh trace show providers. To display the list of trace scenarios, type netsh trace show scenarios. To display the list of trace providers within a scenario, type netsh trace show scenario ScenarioName.
You can start a trace for one or multiple providers or scenarios. For example, to start a trace for the InternetClient scenario, type netsh trace start scenario=internetclient. To start tracing for more than one scenario, you can specify all of the appropriate scenarios, such as netsh trace start scenario=FileSharing scenario=DirectAccess.
To create a CAB file with a formatted report, include the report=yes parameter. To specify a name and location for the ETL and CAB files, use the tracefile= parameter. To record network traffic in the ETL file, include the capture=yes parameter.
For example, to start a trace for the WLAN scenario, create a CAB file with a formatted report, capture network traffic, and store the files with the name WLANTest in the C:\Tshoot folder, the netsh command is netsh trace start scenario=WLAN capture=yes report=yes tracefile=c:\tshoot\WLANtest.etl.
To stop tracing, use the netsh trace stop command.
For more information, see Netsh Commands for Network Trace in Windows Server 2008 R2.
For a list of all The Cable Guy articles, click here.