New Network Diagnostic Framework and Network Tracing Features in Windows 7

If you have ever needed to troubleshoot network client connectivity problems, you know that trying to uncover the source of those problems can be quite difficult. Even very small office and home office (SOHO) networks have numerous components that must all function for clients to connect to the Web or to network resources. You might know of instances when a sibling’s, parent’s, or friend’s network had problems that you could have solved, if you had been there. Many experienced power users can diagnose common issues with stand-alone tools like ping, ipconfig, and nslookup, but most end users do not know how to use these tools; walking the average user through these types of troubleshooting steps over the phone can be nearly impossible.

And the more complex a network is, the more potential problem points exist.

In an effort to improve troubleshooting of network connectivity problems, Microsoft introduced the Network Diagnostics Framework (NDF) in Windows Vista. NDF provides a way for end users, as well as component and application developers, to simplify network troubleshooting by automating many of the common troubleshooting steps and solutions.

Windows 7 Network Tracing and NDF

In Windows 7, we have improved the user experience and enhanced the scope of diagnostics based on customer feedback. If a support call is needed, assisting the user must be simple and efficient.

The goals of NDF and the improved network tracing in Windows 7 are to:

·         Help users to get and stay connected.

·         Reduce support costs for the entire Windows PC ecosystem.

·         Make assisting users as easy and efficient as possible.

The main objective for NDF is to avoid support calls by providing users with automated resolutions to connectivity problems, or actionable steps to resolution when an automated fix is not possible. For example, detection of an unplugged Ethernet cable renders a message, instructing the user to plug in the cable.

Windows 7 extends the Network Diagnostic Framework (NDF) by using Event Tracing for Windows (ETW) to log network events and packets in a single file. By collecting all of the needed information in one step, NDF now provides a more efficient method of troubleshooting network connectivity issues. When a user runs Windows Network Diagnostics, a diagnostics session log is automatically created and stored in the Action Center troubleshooting history (Start/Control Panel/System and Security/Action Center/Troubleshooting/View History). Each incident contains a report with diagnostics results, along with the Event Trace Log (ETL) file. The ETL file typically contains events from diagnostics, and some event data from networking components. The CAB file containing the report can be easily viewed or exported from the Action Center control panel UI.

In Windows 7 NDF and tracing, events related to a specific issue are categorized using activity-ID-based correlation (known as “grouping”), and then output in the ETL file. Grouping captures all issue-related events across the stack; from WinSock, to TCP, to NDIS, and all things in-between, all related events are grouped together. For example, if you are running a tracing session and you attempt to browse to and the browse fails, then all of the events related to that activity (WinSock, DNS, TCP, NDIS, WFP, etc.), are captured and grouped together. The benefit is that you can then examine the entire transaction throughout the stack as a single collection of events.

After you have captured tracing details in the ETL file, you can analyze the data by using a number of tools, such as Network Monitor 3.3, Event Viewer, Netsh trace convert, or Tracerpt.exe.

Windows 7 also includes a new Netsh context, Netsh trace, which enables you to perform comprehensive tracing, along with network packet capturing. Two key concepts related to Netsh trace are “scenarios” and “providers.”

·         A tracing scenario is defined as a collection of selected event providers.

·         Providers are the individual components in the network protocol stack, such as WinSock, TCP/IP, Windows Filtering Platform and Firewall, Wireless LAN Services, or NDIS.

You can use the Netsh trace start optional parameter [[scenario=]ScenarioName] to enable pre-defined scenarios for troubleshooting specific issues, and to configure granular tracing parameters for a tracing session. Scenarios include, but are not limited to, the following:

·         DirectAccess related issues.

·         Common file and printer sharing problems.

·         Web connectivity issues.

·         Layer 2 authentication issues.

·         Network adapter related issues.

·         Issues with network connections.

·         Issues related to Remote Procedure Call (RPC) framework.

·         Wireless or Wired LAN related issues.

For any given scenario, you can view the list of associated providers that will report events when you run a trace session. You can specify additional providers that are not included in an enabled scenario by including the parameter [provider=[ProviderNameOrGuid]]. Additionally, because it is frequently beneficial to target tracing results by limiting irrelevant tracing details, you can apply a variety of Netsh trace filters to reduce the ETL trace file size.

Finally, an additional benefit of NDF and Network Tracing in Windows 7 is that you can use netsh trace to collect both packet captures and trace events on the client, without needing to ask the customer to install Netmon on the PC that you are troubleshooting. The packets are also correlated and grouped with related trace events. Netmon is only needed on the computer that you are using to examine the packets. Therefore, the user need only email the file that is collected in Action Center, or provide it on some type of removable media, such as a CD or Flash Drive.
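The scenario, provider, filter and capture options described above, combined into one session as an added example (not part of the original post). The output folder, the 192.0.2.10 address filter, the extra provider and the choice of the InternetClient scenario are assumptions made for illustration.

```powershell
# Added example: run from an elevated PowerShell prompt on the client.
# Assumed values (not from the article): output folder, file names,
# the 192.0.2.10 address filter and the InternetClient scenario.
$dir = 'C:\NetTrace'
$etl = Join-Path $dir 'webissue.etl'
$txt = Join-Path $dir 'webissue.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# List the predefined scenarios, then the providers behind one of them.
netsh trace show scenarios
netsh trace show scenario InternetClient

# Start tracing: one scenario, packet capture limited by an address filter,
# a size cap on the ETL file, and one provider added on top of the scenario.
netsh trace start scenario=InternetClient `
    capture=yes report=yes `
    tracefile=$etl maxsize=100 filemode=circular overwrite=yes `
    IPv4.Address=192.0.2.10 `
    provider=Microsoft-Windows-TCPIP
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    Read-Host 'Reproduce the connectivity problem, then press Enter' | Out-Null
}
finally {
    # Always stop the session so packet capture does not keep running.
    netsh trace stop
}

# Convert the binary ETL to text for a first look without Netmon.
netsh trace convert input=$etl output=$txt dump=TXT overwrite=yes

# Record a hash so the recipient can confirm the file arrived unmodified.
certutil -hashfile $etl SHA256
```

The capture filter and size cap also limit how much unrelated traffic ends up in a file that will leave the machine, since the ETL contains captured packets as well as events.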


For detailed information about using NDF, Netsh Trace and Netmon to diagnose connectivity issues, see Network Diagnostics Framework in the Networking Developer Platform center Library.

The complete Netsh Commands for Trace command line reference is available on the Web.


Brit Weston
The Windows Server Networking Documentation Team
