Extensible Switch Unified Tracing in Hyper-V 3.0: netsh

Extensible Switch Unified Tracing in Hyper-V 3.0: netsh

While I was building demo/lab for network virtualization, I wanted to see what is going on behind scenes in the virtual switch. One of the features of Hyper-V is unified tracing. Windows 2012 has a new netsh parameters to be able to capture Physical, Virtual machine traffic, and traffic that traverses the Hyper-V virtual switch.

Netsh is a command line utility built in Windows OS.

netsh:

is a command line, built-in tracing utility in Windows (Vista+) with network tracing capability. With Netsh; you do not need to install anything, can provide persistent tracing, circular logging, and a cab file (trace and other network related information), and can be scenario based.

Basic Syntax: netsh trace

start: Starts a trace session

Stop: Stops a trace session

Capture=yes: Turns on raw network capture from NDIS

Provider=ProviderName: Enables tracing for a specific provider

Show Providers: Shows a list of providers

Scenario=ScenarioName: Enables tracing for a specific scenario

Show Scenarios: Shows a list of scenarios

netsh trace show scenarios

Available scenarios (13):
——————————————————————-
AddressAcquisition       : Troubleshoot address acquisition-related issues
AddressAcquisitionServer : Troubleshoot address acquisition server related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Set of HTTP service counters
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

Providers in Windows 2012:

Enough for netsh : )

Hyper-V Virtual Switch Extensions:

Extensions are Filters or Windows Filtering Platform Providers. There are three types of Extensions.

1. Capture extensions: Inspects traffic and generate new packets, but cannot modify it
2. Filtering Extensions: Inspect, drop, modify, and insert packets (Windows Filter Platform (WFP)) (example, windows firewall)
3. Forwarding extensions: forwards packets, can capture and filter traffic

Hyper-V Virtual Switch Extension Cmdlets:

[ps]
Get-vmSwitch
Get-vmSwitchExtension –vmSwitchName switchName
Enable-vmSwitchExtension –vmSwitchName switchName -Name extensionName
Disable-vmSwitchExtension –vmSwitchName switchName -Name extensionName
[/ps]

Capturing packets and events:

Windows Network Virtualization events:

Netsh trace start provider=Microsoft-windows-wnv level=5

LEVELS:

1 – Critical: Only critical events

2 – Errors: Critical events and errors

3 –Warnings: Critical events, errors, and warnings

4 –Informational: Critical events, errors, warnings, and informational events

5 – Verbose: All events

Virtual switch events and packets:

[ps]
Netsh trace start provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
[/ps]

To capture both Virtual Switch and Network Virtualization Events:

[ps]
Netsh trace start provider=Microsoft-windows-wnv level=5 provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
[/ps]

After reproducing the issue, stop the trace with netsh trace stop command.

Convert the ETL files:

Netsh trace convert file_name

Once the trace is stopped, you will see 1 etl, 1 cab, and if converted, 1 text file in the directory.

cab file includes:

adapterinfo.txt

allcred.reg.txt

allcredfilter.reg.txt

dns.txt

envinfo.txt

filesharing.txt

gpresult.txt

neighbors.txt

netevents.xml

neteventslog.txt

netiostate.txt

networkprofiles.reg.txt

notif.reg.txt

osinfo.txt

report.etl

report.html

sysports.xml

sysportslog.txt

tempfile.txt

wcninfo.txt

wfpfilters.xml

wfplog.log

wfpstate.xml

wfpstatelog.txt

windowsfirewallconfig.txt

windowsfirewallconseclog.evtx

windowsfirewallconseclogverbose.evtx

windowsfirewallconseclogverbose_1033.mta

windowsfirewallconseclog_1033.mta

windowsfirewalleffectiverules.txt

windowsfirewalllog.evtx

windowsfirewalllogverbose.evtx

windowsfirewalllogverbose_1033.mta

windowsfirewalllog_1033.mta

winsockcatalog.txt

Converted txt file:

Trace files can be viewed in netmon. After opening the trace file, go to Tools, options, click on Parser Profiles, and on Windows, right click and choose set as active enable full parsers.

Netmon parsers: http://nmparsers.codeplex.com/

• Author
• Recent Posts

Bulent Tolu

Systems Engineer at Veeam

Bulent is an IT professional with MSc in MIS and close to 20-years of experience in broad range of technologies. He has a passion to continually research, test and evaluate new technologies and follow industry best practices to secure and optimize IT systems and solve IT challenges for enteprises. Currently, he lives in Ankara and works as Systems Engineer at Veeam.

Latest posts by Bulent Tolu (see all)

• VMware Identity Manager – Workspace ONE – Provide Access to Horizon Desktops and Apps & Workspace ONE mode - 17 September 2017
• VMware Identity Manager 2.9.2 – Workspace ONE – Installation in DMZ with Outbound-Only Connection Mode - 17 September 2017
• Deploy Unified Access Gateway (UAG) 3.0 with Horizon - 17 September 2017