Extensible Switch Unified Tracing in Hyper-V 3.0: netsh
While I was building a demo lab for network virtualization, I wanted to see what was going on behind the scenes in the virtual switch. One of the features of Hyper-V 3.0 is unified tracing: Windows Server 2012 adds new netsh parameters that capture physical traffic, virtual machine traffic, and traffic that traverses the Hyper-V virtual switch in a single trace.
Netsh is a command-line utility built into the Windows OS.
netsh:
The netsh trace context is a built-in tracing facility of Windows (Windows 7 / Server 2008 R2 and later) with packet capture capability. With netsh you do not need to install anything; it supports persistent (reboot-surviving) tracing, circular logging, scenario-based tracing, and it produces a cab file containing the trace plus other network-related diagnostic information.
Basic syntax: netsh trace
start: starts a trace session
stop: stops a trace session
capture=yes: turns on raw network capture from NDIS
provider=ProviderName: enables tracing for a specific provider
show providers: shows a list of providers
scenario=ScenarioName: enables tracing for a specific scenario
show scenarios: shows a list of scenarios
netsh trace show scenarios
Available scenarios (13):
------------------------------------------------------------
AddressAcquisition : Troubleshoot address acquisition-related issues
AddressAcquisitionServer : Troubleshoot address acquisition server related issues
DirectAccess : Troubleshoot DirectAccess related issues
FileSharing : Troubleshoot common file and printer sharing problems
InternetClient : Diagnose web connectivity issues
InternetServer : Set of HTTP service counters
L2SEC : Troubleshoot layer 2 authentication related issues
LAN : Troubleshoot wired LAN related issues
Layer2 : Troubleshoot layer 2 connectivity related issues
NDIS : Troubleshoot network adapter related issues
NetConnection : Troubleshoot issues with network connections
WFP-IPsec : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN : Troubleshoot wireless LAN related issues
Providers in Windows 2012 (output of netsh trace show providers):
Enough for netsh : )
Hyper-V Virtual Switch Extensions:
Extensions are NDIS filter drivers or Windows Filtering Platform (WFP) callout drivers that bind to the extensible switch. There are three types of extensions:
- Capturing extensions: inspect traffic and can originate new packets (for example, for reporting), but cannot modify or drop the traffic they see
- Filtering extensions: inspect, drop, modify, and insert packets; WFP callouts fall in this category (example: Windows Firewall)
- Forwarding extensions: decide where packets are delivered and can also capture and filter traffic
Hyper-V Virtual Switch Extension Cmdlets:
[ps]
Get-VMSwitch
Get-VMSwitchExtension -VMSwitchName switchName
Enable-VMSwitchExtension -VMSwitchName switchName -Name extensionName
Disable-VMSwitchExtension -VMSwitchName switchName -Name extensionName
[/ps]
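The cmdlets above only list and toggle extensions one switch at a time. The function below is an added example, not code from the original post, that audits every switch on the host and flags two things a practitioner cares about: extensions that are enabled but not running (the filter driver failed to attach, so the tracing or filtering you think is in place is not), and extensions from a vendor other than Microsoft (a third-party forwarding or filtering extension can see and rewrite all VM traffic). The property names used (ExtensionType, Vendor, Enabled, Running, SwitchType) are those I expect Get-VMSwitchExtension and Get-VMSwitch to expose on Windows Server 2012; the extension name 'Microsoft NDIS Capture' in the usage line is an assumption and should be checked against the report output on your host.

```powershell
# Added example (not from the original post). Requires the Hyper-V PowerShell module
# and an elevated prompt on the Hyper-V host.
function Get-VMSwitchExtensionReport {
    param(
        [string[]]$SwitchName   # omit to audit every switch on the host
    )

    $switches = if ($SwitchName) { Get-VMSwitch -Name $SwitchName } else { Get-VMSwitch }

    foreach ($sw in $switches) {
        foreach ($ext in (Get-VMSwitchExtension -VMSwitchName $sw.Name)) {
            [pscustomobject]@{
                Switch     = $sw.Name
                SwitchType = $sw.SwitchType          # External / Internal / Private
                Extension  = $ext.Name
                Type       = $ext.ExtensionType      # Capture / Filter / Forwarding
                Vendor     = $ext.Vendor
                Version    = $ext.Version
                Enabled    = $ext.Enabled
                Running    = $ext.Running
                # Enabled but not Running means the driver is bound in config but did not load;
                # a disabled extension is not a problem, so it counts as healthy.
                Healthy    = (-not $ext.Enabled) -or $ext.Running
                ThirdParty = ($ext.Vendor -ne 'Microsoft')
            }
        }
    }
}

# Enable an extension on one switch and confirm it actually came up (Running = True),
# instead of trusting the return of Enable-VMSwitchExtension alone.
function Enable-VMSwitchExtensionChecked {
    param(
        [Parameter(Mandatory)][string]$Switch,
        [Parameter(Mandatory)][string]$Extension
    )
    Enable-VMSwitchExtension -VMSwitchName $Switch -Name $Extension | Out-Null
    $state = Get-VMSwitchExtension -VMSwitchName $Switch -Name $Extension
    if (-not $state.Running) {
        Write-Warning "Extension '$Extension' on switch '$Switch' is enabled but not running"
    }
    return $state
}

# Usage: full picture of what is bound to every switch
Get-VMSwitchExtensionReport | Sort-Object Switch, Type | Format-Table -AutoSize

# Usage: only the lines worth a second look (broken bindings and non-Microsoft code in the data path)
Get-VMSwitchExtensionReport | Where-Object { -not $_.Healthy -or $_.ThirdParty } | Format-Table -AutoSize

# Usage: enable the in-box capture extension on one switch (extension name is an assumption; take it from the report)
Enable-VMSwitchExtensionChecked -Switch 'External-vSwitch' -Extension 'Microsoft NDIS Capture'
```

Run the report once on a freshly built host and keep the output; diffing it later is a cheap way to notice an extension that appeared on the switch without a change record.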
Capturing packets and events:
Windows Network Virtualization events:
netsh trace start provider=Microsoft-Windows-WNV level=5
Levels:
1 - Critical: only critical events
2 - Error: critical events and errors
3 - Warning: critical events, errors, and warnings
4 - Informational: critical events, errors, warnings, and informational events
5 - Verbose: all events
Virtual switch events and packets:
[ps]
netsh trace start provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
[/ps]
To capture both Virtual Switch and Network Virtualization Events:
[ps]
netsh trace start provider=Microsoft-Windows-WNV level=5 provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
[/ps]
After reproducing the issue, stop the trace with the netsh trace stop command.
Convert the ETL file to text:
netsh trace convert input=file_name.etl
Once the trace is stopped, you will see one .etl file, one .cab file, and, if you converted it, one .txt file in the output directory.
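The start / reproduce / stop / convert procedure above is typed by hand in the post. The script below is an added example, not code from the original post, that wraps the same netsh commands in two functions so the trace lands in a known directory, is size-capped with a circular buffer (an unbounded verbose VmSwitch trace on a busy host fills a disk quickly), and is converted to text in the same step that stops it. The trace directory, file naming, and the 256 MB cap are my assumptions; the netsh parameters (tracefile, maxsize, filemode, overwrite, input, output, dump) are standard netsh trace options, and netsh trace must run from an elevated prompt.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.

function Start-VMSwitchTrace {
    param(
        [string]$TraceDir  = 'C:\Traces',   # assumed output location
        [int]   $MaxSizeMB = 256,           # assumed cap; filemode=circular keeps the newest data
        [switch]$IncludeWNV                 # also trace Microsoft-Windows-WNV at level 5
    )

    if (-not (Test-Path $TraceDir)) {
        New-Item -ItemType Directory -Path $TraceDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl   = Join-Path $TraceDir "vmswitch-$stamp.etl"

    # Build the argument list exactly as it would be typed; level= applies to the
    # provider that precedes it, so WNV and its level go first, as in the post.
    $netshArgs = @('trace', 'start')
    if ($IncludeWNV) {
        $netshArgs += @('provider=Microsoft-Windows-WNV', 'level=5')
    }
    $netshArgs += @(
        'provider=Microsoft-Windows-Hyper-V-VmSwitch',
        'capture=yes',
        'capturetype=vmswitch',
        "tracefile=$etl",
        "maxsize=$MaxSizeMB",
        'filemode=circular',
        'overwrite=yes'
    )

    & netsh @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed with exit code $LASTEXITCODE"
    }

    # netsh reports the session state; surface it so the operator sees the trace is live
    & netsh trace show status
    return $etl
}

function Stop-VMSwitchTrace {
    param(
        [Parameter(Mandatory)][string]$EtlPath,
        [switch]$Convert     # also produce the .txt beside the .etl and .cab
    )

    & netsh trace stop | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace stop failed with exit code $LASTEXITCODE"
    }

    if ($Convert) {
        $txt = [System.IO.Path]::ChangeExtension($EtlPath, '.txt')
        & netsh trace convert "input=$EtlPath" "output=$txt" 'dump=txt' 'overwrite=yes' | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "netsh trace convert failed with exit code $LASTEXITCODE"
        }
    }

    # Return the artifacts the post describes: .etl, .cab, and optionally .txt
    $base = [System.IO.Path]::GetFileNameWithoutExtension($EtlPath)
    Get-ChildItem -Path (Split-Path $EtlPath) -Filter "$base.*" |
        Select-Object Name, Length, LastWriteTime
}

# Usage
$etl = Start-VMSwitchTrace -IncludeWNV
Read-Host 'Reproduce the issue now, then press Enter to stop the trace'
Stop-VMSwitchTrace -EtlPath $etl -Convert
```

The circular file mode is the important choice here: a verbose VmSwitch capture on a host with a few busy VMs grows by hundreds of megabytes a minute, and a trace that fills the system drive is a worse outage than the one being diagnosed.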
The cab file bundles diagnostic snapshots of the host (registry exports, firewall configuration and logs, gpresult output, DNS and Winsock state), so treat it as sensitive before sharing it outside your team. It includes:
adapterinfo.txt
allcred.reg.txt
allcredfilter.reg.txt
dns.txt
envinfo.txt
filesharing.txt
gpresult.txt
neighbors.txt
netevents.xml
neteventslog.txt
netiostate.txt
networkprofiles.reg.txt
notif.reg.txt
osinfo.txt
report.etl
report.html
sysports.xml
sysportslog.txt
tempfile.txt
wcninfo.txt
wfpfilters.xml
wfplog.log
wfpstate.xml
wfpstatelog.txt
windowsfirewallconfig.txt
windowsfirewallconseclog.evtx
windowsfirewallconseclogverbose.evtx
windowsfirewallconseclogverbose_1033.mta
windowsfirewallconseclog_1033.mta
windowsfirewalleffectiverules.txt
windowsfirewalllog.evtx
windowsfirewalllogverbose.evtx
windowsfirewalllogverbose_1033.mta
windowsfirewalllog_1033.mta
winsockcatalog.txt
Converted txt file:
Trace files can be viewed in Network Monitor (netmon). After opening the .etl file, go to Tools > Options > Parser Profiles, right-click the Windows profile and choose Set As Active; this enables the full parsers so the Hyper-V and WNV events are decoded.
Netmon parsers: http://nmparsers.codeplex.com/