Collect a Network Trace
The main tools we will be discussing are NETMON and NETSH, though Wireshark is a good alternative and is also available on Linux systems. Your company may already have a preferred capture tool approved or in place; if so, it is best to use that.
Depending on the scenario, some tools offer advantages over others.
Easily Reproducible Issue: If the issue is reliably reproducible, capturing with the Wireshark or NETMON GUI is a relatively simple way to perform the capture.
Long-Running Capture: Use NMCAP or Wireshark with chain files. You can also use a circular capture, but you have to terminate the capture quickly after the issue occurs to prevent the relevant data from being overwritten. Chain files are preferred. You may have to monitor how much disk space they take up and delete older files if your system is low on storage. Wireshark can limit the number of chain files; NMCAP does not.
Cannot Install On the Server: NMCAP is installed on every version of Windows since 2008 R2, so you can capture a trace without having to install another tool.
Winsock Details: Using SCENARIO=NETCONNECTION, NETSH will also log Winsock and other low-level TCP events to the capture file.
Linux or Mac Systems: Use Wireshark on these systems, or any other capture tool that writes the PCAP format or another format that Wireshark can open.
Note: Chain files are additional files generated once the capture has recorded a predetermined amount of data. Instead of having 6GB in a single file, which most tools won't open, you could have 12 x 500MB or 30 x 200MB capture files. SQL Network Analyzer can analyze all the chain trace files at once as if they were a single larger file. The report tells you which file the issue is in, and the smaller files open and filter much more quickly than a single large file.
Note: To read NETSH files, you need to use NETMON.
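Putting the long-running options together on Windows, as an added example that is not code from the SQL Network Analyzer project or from this page: a PowerShell script that runs either an NMCap chain-file capture with a pruning loop (since NMCAP does not limit the number of chain files itself) or a circular netsh trace with the NetConnection scenario. The C:\Traces path, the 500 MB chain size, the 12-file retention count and the function names are assumptions chosen for the example.

```powershell
# Added example, not from the SQL Network Analyzer wiki: a long-running capture on Windows
# with the two options the page names. Assumptions: traces go under C:\Traces, chain files
# are 500 MB, the newest 12 are kept (12 x 500 MB), NMCap.exe is on the PATH, and the
# script runs from an elevated PowerShell prompt (both tools need administrator rights).

$TraceDir  = 'C:\Traces'
$ChainSize = '500M'   # NMCap size suffix: M = megabytes
$KeepFiles = 12       # newest chain files to retain; NMCap itself never prunes them
New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

function Start-NmcapChainCapture {
    # Option 1: NMCap with chain files. The .chn extension makes NMCap roll to a new
    # file every $ChainSize instead of overwriting (a .cap with a :size would be circular).
    # No capture filter, so nothing relevant is dropped; /DisableConversations keeps
    # memory usage flat over a multi-hour capture. Stop it by pressing x in its window.
    $proc = Start-Process -FilePath 'NMCap.exe' -PassThru -ArgumentList @(
        '/network', '*',
        '/capture',
        '/file', "$TraceDir\sqltrace.chn:${ChainSize}",
        '/DisableConversations'
    )

    # Prune while the capture runs: sort newest first, skip the ones we keep, delete the
    # rest. The file NMCap is currently writing has the latest timestamp, so it survives.
    while (-not $proc.HasExited) {
        Start-Sleep -Seconds 60
        Get-ChildItem -Path $TraceDir -Filter 'sqltrace*.chn' |
            Sort-Object LastWriteTime -Descending |
            Select-Object -Skip $KeepFiles |
            Remove-Item -Force
    }
}

function Start-NetshCapture {
    # Option 2: netsh trace, built into Windows, so nothing has to be installed.
    # scenario=NetConnection adds the Winsock and low-level TCP events the page mentions.
    # maxSize is in MB and fileMode=circular wraps when it is reached, so stop the trace
    # promptly once the issue has reproduced. The .etl output is opened with NETMON.
    netsh trace start scenario=NetConnection capture=yes `
        tracefile="$TraceDir\sqltrace.etl" maxSize=500 fileMode=circular overwrite=yes
}

function Stop-NetshCapture {
    # Stops the session and flushes the .etl file to disk.
    netsh trace stop
}

# Usage (pick one):
#   Start-NmcapChainCapture        # blocks until NMCap is stopped; prunes old chain files meanwhile
#   Start-NetshCapture; <reproduce the issue>; Stop-NetshCapture
```

Chain files plus the pruning loop give the long-running behaviour the page recommends without an unbounded disk footprint; the circular netsh capture is the fallback when nothing can be installed, with the trade-off that the trace must be stopped soon after the issue reproduces. Both outputs can be handed to SQL Network Analyzer, and the .etl is read with NETMON.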