
Collect a Network Trace

Malcolm Stewart edited this page Oct 22, 2020 · 56 revisions


Choosing a Capture Method

The main tools discussed here are NETMON and NETSH, though WireShark is a good alternative and is also available on Linux systems. If your company already has an approved or in-place capture tool, it is best to use that.

Depending on the scenario, some tools offer advantages over others.

Scenario: Easily reproducible issue
Recommendation: If the issue is reliably reproducible, capturing with the WireShark or NETMON GUI is the simplest method.

Scenario: Long-running capture
Recommendation: Use NMCAP or WireShark with chain files. A circular capture also works, but you have to stop it quickly after the problem occurs or the relevant frames are overwritten, so chain files are preferred. Monitor how much disk space the chain files take up and delete older files if the system runs low on storage; WireShark can limit the number of chain files it keeps, NMCAP cannot.

Scenario: Cannot install on the server
Recommendation: NETSH is built into every version of Windows since Windows 7 and Windows Server 2008 R2, so you can capture a trace without installing another tool. (NMCAP, by contrast, is installed with NETMON and is not present on a bare server.)

Scenario: WinSock details
Recommendation: With SCENARIO=NETCONNECTION, NETSH also logs WinSock and other low-level TCP events to the capture file.

Scenario: Linux or macOS systems
Recommendation: Use WireShark, or any other capture tool that writes PCAP or another format WireShark can open.

Note: Chain files are additional files generated once the capture has recorded a predetermined amount of data. Instead of having 6GB in a single file, which most tools won't open, you could have 12 x 500MB or 30 x 200MB capture files. SQL Network Analyzer can analyze all the chained trace files at once as if they were a single larger file. The report will tell you which file the issue is in, and the smaller files open and filter a lot more quickly than the larger files.

Note: To read NETSH files (.etl), you need to use NETMON; WireShark does not open them directly. Microsoft's etl2pcapng tool (https://github.com/microsoft/etl2pcapng) can convert the packets in an ETL trace to pcapng for WireShark, but only the packets survive the conversion, not the WinSock/scenario events.

Note: Do not capture to the SQL Server data disk. Do not capture to a network share. If possible, avoid capturing to the C: drive as it could impact paging performance, etc.

Note: You must run the application or command prompt "As Administrator" in order to perform a packet capture. To analyze a captured file, you can run as an ordinary user.

Download Locations

Tool        Download Location
NETMON      http://www.microsoft.com/en-us/download/details.aspx?id=4865 (perform a complete install; NMCAP is part of it)
WireShark   www.wireshark.org
NETSH       Built into Windows 7 and Windows Server 2008 R2 and later.

Sample NETSH Commands

Note: NETSH must be run from the Admin command prompt.
Note: NETSH does not allow for chained captures.
Note: Unless explicitly specified, the trace file ends up in %LocalAppData%\temp\NetTraces\NetTrace.etl
Note: Using the SCENARIO=NETCONNECTION command-line option results in a CAB file with the ETL trace file in it, plus some other files containing the basic network configuration of the machine.

Description                         Command
Stops the capture                   NETSH TRACE STOP
Shows if a trace is running         NETSH TRACE SHOW STATUS
Basic capture, unlimited growth     NETSH TRACE START CAPTURE=YES MAXSIZE=0
Capture with socket events          NETSH TRACE START SCENARIO=NETCONNECTION CAPTURE=YES TRACEFILE=c:\temp\%computername%.etl

NETSH TRACE STOP
Stops the capture. Some post processing must be performed and may take a minute or two, so do not close the window until the command prompt appears again.

NETSH TRACE SHOW STATUS
Displays whether a capture is running or not.

NETSH TRACE START CAPTURE=YES MAXSIZE=0
Basic capture with unlimited growth. The CAPTURE=YES argument must be specified for packet capture to occur.

NETSH TRACE START SCENARIO=NETCONNECTION CAPTURE=YES TRACEFILE=c:\temp\%computername%.etl
Capture with socket events, writing to an explicitly specified capture file (the folder must already exist).

NETSH TRACE START SCENARIO=NETCONNECTION CAPTURE=YES TRACEFILE=c:\temp\%computername%.etl FILEMODE=CIRCULAR MAXSIZE=2048 PACKETTRUNCATEBYTES=250
Capture with socket events, circular file mode and a maximum file size of 2GB (MAXSIZE is in MB). PACKETTRUNCATEBYTES drops the data portion of each packet beyond the stated length; that data is generally not needed for network-layer analysis, so the file holds more frames. NETSH stores a larger per-frame header than other capture formats, so do not truncate much below the value suggested here or you will lose the protocol headers you need.

NETSH TRACE START CAPTURE=YES IPv4.Address=10.10.10.10 Protocol=!DNS MAXSIZE=0
Using a filter to limit what packets are recorded. Note the use of '=' instead of '==' in the filter. For more help on filtering options: NETSH TRACE SHOW CAPTUREFILTERHELP
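The NETSH commands above are normally typed by hand. As an added example that is not part of this wiki, the PowerShell below wraps them with the checks from the notes earlier on this page: it refuses to start unless the prompt is elevated, refuses a network share, warns if the target is the system drive, checks free space, refuses to start a second session, and writes to an explicitly chosen folder with the computer name and a timestamp in the file name. The default folder, the 10 GB free-space floor, and the assumption that `netsh trace show status` prints a line containing "no trace session" when nothing is running are mine, not the page's.

```powershell
# Added example (not from the wiki): NETSH TRACE wrapper with the page's pre-flight checks.
# Assumptions: -TraceFolder is on a volume that holds neither the page file nor SQL Server
# data/log files (the script can only warn about the system drive); "netsh trace show status"
# prints a line containing "no trace session" when nothing is running (observed wording,
# treat as an assumption and adjust the -match if your build differs).

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-SqlNetTrace {
    param(
        [string]$TraceFolder = 'D:\Traces',   # assumption: a non-system, non-data volume
        [int]$MaxSizeMB = 2048,               # 0 = unlimited growth (MAXSIZE=0)
        [int]$TruncateBytes = 0,              # e.g. 250 to keep headers only (PACKETTRUNCATEBYTES)
        [switch]$SocketEvents,                # adds SCENARIO=NETCONNECTION
        [int]$MinFreeGB = 10
    )
    if (-not (Test-IsAdministrator)) {
        throw 'NETSH TRACE START needs an elevated ("Run as Administrator") prompt.'
    }
    $status = & netsh trace show status
    if (-not ($status -match 'no trace session')) {
        throw "A NETSH trace is already running; stop it first:`n$($status -join "`n")"
    }

    # Never capture to the SQL data disk or a share; at least warn about the system drive.
    $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($TraceFolder))      # e.g. D:\
    if ($root -like '\\*') { throw "Refusing to capture to a network share ($root)." }
    if ($root -ieq "$env:SystemDrive\") {
        Write-Warning "Capturing to the system drive ($root) can hurt paging; use another volume if possible."
    }
    $free = (Get-PSDrive -Name $root.Substring(0, 1)).Free
    if ($free -lt $MinFreeGB * 1GB) {
        throw ("Only {0:N1} GB free on {1}; need at least {2} GB." -f ($free / 1GB), $root, $MinFreeGB)
    }

    New-Item -ItemType Directory -Path $TraceFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file  = Join-Path $TraceFolder ('{0}_{1}.etl' -f $env:COMPUTERNAME, $stamp)

    $netshArgs = @('trace', 'start', 'capture=yes', "tracefile=$file", "maxsize=$MaxSizeMB")
    if ($MaxSizeMB -gt 0)     { $netshArgs += 'filemode=circular' }   # wrap instead of stopping at MAXSIZE
    if ($TruncateBytes -gt 0) { $netshArgs += "packettruncatebytes=$TruncateBytes" }
    if ($SocketEvents)        { $netshArgs += 'scenario=netconnection' }

    & netsh $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)." }
    return $file
}

function Stop-SqlNetTrace {
    # Post-processing can take a minute or two; this call blocks until NETSH is done,
    # so do not close the window while it runs.
    & netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)." }
}

# Usage (elevated PowerShell):
#   $etl = Start-SqlNetTrace -SocketEvents -TruncateBytes 250
#   ... reproduce the problem ...
#   Stop-SqlNetTrace
#   $etl now names the trace; with SCENARIO=NETCONNECTION the .cab described above sits next to it.
```

Circular mode is only added when a size cap is given, so the MAXSIZE=0 "unlimited growth" form from the table above still works unchanged.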

Sample NMCAP Commands

Note: NMCAP gets installed with NETMON.
Note: NMCAP must be run from an Admin command prompt.

CTRL+C
Terminates the trace. Do not close the window until the command-prompt reappears. Doing so will prevent the frame table from being written and the file will contain no identifiable frame data. If you capture a chained trace and the last file is bad, closing the window too soon is usually the cause.

NMCAP /network * /capture /file c:\data\%computername%.cap /captureprocesses
Starts a basic non-chained capture to a named file and records process information (which process owns each conversation) along with the trace data.

NMCAP /network * /capture /file c:\data\%computername%.chn:100M
Starts a basic chained capture (note CHN file extension in the command) with multiple files of 100MB each.

NMCAP /network * /capture /file c:\data\%computername%.chn:100M /maxframelength 180
Starts a capture and truncates the frames to reduce the amount of storage required.

NMCAP /network * /capture /file c:\data\%computername%.chn:100M /maxframelength 180 /stopwhen /timeafter 240 min
Auto-stop after 4 hours.

NMCAP /network * /capture /file c:\data\%computername%.chn:100M /maxframelength 180 /stopwhen /time 3:00:00 PM 9/10/2020
Auto-stop at a stated time and date.

NMCAP /network * /startwhen /time 3:00:00 AM 9/10/2016 /capture /file c:\data\%computername%.chn:100M /stopwhen /timeafter 120Min
Auto-start at 3 AM and stop 2 hours later.

NMCAP /network * /capture (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /file NoNoise.cap
Filter out noise packets (ARP, ICMP, NetBIOS name service, Browser) that are usually not of interest.

NMCAP /network * /capture contains(.Property.Description, "Continuation") /File TCPContinuations.cap
Filter on words in the frame description.

NMCAP /network * /startwhen /frame tcp.flags.syn==true and ipv4.address==10.10.10.10 /capture /file c:\data\%computername%.chn:100M /stopwhen /frame (tcp.flags.fin==true or tcp.flags.reset==true) and ipv4.address==10.10.10.10
Start and stop the capture on a filter condition.

Note: In Auto-start scenarios, NMCAP will begin capturing immediately, but will throw away packets until the capture start condition is met.
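For a long-running chained capture, the note above on chain files points out that NMCAP does not limit how many it produces. The PowerShell below is an added example, not code from this wiki: it starts the chained capture in its own window (so CTRL+C there still lets NMCAP write the frame table) and then prunes the oldest chain files on a timer, always keeping the newest ones so the file NMCAP is still writing is never touched. It assumes nmcap.exe is on the PATH, that chain files are named `<base>.cap`, `<base>(1).cap`, `<base>(2).cap` and so on as in the /inputcapture example further down, and the default folder, chunk size and keep count are my placeholders.

```powershell
# Added example (not from the wiki): long-running NMCAP chained capture with a pruning loop,
# because NMCAP does not limit the number of chain files it produces.
# Assumptions: nmcap.exe is on PATH (a complete NETMON 3.4 install puts it under
# "%ProgramFiles%\Microsoft Network Monitor 3"); chain files are named
# <base>.cap, <base>(1).cap, <base>(2).cap ... as in the wiki's /inputcapture example;
# the most recently written file is the one NMCAP is still writing and must not be deleted.

function Start-ChainedCapture {
    param(
        [string]$Folder = 'D:\Traces',        # assumption: not the SQL data disk, not a share
        [string]$BaseName = $env:COMPUTERNAME,
        [string]$ChunkSize = '100M',
        [int]$MaxFrameLength = 180            # truncate payloads to save space
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $chain = "$Folder\$BaseName.chn:$ChunkSize"
    # Separate console window: CTRL+C there lets NMCAP finish the last file cleanly.
    Start-Process -FilePath 'nmcap.exe' -PassThru -ArgumentList @(
        '/network', '*', '/capture',
        '/file', "`"$chain`"",
        '/maxframelength', $MaxFrameLength
    )
}

function Remove-OldChainFiles {
    param([string]$Folder, [string]$BaseName, [int]$Keep = 20)
    $pattern = '^' + [regex]::Escape($BaseName) + '(\(\d+\))?\.cap$'
    $old = @(Get-ChildItem -Path $Folder -File |
             Where-Object { $_.Name -match $pattern } |
             Sort-Object LastWriteTime -Descending |
             Select-Object -Skip $Keep)           # the newest $Keep survive, live file included
    foreach ($f in $old) { Remove-Item -LiteralPath $f.FullName -Force }
    return $old.Count
}

function Invoke-PrunedCapture {
    param([string]$Folder = 'D:\Traces', [int]$Keep = 20, [int]$IntervalSec = 60)
    $proc = Start-ChainedCapture -Folder $Folder
    # Do not kill nmcap from here: that loses the frame table of the last file.
    # Stop it with CTRL+C in its own window (or /stopwhen); this loop then ends by itself.
    while (-not $proc.HasExited) {
        Start-Sleep -Seconds $IntervalSec
        $n = Remove-OldChainFiles -Folder $Folder -BaseName $env:COMPUTERNAME -Keep $Keep
        if ($n -gt 0) { Write-Host "Pruned $n old chain file(s) from $Folder" }
    }
}

# Usage (elevated PowerShell): Invoke-PrunedCapture -Folder 'D:\Traces' -Keep 30
```

Keep count times chunk size is the disk budget (30 x 100MB = 3GB here); size it so the window of retained traffic comfortably covers the time between the problem occurring and someone stopping the capture.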

Using NMCAP to Extract a Conversation

NMCAP can also be used to process existing files, such as joining several captures into one file or splitting a large file into several smaller files.

NMCAP /inputcapture mytrace.cap /capture ipv4.address==10.10.10.10 AND tcp.port==1433 /file filteredoutput.cap
Extract a single conversation from a larger file.

NMCAP /inputcapture mytrace.cap mytrace(1).cap mytrace(2).cap /capture ipv4.address==10.10.10.10 AND tcp.port==1433 /file filteredoutput.cap
Extract a single conversation spread over several chained files into a single file. Unfortunately, wildcards are not supported by the inputcapture switch.

NMCAP /inputcapture mybigtrace.cap /capture /file mysmallfiles.chn:100M
Split a large file into several smaller files.
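Because /inputcapture takes no wildcards, the file list has to be built by hand. The PowerShell below is an added example, not code from this wiki: it enumerates the chain files for a base name, orders them numerically (a plain name sort puts `host(10).cap` before `host(2).cap`, which would scramble the conversation), and hands the ordered list to NMCAP to extract one conversation. It assumes nmcap.exe is on the PATH and the chain naming shown in the examples above; the address, port and output file are parameters with placeholder defaults.

```powershell
# Added example (not from the wiki): build the /inputcapture list for a set of chain files in
# numeric order and extract a single conversation from all of them at once.
# Assumptions: nmcap.exe on PATH; chain naming <base>.cap, <base>(1).cap, <base>(2).cap ...
# as in the wiki examples; the defaults below are placeholders.

function Get-ChainFilesInOrder {
    param([string]$Folder, [string]$BaseName)
    $pattern = '^' + [regex]::Escape($BaseName) + '(?:\((?<n>\d+)\))?\.cap$'
    Get-ChildItem -Path $Folder -File |
        Where-Object { $_.Name -match $pattern } |
        Sort-Object {
            # <base>.cap has no index and sorts first; the rest sort by their numeric suffix
            $m = [regex]::Match($_.Name, $pattern)
            if ($m.Groups['n'].Success) { [int]$m.Groups['n'].Value } else { 0 }
        } |
        Select-Object -ExpandProperty FullName
}

function Export-SqlConversation {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$BaseName,
        [Parameter(Mandatory)][string]$Address,   # client or server IPv4 address
        [int]$Port = 1433,
        [string]$OutFile = 'filteredoutput.cap'
    )
    $inputs = @(Get-ChainFilesInOrder -Folder $Folder -BaseName $BaseName)
    if ($inputs.Count -eq 0) { throw "No chain files named $BaseName*.cap in $Folder" }
    $filter = "ipv4.address==$Address AND tcp.port==$Port"
    Write-Host ("Processing {0} file(s) in order:`n  {1}" -f $inputs.Count, ($inputs -join "`n  "))
    # PowerShell expands the array into one argument per file, as /inputcapture expects.
    & nmcap /inputcapture $inputs /capture $filter /file $OutFile
    if ($LASTEXITCODE -ne 0) { throw "nmcap failed (exit code $LASTEXITCODE)." }
    return $OutFile
}

# Usage:
#   Export-SqlConversation -Folder 'D:\Traces' -BaseName $env:COMPUTERNAME -Address 10.10.10.10 -OutFile 'D:\Traces\one-conversation.cap'
```

Reading a capture needs no elevation, so this can run as an ordinary user on the analysis machine.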
