Collect a Network Trace
The main tools we will be discussing are NETMON and NETSH, though Wireshark is a good alternative and is also available on Linux systems. Your company may already have a preferred capture tool approved or in place; if so, it is best to use that.
Depending on the scenario you want, different tools may offer some advantages over other tools.
Easily Reproducible Issue: If the issue is reliably reproducible, capturing with the Wireshark or NETMON GUI is a relatively simple method.
Long-Running Capture: Use NMCAP or Wireshark with chain files. You can also use a circular capture, but you have to terminate the capture quickly to prevent relevant data from being overwritten. Chain files are preferred. You may have to monitor how much disk space they take up and delete older files if your system is low on storage. Wireshark can limit the number of chain files; NMCAP does not.
Cannot Install On the Server: NMCAP is installed on every version of Windows since 2008 R2. You can capture a trace without having to install another tool.
Winsock Details: By using SCENARIO=NETCONNECTION, NETSH will also log WinSock and other low-level TCP events to the capture file.
Linux or Mac Systems: You can use Wireshark on these systems, or any other capture tool that writes the PCAP format or another format that Wireshark can open.
Note: Chain files are additional files generated once the capture has recorded a predetermined amount of data. Instead of having 6GB in a single file, which most tools won't open, you could have 12 x 500MB or 30 x 200MB capture files. SQL Network Analyzer can analyze all the chain trace files at once as if they were a single larger file. The report will tell you which file the issue is in, and the smaller files open and filter a lot more quickly than the larger files.
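Because NMCAP does not cap the number of chain files, a long-running capture can quietly fill the disk. The following PowerShell script is an added example (not part of this wiki or the SQL Network Analyzer project) that keeps a chain-file folder under a size budget by deleting the oldest files, never touching the newest one, which is the file still being written. The folder `D:\Traces`, the file pattern `sqltrace*.cap` and the 20 GB budget are assumed values; the pattern assumes NMCAP was started with a `.chn` target such as `nmcap /network * /capture /file D:\Traces\sqltrace.chn:500M`, which is how NMCAP produces numbered `.cap` chain files.

```powershell
# Added example: prune the oldest NMCAP chain files once a folder exceeds a budget.
# Assumed values: D:\Traces (off the SQL data disk and off C:), sqltrace*.cap, 20 GB.
param(
    [string]$TraceDir    = 'D:\Traces',
    [string]$Pattern     = 'sqltrace*.cap',
    [long]  $BudgetGB    = 20,
    [int]   $IntervalSec = 60
)

$budgetBytes = $BudgetGB * 1GB

while ($true) {
    # Newest first. The newest file is the one NMCAP is currently writing, so it is never a candidate.
    $files = @(Get-ChildItem -Path $TraceDir -Filter $Pattern -File |
               Sort-Object LastWriteTime -Descending)
    $total = ($files | Measure-Object Length -Sum).Sum
    if (-not $total) { $total = 0 }

    # Oldest first among everything except the active file; delete until under budget.
    $candidates = $files | Select-Object -Skip 1 | Sort-Object LastWriteTime
    foreach ($f in $candidates) {
        if ($total -le $budgetBytes) { break }
        Write-Host ("{0:u} pruning {1} ({2:N0} MB)" -f (Get-Date), $f.Name, ($f.Length / 1MB))
        Remove-Item -LiteralPath $f.FullName -Force
        $total -= $f.Length
    }

    Write-Host ("{0:u} {1} file(s), {2:N1} GB used of {3} GB budget" -f `
        (Get-Date), $files.Count, ($total / 1GB), $BudgetGB)
    Start-Sleep -Seconds $IntervalSec
}
```

Run it in a second window alongside NMCAP and stop it with Ctrl+C once the capture is done. Deleting by age means that, if the issue occurred some time ago, the file containing it may already be gone; stop the capture promptly after a repro, just as with a circular capture.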
Note: To read NETSH files, you need to use NETMON.
Note: Do not capture to the SQL Server data disk. Do not capture to a network share. If possible, avoid capturing to the C: drive as it could impact paging performance, etc.
NETMON: http://www.microsoft.com/en-us/download/details.aspx?id=4865. Perform a complete install.
Wireshark: www.wireshark.org
NETSH: Built into Windows 7 and Windows 2008 R2 and later.
### Sample NETSH Commands
Note: NETSH must be run from the Admin command prompt.
Note: NETSH does not allow for chained captures.
Note: Unless explicitly specified, the trace file ends up in %LocalAppData%\temp\NetTraces\NetTrace.etl
Note: Using the SCENARIO=NETCONNECTION command-line option results in a CAB file containing the ETL trace file plus some other files describing the basic network configuration of the machine.
NETSH TRACE STOP
Stops the capture. Some post processing must be performed and may take a minute or two, so do not close the window until the command prompt appears again.
NETSH TRACE SHOW STATUS
Displays whether a capture is running or not.
NETSH TRACE START CAPTURE=YES MAXSIZE=0
Basic capture with unlimited growth. The CAPTURE=YES argument must be specified for packet capture to occur.
NETSH TRACE START SCENARIO=NETCONNECTION CAPTURE=YES TRACEFILE=c:\temp\%computername%.etl
Capture with socket events and explicitly specifies a location for the capture file.
NETSH TRACE START SCENARIO=NETCONNECTION CAPTURE=YES TRACEFILE=c:\temp\%computername%.etl FILEMODE=CIRCULAR MAXSIZE=2048 PACKETTRUNCATEBYTES=250
Capture with socket events, circular capture and a maximum file size of 2GB. PACKETTRUNCATEBYTES discards the data portion of each packet, which is generally not required, so the file can hold more frames. I would generally advise not to set the lower limit on the capture size below 180 as it can result in difficulties identifying what is going on.
NETSH TRACE START CAPTURE=YES IPv4.Address=10.10.10.10 Protocol=!DNS MAXSIZE=0
Using a filter to limit what packets are recorded. Note the use of '=' instead of '==' in the filter. For more help on filtering options: NETSH TRACE SHOW CAPTUREFILTERHELP
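The commands above are usually typed one at a time; the following PowerShell script is an added example (not part of this wiki or the SQL Network Analyzer project) that strings them into one workflow with the safeguards the notes call for: it refuses to run unelevated, refuses a network share, warns about C:, keeps PACKETTRUNCATEBYTES at or above 180, checks that no trace is already running, starts a circular SCENARIO=NETCONNECTION capture with an explicit TRACEFILE, and stops it after the repro. The folder `D:\Traces`, the 2GB limit, the 250-byte truncation and the address `10.10.10.10` are assumed values; the "no trace session" text matched against `netsh trace show status` is the expected English output and is also an assumption.

```powershell
# Added example: run a NETSH packet capture with the options this page recommends.
# Assumed values: D:\Traces, 2048 MB circular buffer, 250-byte truncation, optional filter.
param(
    [string]$TraceDir      = 'D:\Traces',   # not the SQL data disk, not a share, ideally not C:
    [int]   $MaxSizeMB     = 2048,
    [int]   $TruncateBytes = 250,           # the page advises not going below 180
    [string]$ServerIPv4    = '',            # e.g. '10.10.10.10' to keep only that address
    [switch]$ExcludeDns                     # adds Protocol=!DNS
)

# 1. NETSH must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell window.'
}

# 2. Apply the capture-location and truncation rules from the notes.
if ($TruncateBytes -lt 180) { throw 'PACKETTRUNCATEBYTES below 180 makes the trace hard to interpret.' }
if ($TraceDir -like '\\*')  { throw 'Do not capture to a network share.' }
if ($TraceDir -like 'C:*')  { Write-Warning 'Capturing to C: can impact paging performance.' }

# 3. NETSH allows only one trace session; check before starting.
$status = (& netsh trace show status) -join "`n"
if ($status -notmatch 'no trace session') { throw "A trace is already running:`n$status" }

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
$traceFile = Join-Path $TraceDir "$env:COMPUTERNAME.etl"   # same as %computername%.etl in CMD

# 4. Build the argument list. Capture filters use '=' rather than '=='.
$netshArgs = @(
    'trace', 'start',
    'scenario=netconnection',          # also logs WinSock / low-level TCP events
    'capture=yes',                     # required, otherwise no packets are recorded
    "tracefile=$traceFile",
    'filemode=circular',
    "maxsize=$MaxSizeMB",
    "packettruncatebytes=$TruncateBytes",
    'overwrite=yes'
)
if ($ServerIPv4) { $netshArgs += "IPv4.Address=$ServerIPv4" }
if ($ExcludeDns) { $netshArgs += 'Protocol=!DNS' }

Write-Host "netsh $($netshArgs -join ' ')"
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# 5. Reproduce, then stop. NETSH post-processes for a minute or two; do not close
#    the window until it returns to the prompt.
Read-Host 'Reproduce the issue now, then press Enter to stop the trace' | Out-Null
& netsh trace stop
Write-Host "Trace written to $traceFile (SCENARIO=NETCONNECTION also produces a .cab beside it). Open it with NETMON."
```

Because the capture is circular, stop it as soon as the issue has reproduced; otherwise the 2GB window can roll past the relevant frames. Use `-ServerIPv4 10.10.10.10 -ExcludeDns` to reproduce the filtered example from the last command above.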