Extensible Switch Unified Tracing in Hyper-V 3.0: netsh

While I was building a demo/lab for network virtualization, I wanted to see what is going on behind the scenes in the virtual switch. One of the features of Hyper-V is unified tracing. Windows 2012 has new netsh parameters that can capture physical traffic, virtual machine traffic, and traffic that traverses the Hyper-V virtual switch.

netsh:

netsh is a built-in command line utility in Windows (Vista and later) with network tracing capability. With netsh you do not need to install anything; it can provide persistent tracing, circular logging, and a cab file (the trace plus other network related information), and tracing can be scenario based.

Basic syntax: netsh trace

start: Starts a trace session

stop: Stops a trace session

capture=yes: Turns on raw network capture from NDIS

provider=ProviderName: Enables tracing for a specific provider

show providers: Shows a list of providers

scenario=ScenarioName: Enables tracing for a specific scenario

show scenarios: Shows a list of scenarios

netsh trace show scenarios

Available scenarios (13):
——————————————————————-
AddressAcquisition       : Troubleshoot address acquisition-related issues
AddressAcquisitionServer : Troubleshoot address acquisition server related issues
DirectAccess             : Troubleshoot DirectAccess related issues
FileSharing              : Troubleshoot common file and printer sharing problems
InternetClient           : Diagnose web connectivity issues
InternetServer           : Set of HTTP service counters
L2SEC                    : Troubleshoot layer 2 authentication related issues
LAN                      : Troubleshoot wired LAN related issues
Layer2                   : Troubleshoot layer 2 connectivity related issues
NDIS                     : Troubleshoot network adapter related issues
NetConnection            : Troubleshoot issues with network connections
WFP-IPsec                : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN                     : Troubleshoot wireless LAN related issues

Providers in Windows 2012 can be listed with:

netsh trace show providers


Enough for netsh : )

Hyper-V Virtual Switch Extensions:

Extensions are NDIS filters or Windows Filtering Platform (WFP) providers. There are three types of extensions:

        1. Capture extensions: inspect traffic and can generate new packets, but cannot modify it
        2. Filtering extensions: inspect, drop, modify, and insert packets (Windows Filtering Platform (WFP); for example, Windows Firewall)
        3. Forwarding extensions: forward packets, and can also capture and filter traffic

Hyper-V Virtual Switch Extension Cmdlets:

Get-VMSwitch
Get-VMSwitchExtension -VMSwitchName switchName
Enable-VMSwitchExtension -VMSwitchName switchName -Name extensionName
Disable-VMSwitchExtension -VMSwitchName switchName -Name extensionName
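As an added example (not part of the original post), the cmdlets above can be combined into a short inventory-and-enable script that also verifies the result, since an extension can be enabled yet not running if its driver failed to load. The switch name LabSwitch is an assumed value; the extension name is the built-in WFP filtering extension that ships with the Hyper-V switch.

```powershell
# Added example, not from the original post. Assumed names: a switch called
# "LabSwitch" and the built-in "Microsoft Windows Filtering Platform" extension.
$switchName    = 'LabSwitch'
$extensionName = 'Microsoft Windows Filtering Platform'

# Inventory: every virtual switch with each extension's type (Capture/Filter/Forwarding)
# and whether it is enabled and actually running
Get-VMSwitch | ForEach-Object {
    $sw = $_
    Get-VMSwitchExtension -VMSwitchName $sw.Name |
        Select-Object @{ n = 'Switch'; e = { $sw.Name } }, Name, ExtensionType, Enabled, Running
} | Format-Table -AutoSize

# Enable the extension on the chosen switch, then read its state back
Enable-VMSwitchExtension -VMSwitchName $switchName -Name $extensionName | Out-Null
$ext = Get-VMSwitchExtension -VMSwitchName $switchName -Name $extensionName

# Enabled is the configuration; Running is the live state. Fail loudly if they disagree.
if (-not ($ext.Enabled -and $ext.Running)) {
    throw "Extension '$extensionName' on '$switchName': Enabled=$($ext.Enabled) Running=$($ext.Running)"
}
"Extension '$extensionName' is enabled and running on '$switchName'"
```

Run it from an elevated PowerShell session on the Hyper-V host; the Enabled/Running distinction is the check worth keeping when you script extension changes across several hosts.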

Capturing packets and events:

Windows Network Virtualization events:
Netsh trace start provider=Microsoft-windows-wnv level=5
Levels:

1 - Critical: only critical events

2 - Errors: critical events and errors

3 - Warnings: critical events, errors, and warnings

4 - Informational: critical events, errors, warnings, and informational events

5 - Verbose: all events

Virtual switch events and packets:
Netsh trace start provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
To capture both Virtual Switch and Network Virtualization Events:
Netsh trace start provider=Microsoft-windows-wnv level=5 provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch

After reproducing the issue, stop the trace with netsh trace stop command.

Convert the ETL file to text:
netsh trace convert input=file_name.etl
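The whole start, reproduce, stop, convert sequence described above, as an added example script (not from the original post) for an elevated PowerShell prompt on the Hyper-V host. The output directory C:\Traces is a constructed path; the tracefile, maxsize and overwrite parameters are standard netsh trace start options used here so the trace lands in a known location and does not grow without bound.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on the
# Hyper-V host and a writable output directory (C:\Traces is a constructed path).
$traceDir = 'C:\Traces'
New-Item -ItemType Directory -Path $traceDir -Force | Out-Null
$etl = Join-Path $traceDir 'vmswitch.etl'
$txt = [System.IO.Path]::ChangeExtension($etl, '.txt')

# Start: WNV events at level 5 plus vSwitch events, with raw packet capture at the switch.
# maxsize is in MB; netsh keeps the file circular once it reaches that size.
netsh trace start provider=Microsoft-windows-wnv level=5 `
    provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch `
    tracefile="$etl" maxsize=256 overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

# Reproduce the problem while the trace is running
Read-Host 'Reproduce the issue now, then press Enter to stop the trace'

# Stop: this is also the step that writes the .cab with the environment information
netsh trace stop
if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }

# Convert the ETL to a plain text dump for quick inspection without Network Monitor
netsh trace convert input="$etl" output="$txt" dump=TXT

# Expect one .etl, one .cab and one .txt in the directory
Get-ChildItem -Path $traceDir | Select-Object Name, Length, LastWriteTime
```

Keep the .etl as well as the .txt: the text dump is convenient for searching, but the packet payloads and full parser output are only available when the .etl is opened in Network Monitor.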

Once the trace is stopped, you will see one .etl file, one .cab file, and, if converted, one text file in the directory.

The cab file includes:

adapterinfo.txt
allcred.reg.txt
allcredfilter.reg.txt
dns.txt
envinfo.txt
filesharing.txt
gpresult.txt
neighbors.txt
netevents.xml
neteventslog.txt
netiostate.txt
networkprofiles.reg.txt
notif.reg.txt
osinfo.txt
report.etl
report.html
sysports.xml
sysportslog.txt
tempfile.txt
wcninfo.txt
wfpfilters.xml
wfplog.log
wfpstate.xml
wfpstatelog.txt
windowsfirewallconfig.txt
windowsfirewallconseclog.evtx
windowsfirewallconseclogverbose.evtx
windowsfirewallconseclogverbose_1033.mta
windowsfirewallconseclog_1033.mta
windowsfirewalleffectiverules.txt
windowsfirewalllog.evtx
windowsfirewalllogverbose.evtx
windowsfirewalllogverbose_1033.mta
windowsfirewalllog_1033.mta
winsockcatalog.txt

Converted txt file: [screenshot]

Trace files can be viewed in Network Monitor (netmon). After opening the trace file, go to Tools > Options, click Parser Profiles, right-click the Windows profile and choose Set As Active; this enables the full parsers.

Netmon parsers: http://nmparsers.codeplex.com/

Bulent Tolu


Bulent is an IT professional with a Master's in MIS and 10 years of experience in a broad range of information technologies. He has been exposed to engineering/architecting, implementation/integration, and administration of various highly available IT systems and infrastructure. He has a passion for continually researching, testing and evaluating new technologies and following industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Cloud Computing and Virtualization Consultant. He has diverse knowledge of and interest in virtualization and cloud computing.

:: VMware Certified Advanced Professional 5
Data Center Administration (VCAP5-DCA)
:: VTSP (VMware Certified Technical Sales Professional 5)
:: MCSE(Microsoft Certified Solutions Expert) – Private Cloud 2012
:: CCEE(Citrix Certified Enterprise Engineer)

One Comment

  1. [...] It is also possible to create a netsh trace to see the packets. I will write about this in another post. It is here: [...]