ETW trace output from WFP

  • Question

  • I suppose there are trace providers coming from WFP (tcpip.sys/netio.sys). If so what would be the easiest way to collect such traces? I am exclusively interested in info pertinent to Win7.


    Thanks!

    Tuesday, June 8, 2010 10:40 PM

Answers

  • You can use logman.exe query providers to see the available providers on the machine. For WFP you would use the Microsoft-Windows-WFP provider. (Additionally you may be interested in Microsoft-Windows-TCPIP and Microsoft-Windows-Winsock-AFD.)

    To enable ETW tracing you execute the following for each provider:

       LogMan.Exe Start WFPSession -p Microsoft-Windows-WFP -o WFP.etl -ets

    Here is a sample cmd file I created to easily do this:

    @ECHO OFF
    
    :SoF
    
     REM Run with no argument to start the trace sessions.
     REM Run with STOP to stop them and convert the .etl files to XML.
     IF /I "%1" == "STOP" (
      goto :Stop)
    
    :Start
     REM Remove output from a previous run so each capture starts clean
     Del AFD.etl
     Del TCPIP.etl
     Del NDIS.etl
     Del WFP.etl
    
     Del Trace.XML
    
     REM One session per provider. -ets sends the command straight to the
     REM event trace session instead of creating a saved data collector set.
     LogMan.Exe Start AFDSession -p Microsoft-Windows-WinSock-AFD   -o AFD.etl -ets
     LogMan.Exe Start TCPIPSession -p Microsoft-Windows-TCPIP    -o TCPIP.etl -ets
     LogMan.Exe Start NDISSession -p {83ED54F0-4D48-4E45-B16E-726FFD1FA4AF} -o NDIS.etl -ets
     LogMan.Exe Start WFPSession -p Microsoft-Windows-WFP     -o WFP.etl -ets
    
     goto :EoF
    
    :Stop
    
     REM Stop all four sessions, then merge the .etl files into one XML report
     LogMan.Exe Stop AFDSession -ets
     LogMan.Exe Stop TCPIPSession -ets
     LogMan.Exe Stop NDISSession -ets
     LogMan.Exe Stop WFPSession -ets
    
     TraceRpt.Exe AFD.etl TCPIP.etl NDIS.etl WFP.etl -o Trace.XML -of XML
    
    :EoF

    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, June 9, 2010 2:14 AM
    Moderator
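Trace.XML from a session like the one above quickly grows to thousands of records, so the first triage step is usually a count of what was captured. The following Python script is an added example, not code from the thread or from Microsoft: it summarises a tracerpt XML export by provider, event ID and process ID and reports the capture window. It assumes tracerpt's -of XML output follows the Windows event XML schema (one <Event> element per record with System/Provider, EventID, TimeCreated and Execution children). The inline sample standing in for Trace.XML is constructed; its event IDs, GUID, PIDs, timestamps and EventData fields are made up and are not real WFP or TCPIP event definitions.

```python
"""Summarise an ETW trace exported with `tracerpt ... -o Trace.XML -of XML`."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace tracerpt uses for each <Event> in its XML output (Windows event schema).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return f"{{{EVT_NS}}}{tag}"


# Constructed sample standing in for Trace.XML. Provider names match the logman
# commands in the answer; event IDs, GUID, PIDs, timestamps and data fields are
# made up for illustration and are not real WFP/TCPIP event definitions.
SAMPLE_TRACE_XML = """<?xml version="1.0" encoding="utf-8"?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WFP" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>1001</EventID>
    <TimeCreated SystemTime="2010-06-09T02:14:00.000000100Z"/>
    <Execution ProcessID="4" ThreadID="100"/>
  </System>
  <EventData><Data Name="FilterId">7</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WFP" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>1001</EventID>
    <TimeCreated SystemTime="2010-06-09T02:14:01.000000200Z"/>
    <Execution ProcessID="4" ThreadID="100"/>
  </System>
  <EventData><Data Name="FilterId">9</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TCPIP" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>1300</EventID>
    <TimeCreated SystemTime="2010-06-09T02:14:03.000000400Z"/>
    <Execution ProcessID="1234" ThreadID="5678"/>
  </System>
  <EventData><Data Name="LocalPort">443</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WFP" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>1002</EventID>
    <TimeCreated SystemTime="2010-06-09T02:14:02.000000300Z"/>
    <Execution ProcessID="4" ThreadID="101"/>
  </System>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Return one dict per <Event>: provider, event_id, time, pid and EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(q("Event")):
        system = ev.find(q("System"))
        if system is None:
            continue  # malformed record: skip it rather than abort the whole report
        provider = system.find(q("Provider"))
        time_created = system.find(q("TimeCreated"))
        execution = system.find(q("Execution"))
        events.append({
            "provider": provider.get("Name", "<unknown>") if provider is not None else "<unknown>",
            "event_id": int(system.findtext(q("EventID"), "0")),
            "time": time_created.get("SystemTime", "") if time_created is not None else "",
            "pid": int(execution.get("ProcessID", "-1")) if execution is not None else -1,
            "data": {d.get("Name"): (d.text or "") for d in ev.iter(q("Data"))},
        })
    return events


def summarize(events):
    """Aggregate the counts a reviewer looks at first when triaging a capture."""
    times = sorted(e["time"] for e in events if e["time"])  # ISO-8601 strings sort chronologically
    return {
        "total": len(events),
        "by_provider": dict(Counter(e["provider"] for e in events)),
        "by_provider_event": dict(Counter((e["provider"], e["event_id"]) for e in events)),
        "by_pid": dict(Counter(e["pid"] for e in events)),
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
    }


if __name__ == "__main__":
    # Pass a real Trace.XML as bytes so the file's own encoding declaration is honoured.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TRACE_XML
    report = summarize(parse_events(raw))
    print(f"{report['total']} events between {report['first']} and {report['last']}")
    for (prov, eid), n in sorted(report["by_provider_event"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:6d}  {prov}  event {eid}")
    for pid, n in sorted(report["by_pid"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:6d}  PID {pid}")
```

Run it with the path to Trace.XML as the only argument; with no argument it reports on the constructed sample. The per-PID breakdown is the quickest way to spot which process generated most of the WFP and TCPIP activity during the capture window, and the per-event-ID breakdown tells you which provider keywords are worth narrowing to on the next run.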

All replies

  • WOW! I guess I received the red carpet treatment. THANKS!!!
    Wednesday, June 9, 2010 6:35 AM