Happy Monday everybody! Victor Zapata here again to share some network tracing and PowerShell love.
Like many of you, I’m frequently called on to troubleshoot issues that involve network connectivity of some sort. These issues can range from poor network performance to complete network failure… and almost always require collecting network traces on two or more computers simultaneously.
I still remember the days where collecting simultaneous network traces required installing network sniffer software on multiple computers along with the seemingly impossible task of coordinating various resources to start and stop the data collections at the same time. Oh boy… what a hassle!
Well we can happily put those sad days in our rear view mirror! Beginning in Windows 7/Windows Server 2008 R2, installation of network sniffer software is no longer necessary. Netsh functionality was extended in Windows 7/Windows Server 2008 R2 and is now capable of leveraging Event Tracing for Windows (ETW) to collect network trace data. If you’re not familiar with this functionality, check out Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7 on TechNet.
For this implementation, we will be using the following two commands to start and stop network tracing on Windows Servers & Clients.
To start network tracing: NETSH TRACE START CAPTURE=YES TRACEFILE=<PATH>\<FILENAME.etl>
To stop network tracing: NETSH TRACE STOP
NOTE: There are some scenarios where network connectivity is dropped briefly when starting a network trace session using Netsh.
Things get even better beginning with Windows Server 2012 and later because PowerShell remoting is enabled by default. Because of this, we can use PowerShell to start, stop and collect network trace data programmatically and all from a central location without having to do anything special.
Here are the prerequisites to get this working:
1. Windows Server 2008 R2 / Windows 7 or later
2. PowerShell Remoting must be enabled (“winrm quickconfig”)
3. Administrator rights on all target computers
4. Network connectivity to each target computer (Firewall allows PS Remoting)
The following is an example of how to script the network trace data collection. To keep things simple, no error handling is included in this example.
DISCLAIMER: The sample code described herein is provided on an "as is" basis, without warranty of any kind.
When the script runs, network traces are kicked off on all target computers using the computer’s name in the output file name. The tracing status should show as “Running” on each target.
NOTE: When collecting a series of traces (multiple traces in the same day) you may wish to ensure name uniqueness by adding something like the current time to the output file name. For example, the following will set the variable $TIMESTAMP with the current Month, Date, Year, Hours, Minutes and Seconds as a string value.