Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


December 2003

Inside Event Tracing for Windows

A little-known but useful subsystem

(Although this command appears on several lines here, you would enter it all on one line when you type it at the command line. The same holds true for the other multiline commands in this article.)

The Tracelog -start command creates a temporary logging session. When tracelog.exe creates a trace session, it enables, by default, four types of tracing: process creation and deletion, thread creation and deletion, network TCP/IP, and disk I/O. Because you want only TCP/IP tracing, the command includes the -noprocess, -nothread, and -nodisk parameters to disable process creation and deletion tracing, thread creation and deletion tracing, and disk I/O tracing, respectively. The -b parameter sets the trace buffer size to 128KB, and the -min and -max parameters specify the minimum and maximum number of buffers to allocate. The -f parameter tells tracelog.exe to send its binary output to the netfile.etl file in the perflogs folder.

Note that the Tracelog -start command creates and starts the logging session in one step. If you want to stop the logging, you simply type the command

tracelog -stop

In Windows 2003, Microsoft provides a better command-line utility called logman.exe that you can use to manage trace sessions. Unlike tracelog.exe, logman.exe lets you use nonsystem providers. (Unfortunately, logman.exe won't work on a Win2K machine.) Logman.exe has several useful features, including the ability to list the currently registered providers on a box. To use this feature, you type the command

logman query providers

You can use the information in the resulting list to enable a provider for a particular logging session. For example, suppose you want to use logman.exe to enable AD tracing on a Windows 2003 machine. After you use the Logman query command to obtain the name of the provider you want to use (in this case, Active Directory: Core), you need to create a logging session. Logman.exe provides a huge array of command-line parameters. If you want to keep the command simple and accept all the defaults, you can use the following command to create an AD tracing session:

logman create trace AD_trace
-o c:\perflogs 
-p "Active Directory: Core"

This command tells logman.exe to create a new trace logging session called AD_trace. The trace keyword preceding the session's name is necessary because you can also use logman.exe to create Performance Monitor sessions, which produce a different kind of log. The -o parameter tells logman.exe to place the binary output file in the perflogs folder. The -p parameter specifies the name of the provider to use. You can use either the provider's name or the provider's globally unique identifier (GUID).

To start the logging session, you type the command

logman start AD_trace

When you use logman.exe to create a trace logging session, the session appears in the Performance Logs and Alerts snap-in's UI. You can use the UI to modify, start, or stop the session.
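The article notes that -p accepts either the provider's name or its GUID. As an added example (not part of the original article), the Python code below parses a provider listing and builds the logman create trace arguments with the GUID, failing if the provider is not registered. The sample listing layout, its placeholder GUIDs, the session-name rule, and the helper names parse_providers and create_trace_args are assumptions made for illustration.

```python
import re

# Constructed sample of `logman query providers` output. The GUIDs are
# placeholders, not real provider GUIDs, and the layout is an assumption.
SAMPLE_LISTING = """\
Provider                                 GUID
-------------------------------------------------------------------------------
Active Directory: Core                   {00000000-0000-0000-0000-000000000001}
Example: Constructed Provider            {00000000-0000-0000-0000-000000000002}
Windows Kernel Trace                     {00000000-0000-0000-0000-000000000003}

The command completed successfully.
"""

# A provider row is a name, then whitespace, then a braced GUID at end of line.
ROW = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\s*$"
)

def parse_providers(listing):
    """Return {lowercased provider name: (name, GUID)} from the listing text."""
    providers = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and status lines do not match
            providers[m.group("name").lower()] = (m.group("name"), m.group("guid"))
    return providers

def create_trace_args(listing, session, provider, out_dir):
    """Build the argument list for `logman create trace`, passing the GUID to -p."""
    # Hypothetical local rule: keep session names to a conservative character set.
    if not re.fullmatch(r"[A-Za-z0-9_]+", session):
        raise ValueError("session name must be letters, digits or underscores")
    providers = parse_providers(listing)
    try:
        _, guid = providers[provider.lower()]
    except KeyError:
        raise LookupError(f"provider not registered: {provider!r}") from None
    # Returned as a list so it can go to subprocess.run without shell quoting.
    return ["logman", "create", "trace", session, "-o", out_dir, "-p", guid]

if __name__ == "__main__":
    print(create_trace_args(SAMPLE_LISTING, "AD_trace",
                            "active directory: core", r"c:\perflogs"))
```

On a real machine, the listing text would come from the output of logman query providers instead of SAMPLE_LISTING.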
