Windows Seven netsh trace command

Microsoft Windows [Version 6.1.7000]
(C) Copyright 2009 Microsoft Corp.

C:\Windows>netsh trace ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
convert        - Converts a trace file to an HTML report.
correlate      - Normalizes or filters a trace file to a new output file.
diagnose       - Start a diagnose session.
dump           - Displays a configuration script.
help           - Displays a list of commands.
show           - List interfaces, providers and tracing state.
start          - Starts tracing.
stop           - Stops tracing.

To view help for a command, type the command, followed by a space, and then
 type ?.

C:\Windows>netsh trace convert ?

convert

  Converts a trace file to an HTML report.

  Usage: convert [input=]tracefilename.etl [[output=]filename] 
          [[dump=]CSV|XML|EVTX|TXT|No] [[report=]yes|no]
          [[overwrite=]yes|no] [[tmfpath=]pathname] 

  Parameters: 

    Tag             Value 
    input         - Input ETL trace file 
    output        - Output file name (defaults to input name) 
    dump          - Output format (default = TXT)
    report        - Generates an HTML report (default = no) 
    overwrite     - Overwrites existing files (default = no) 
    tmfpath       - Path to tmf files for decoding WPP traces 

  Remarks: Converts the input ETL file to the specified format. 

C:\Windows>netsh trace correlate ?

correlate
  Normalizes or filters a trace file to a new output file.

  Usage: trace correlate [input=]tracefilename.etl
	[output=]newtracefilename.etl 
	[[filter=]Activity_ID] [[overwrite=]yes|no] 
	[[retaincorrelationevents=]yes|no] [[retainpii=]yes|no] [[retainglobalevents=]yes|no] 

  Parameters: 

	Tag                        Value 
	input                    - Input ETL trace file 
	output                   - Output file name 
	filter                   - Output only events related to this Activity GUID 
	overwrite                - Overwrites existing files 
	retaincorrelationevents  - Retains correlation events 
	retainpii                - Retains events containing personally identifiable information 
	retainglobalevents       - Retains global events 

  Defaults: 
	filter=none 
	overwrite=no 
	retaincorrevents=no 
	retainpii=yes 
	retainglobalevents=yes 
 
  Remarks: 
	Filter activity ID is a GUID expressed in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} 
	Personally identifiable information includes packet capture events 

C:\Windows>netsh trace diagnose ?

diagnose

  Starts a diagnose session.

  Usage: diagnose [scenario=]<scenarioname> [[namedAttribute=]<attributeValue>] 
          [[saveSessionTrace=]<yes|no>] [[report=]<yes|no>] [[capture=]<yes|no>] 

  Defaults:
      saveSessionTrace=no (defaults to 'yes' if report=yes is specified) 
      capture=no 
      report=no 

  Remarks: Starts a diagnose session 

C:\Windows>netsh trace dump ?

Usage: dump

Remarks: 
    Creates a script that contains the current configuration.  If saved to a
    file, this script can be used to restore altered configuration settings.

C:\Windows>netsh trace help ?

Usage: help

Remarks: 
       Displays a list of commands.

C:\Windows>netsh trace show ?

The following commands are available:

Commands in this context:
show CaptureFilterHelp - List supported capture filters and usage.
show globalKeywordsAndLevels - List global keywords and levels.
show helperclass - Show helper class information.
show interfaces - List available interfaces.
show provider  - Shows provider information.
show providers - Shows available providers.
show scenario  - Shows scenario information.
show scenarios - Shows available scenarios.
show status    - Shows tracing configuration.

C:\Windows>netsh trace show CaptureFilterHelp ?

show CaptureFilterHelp

  List supported capture filters and usage.

  Usage: trace show CaptureFilterHelp 

C:\Windows>netsh trace show globalKeywordsAndLevels ?

show globalKeywordsAndLevels

  Shows a list of global keywords and levels that may be used with the
  start command.

  Usage: trace show globalKeywordsAndLevels

C:\Windows>netsh trace show helperclass ?

show helperclass

  Shows helper class name, description and list of dependent helper classes. 
  This also lists possible root causes and repairs that may be returned by  
  the helper class. 

      Usage: trace show helperclass [name=]<helperclassname> 

C:\Windows>netsh trace show interfaces ?

show interfaces

  Shows a list of network interfaces.

  Usage: trace show interfaces

C:\Windows>netsh trace show provider ?

show provider

  Shows provider information that can be used with the start command.

      Usage: trace show provider [name=]<providerIdOrName>

      Remarks: This displays the keywords and levels that the specified 
           provider supports. These keywords and levels may be used 
           while starting a tracing session. 

C:\Windows>netsh trace show providers ?

show providers

  Shows a list of available providers that may be used with the start command.

C:\Windows>netsh trace show scenario ?

show scenario

  Shows scenario information.

      Usage: trace show scenario [name=]<scenarioname>

      Remarks: This displays additional information about a scenario including 
           any attributes that may be required by the 'diagnose command and 
           the list of providers that would be enabled for the specified 
           scenario, along with the default keywords and levels that would 
           be applied. 

C:\Windows>netsh trace show scenarios ?

show scenarios

  Shows a list of available scenarios that may be used with the start command.

C:\Windows>netsh trace show status ?

show status

  Shows tracing configuration.

C:\Windows>netsh trace start ?

start
  Starts tracing.

  Usage: trace start [[scenario=]<scenario1,scenario2>] 
	[[globalKeywords=]keywords] [[globalLevel=]level]
	[[capture=]yes|no] [[report=]yes|no]
	[[persistent=]yes|no] [[traceFile=]path\filename] 
	[[maxSize=]filemaxsize] [[fileMode=]single|circular|append] 
	[[overwrite=]yes|no] [[correlation=]yes|no|disabled] [capturefilters] 
	[[provider=]providerIdOrName] [[keywords=]keywordMaskOrSet]  
	[[level=]level] [[provider=]provider2IdOrName] 
	[[keywords=]keyword2MaskOrSet] [[level=]level2] ... 

Defaults: 
	capture=no (specifies whether packet capture is enabled
		in addition to trace events)
	report=no (specifies whether a complementing report will be generated
		along with the trace file)
	persistent=no (specifies whether the tracing session continues
		across reboots, and is on until netsh trace stop is issued)
	maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
	fileMode=circular
	overwrite=yes (specifies whether an existing trace output file will
		be overwritten)
	correlation=yes (specifies whether related events will be correlated
		and grouped together)
	traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
		(specifies location of the output file)

Provider keywords default to all and level to 255 unless otherwise specified.

For example:

netsh trace start scenario=InternetClient capture=yes

	Starts tracing for the InternetClient scenario and dependent providers
		with packet capture enabled.
	Tracing will stop when the "netsh trace stop" command is issued
		or when the system reboots.
	Default location and name will be used for the output file. If an old
		file exists, it will be overwritten.

netsh trace start provider=microsoft-windows-wlan-autoconfig
	keywords=state,ut:authentication

	Starts tracing for the microsoft-windows-wlan-autoconfig provider
	Tracing will stop when the "netsh trace stop" command is issued
		or when the system reboots.
	Default location and name will be used for the output file. If an old
		file exists, it will be overwritten.
	Only events with keyword 'state' or 'ut:authentication' will be logged.

	netsh trace show provider command can be used to display
		supported keywords and levels.

Capture Filters: 
	Capture filters are only supported when capture is explicitly
	enabled with capture=yes. Use 'netsh trace show CaptureFilterHelp'
	to display a list of supported capture filters and their usage.

C:\Windows>netsh trace stop ?

stop

  Stops tracing.

  Remarks: Stops a network tracing session currently in progress