Netlog
Other versions of this page are also available for the following:
.gif "A hyphen indicates that the information in this topic is not relevant for this platform, or that the platform does not support the API that is listed.")
.gif "A checkmark indicates that the information in this topic is relevant for this platform, and that any API listed is also supported on this platform.")
8/28/2008
Netlog is a sample tool that logs network traffic. It produces files that can be read by using the Microsoft Windows Network Monitor (NetMon) .Netlog has no arguments of its own, but is controlled by the Netlogctl sample command-line tool. For more information, see Netlogctl.
Remarks
A sample of the Netlog tool is in the %_WINDOWS%\public\oak\utils directory.
By default, the network traffic log is saved in the root directory on the target device in either Netlog0.cap or Netlog1.cap. When the current file is full, the log is continued in the other file.
This behavior prevents the device from running out of memory.
NDIS always tries to load Netlog when it is available. However, it is loaded in the stopped state by default. The following list shows best practices:
- If performance is critical, do not include Netlog in your image.
- If you want to debug the first few packets arriving in your system, you must modify Netlog.dll so that it will load in the started state.
Netlog settings can be adjusted using Netlogctl. The following example shows typical output produced by Netlog using the default settings.
Time # bytes captured FileName FileSize Contains
0 400k \netlog0.cap 400k 0 - 400k
1 700k \netlog0.cap 500k 0 - 500k
1 700k \netlog1.cap 200k 500k - 700k
2 1100k \netlog0.cap 100k 1.0M - 1.1M
2 1100k \netlog1.cap 500k 500k - 1.0M
If you use an intermediate driver, Netlog logs the packets twice. The first time is from the intermediate driver to the miniport.
Netlog logs network traffic for all adapters in the same file.
Netlog does not set the adapter to promiscuous mode before logging. Therefore, unicast packets that are directed to other machines are not logged.
Netlog logs both edges of Point-to-Point Protocol (PPP) packets, at the IP edge and the PPP edge. The IP edge is the edge of PPP that is next to TCP/IP, and the PPP edge is next to NDIS. Because there is no Media Access Control (MAC) frame at these edges, Netlog inserts its own MAC frame. The MAC address is changed, based on transmit (TX) and receive (RX). The following example shows typical output produced by Netlog when using PPP.
PPP/IP RX/TX MAC Dest MAC Src In Ascii
IP TX 54:78:20:40:50:20 20:6e:65:74:6c:67 Tx IP netlg
IP RX 52:78:20:40:50:20 20:6e:65:74:6c:67 Rx IP netlg
PPP TX 54:78:20:50:50:50 20:6e:65:74:6c:67 Tx PPP netlg
PPP RX 52:78:20:50:50:50 20:6e:65:74:6c:67 Rx PPP netlg
To enable the network monitor easily decode the stream, the PPP packet is converted to PPP over Ethernet (PPPoE) at the PPP edge.
If PPPoE is used, the following three packets are logged for each TX or RX:
- One IP frame with a fake MAC address.
- One PPPOE frame with a fake MAC address.
- One real PPPoE frame.