Techniques for Sifting Through the Data
Now that you know how to create event trace data, let's look at how you can transform that data into meaningful information. Microsoft provides a couple of command-line utilities for converting binary .etl files into usable data. The Win2K resource kit contains a utility called tracedmp.exe that lets you convert one or more .etl files into a .csv file that you can open in Microsoft Excel or another spreadsheet application for further analysis. Windows 2003 and XP include a command-line utility called tracerpt.exe. Both tracedmp.exe and tracerpt.exe are consumer applications within the ETW architecture. Although tracerpt.exe is part of Windows 2003 and XP, you can use this utility to process Win2K logs. Because tracerpt.exe includes some features not in tracedmp.exe, I recommend that you use tracerpt.exe whenever you need to process a Win2K trace log. However, Microsoft doesn't offer tracerpt.exe as a separate download. The only way you can obtain this utility is to purchase Windows 2003 or XP.
Note that if you run tracerpt.exe from a Windows 2003 or XP workstation but you're running the utility against a log created on Win2K server, tracerpt.exe might not be able to identify the transaction GUIDs registered on the Win2K server. Tracerpt.exe looks in the Windows Management Instrumentation (WMI) namespace on the machine on which it's running to determine the events to which a particular transaction GUID corresponds. If the machine on which you're generating the report doesn't have the same event trace providers as the machine on which you're running the trace, tracerpt.exe won't be able to get information about the events required to create the report files. Thus, if you're running tracerpt.exe against a log file created on a Win2K server that's logging AD information, I recommend that you run tracerpt.exe from a Windows 2003 domain controller (DC) that also has the AD providers registered in WMI.
Both tracedmp.exe and tracerpt.exe convert the binary .etl file into a .csv file. Both utilities also provide a text file that contains summary information about the logging session (e.g., the time it ran, how long it ran) and the events captured (i.e., each event's name, type, and number of occurrences as well as the GUID of the provider that created the event). However, tracedmp.exe creates the summary report automatically, whereas tracerpt.exe gives you the option to manually create it. Tracerpt.exe also gives you the option of creating a workload report. The workload report summarizes the processes and transactions traced during the logging session. For example, if you were monitoring process activity, the workload report would contain summary data on all processes that were running, the CPU time of each process, and the number of threads that each process used.
To use tracerpt.exe to generate a .csv file, summary report, and workload report from a binary log, you can use the command
tracerpt myfirstlog.etl mysecondlog.etl -o -summary -report
where myfirstlog.etl and mysecondlog.etl are the names of the .etl files you want to convert. For the -o, -summary, and -report parameters, you can specify filenames after each parameter. By default, if you don't provide a filename, tracerpt.exe creates the dumpfile.csv file for the detailed .csv file (the -o parameter), the summary.txt file for the summary report (the -summary parameter), and the workload.txt file for the workload report (the -report parameter). If you provide multiple .etl files as input, as I did in the example just given, tracerpt.exe concatenates the data in the .csv file, summary, and workload reports. The ability to combine reports is useful if you want to correlate data from multiple trace sessions taken within the same time frames. The version of tracerpt.exe that comes with Windows 2003 includes the ability to modify the output format of the summary and workload reports. You can generate XML, text, or HTML files.
The .csv file is the core output from a logging session. It contains each event that occurred during a session, the time it occurred, and the amount of kernel and user CPU time the event consumed. In addition, the .csv file contains any data associated with the transaction. For example, a Windows kernel network trace will include the following associated data: the TCP or UDP Send or Receive event (which shows the source and destination IP address and port) and the number of bytes exchanged. You can import .csv files into Excel to make them more readable, but the reality is that tracing sessions can generate a lot of data. Thus, you need a more focused approach to get value from them. Let's look at how you can use ETW in the real world.
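The "more focused approach" the article alludes to usually means scripting over the .csv rather than scrolling through it in Excel. The following is an added example, not code from the article or from Microsoft: it parses a tracerpt-style dumpfile.csv, totals event counts and kernel/user CPU time per event name and type, and, for TCP/UDP Send and Receive events, adds up the bytes exchanged per source and destination endpoint so the busiest conversations surface first. The column layout (Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms), User Data) and the order of the network fields inside User Data (source IP, destination IP, source port, destination port, byte count) are assumptions; check them against the header row of your own dumpfile.csv before relying on the output. The sample rows are constructed.

```python
"""Summarise a tracerpt-style dumpfile.csv (added example; layout is assumed)."""
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed tracerpt dumpfile.csv column layout.
# Network rows carry (assumed order): src IP, dst IP, src port, dst port, bytes.
SAMPLE_CSV = """Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms), User Data
EventTrace, Header, 0x00000A28, 127000000000000000, 0, 0, 
TcpIp, Send, 0x00000A28, 127000000000100000, 1, 0, 10.0.0.5, 10.0.0.9, 1025, 445, 1460
TcpIp, Recv, 0x00000A28, 127000000000200000, 0, 1, 10.0.0.9, 10.0.0.5, 445, 1025, 512
UdpIp, Send, 0x00000B10, 127000000000300000, 0, 0, 10.0.0.5, 10.0.0.1, 1026, 53, 60
TcpIp, Send, 0x00000A28, 127000000000400000, 2, 0, 10.0.0.5, 10.0.0.9, 1025, 445, 1460
"""

FIXED_COLUMNS = 6  # Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms)
NETWORK_EVENTS = {"TcpIp", "UdpIp"}
NETWORK_TYPES = {"Send", "Recv"}


def parse_trace_csv(text):
    """Return one dict per event row; trailing cells become the 'data' list."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if len(cells) < FIXED_COLUMNS or cells[0] == "Event Name":
            continue  # skip the header row and any truncated line
        data = cells[FIXED_COLUMNS:]
        while data and data[-1] == "":
            data.pop()  # tracerpt leaves an empty trailing field on some rows
        records.append({
            "name": cells[0],
            "type": cells[1],
            "tid": cells[2],
            "clock": int(cells[3]),
            "kernel_ms": int(cells[4]),
            "user_ms": int(cells[5]),
            "data": data,
        })
    return records


def summarize_events(records):
    """Count occurrences and sum CPU time per (event name, event type)."""
    summary = defaultdict(lambda: {"count": 0, "kernel_ms": 0, "user_ms": 0})
    for rec in records:
        entry = summary[(rec["name"], rec["type"])]
        entry["count"] += 1
        entry["kernel_ms"] += rec["kernel_ms"]
        entry["user_ms"] += rec["user_ms"]
    return dict(summary)


def network_bytes(records):
    """Sum bytes per (source endpoint, destination endpoint) for TCP/UDP events."""
    totals = defaultdict(int)
    for rec in records:
        if rec["name"] not in NETWORK_EVENTS or rec["type"] not in NETWORK_TYPES:
            continue
        data = rec["data"]
        if len(data) < 5:
            continue  # malformed or differently laid-out row; do not guess
        src_ip, dst_ip, src_port, dst_port, size = data[:5]
        totals[(f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}")] += int(size)
    return dict(totals)


def top_talkers(byte_totals, limit=5):
    """Endpoint pairs ordered by bytes exchanged, busiest first."""
    return sorted(byte_totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    recs = parse_trace_csv(SAMPLE_CSV)
    for (name, kind), stats in sorted(summarize_events(recs).items()):
        print(f"{name}/{kind}: {stats['count']} events, "
              f"kernel {stats['kernel_ms']} ms, user {stats['user_ms']} ms")
    for (src, dst), total in top_talkers(network_bytes(recs)):
        print(f"{src} -> {dst}: {total} bytes")
```

To run it against a real log, replace SAMPLE_CSV with the contents of dumpfile.csv (for example `open("dumpfile.csv").read()`); if the header row of your file differs from the assumed layout, adjust FIXED_COLUMNS and the field order in network_bytes first.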