!ndiskd.nbllog
The !ndiskd.nbllog extension displays the log of all NBL (NET_BUFFER_LIST) activity on the system.
!ndiskd.nbllog [-stacks]
Parameters
-stacks
Include callstacks.
DLL
Ndiskd.dll
Remarks
Important !ndiskd.nbllog requires NBL tracking to be enabled on the debugee target machine. NBL tracking is not enabled by default in all configurations of Windows. If NBL tracking is not enabled, !ndiskd will give you instructions on how to enable it, as shown in the following snippet.
0: kd> !ndiskd.nbllog
This command requires NBL tracking to be enabled on the debugee target
machine. (By default, client operating systems have level 1, and servers
have level 0). To enable, set this REG_DWORD value to a nonzero value on
the target machine and reboot the target machine:
HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters ! TrackNblOwner
Possible Values (features are cumulative)
* 0: Disable all tracking.
* 1: Track the most recent owner of each NBL (enables !ndiskd.pendingnbls)
* 2: Scan for leaks at runtime (use with StuckNblReaction)
* 3: Keep a full history of all activity (enables !ndiskd.nbl -log)
* 4: Take stack capture snapshots (enables !ndiskd.nbl -log -stacks)
This command requires level 3 or higher.
The NBL log shows network traffic on the system. !ndiskd.netreport parses the NBL tracking log to display this network traffic visually. Therefore, if NBL tracking is not enabled, !ndiskd.netreport will not be able to show you this information.
Examples
After you have enabled NBL tracking on the target debugee machine, enter the !ndiskd.nbllog command to see the log of all NBL traffic on the system. As shown in the example below, running !ndiskd.nbllog with no parameters will limit output to 200 events, which can be bypassed by rerunning the command with the -force option. The middle of the output in this example has been excised for brevity.
0: kd> !ndiskd.nbllog
NBLs Processor Event Detail
ffffe00bc71453f0 CPU 0 Freed
ffffe00bc7163b40 CPU 2 Allocated
ffffe00bc7163b40 CPU 2 ProtocolSent ffffe00bc5ac4880 - QoS Packet Scheduler-0000
ffffe00bc7163b40 CPU 2 FilterSent ffffe00bc5ac5c70 - WFP Native MAC Layer LightWeight Filter-0000
ffffe00bc7163b40 CPU 2, IRQL=DPC FilterSent ffffe00bc3f701a0 - Microsoft Kernel Debug Network Adapter
ffffe00bc7163b40 CPU 2, IRQL=DPC SentToMiniport ffffe00bc3f701a0 - Microsoft Kernel Debug Network Adapter
ffffe00bc7163b40 CPU 0, IRQL=DPC MiniportSendCompleted ffffe00bc5ac5c70 - WFP Native MAC Layer LightWeight Filter-0000
ffffe00bc7163b40 CPU 0, IRQL=DPC FilterSendCompleted ffffe00bc5ac4880 - QoS Packet Scheduler-0000
ffffe00bc7163b40 CPU 0, IRQL=DPC FilterSendCompleted send complete in NDIS, sorting to Opens
ffffe00bc7163b40 CPU 0, IRQL=DPC SendCompleted ffffe00bc5ab7c10 - TCPIP6
...
ffffe00bc6b469b0 CPU 2 Allocated
ffffe00bc6b469b0 CPU 2 Freed
ffffe00bc64a3690 CPU 2 Allocated
ffffe00bc64a3690 CPU 2 ProtocolSent ffffe00bc5ac4880 - QoS Packet Scheduler-0000
ffffe00bc64a3690 CPU 2 FilterSent ffffe00bc5ac5c70 - WFP Native MAC Layer LightWeight Filter-0000
ffffe00bc64a3690 CPU 2, IRQL=DPC FilterSent ffffe00bc3f701a0 - Microsoft Kernel Debug Network Adapter
ffffe00bc64a3690 CPU 2, IRQL=DPC SentToMiniport ffffe00bc3f701a0 - Microsoft Kernel Debug Network Adapter
ffffe00bc3cf2d10 CPU 1 Allocated
ffffe00bc7bc6030 CPU 1 Allocated
ffffe00bc3cf2d10 CPU 1 ProtocolSent ffffe00bc5ac4880 - QoS Packet Scheduler-0000
Maximum of 200 events printed; quitting early.
Rerun with the '-force' option to bypass this limit.
For a more detailed description of how to interpret the results of !ndiskd.nbllog, see !ndiskd.nbl -log on the NDIS blog.