#line 1 "C:\\WINDOWS\\SYSTEM32\\WBEM\\EN-US\\NETEVENTPACKETCAPTURE.MFL" #pragma autorecover #pragma namespace("\\\\.\\root\\standardcimv2") instance of __namespace{ name="MS_409";}; #pragma namespace("\\\\.\\root\\standardcimv2\\MS_409") [Version("2.7.0") : Amended,Description("CIM_Component is a generic association used to establish \\'part of\\' relationships between Managed Elements. For example, it could be used to define the components or parts of a System.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class CIM_Component { [key,Description("The parent element in the association.") : Amended ToSubclass] CIM_ManagedElement Ref GroupComponent; [key,Description("The child element in the association.") : Amended ToSubclass] CIM_ManagedElement Ref PartComponent; }; [Version("2.19.0") : Amended,Description("ManagedElement is an abstract class that provides a common superclass (or top of the inheritance tree) for the non-association classes in the CIM Schema.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class CIM_ManagedElement { [Description("InstanceID is an optional property that may be used to opaquely and uniquely identify an instance of this class within the scope of the instantiating Namespace. Various subclasses of this class may override this property to make it required, or a key. Such subclasses may also modify the preferred algorithms for ensuring uniqueness that are defined below.\nTo ensure uniqueness within the NameSpace, the value of InstanceID should be constructed using the following \"preferred\" algorithm: \n: \nWhere and are separated by a colon (:), and where must include a copyrighted, trademarked, or otherwise unique name that is owned by the business entity that is creating or defining the InstanceID or that is a registered ID assigned to the business entity by a recognized global authority. (This requirement is similar to the _ structure of Schema class names.) In addition, to ensure uniqueness, must not contain a colon (:). When using this algorithm, the first colon to appear in InstanceID must appear between and . \n is chosen by the business entity and should not be reused to identify different underlying (real-world) elements. If not null and the above \"preferred\" algorithm is not used, the defining entity must assure that the resulting InstanceID is not reused across any InstanceIDs produced by this or other providers for the NameSpace of this instance. \nIf not set to null for DMTF-defined instances, the \"preferred\" algorithm must be used with the set to CIM.") : Amended ToSubclass] string InstanceID; [Description("The Caption property is a short textual description (one- line string) of the object.") : Amended ToSubclass] string Caption; [Description("The Description property provides a textual description of the object.") : Amended ToSubclass] string Description; [Description("A user-friendly name for the object. This property allows each instance to define a user-friendly name in addition to its key properties, identity data, and description information. \nNote that the Name property of ManagedSystemElement is also defined as a user-friendly name. But, it is often subclassed to be a Key. It is not reasonable that the same property can convey both identity and a user-friendly name, without inconsistencies. Where Name exists and is not a Key (such as for instances of LogicalDevice), the same information can be present in both the Name and ElementName properties. Note that if there is an associated instance of CIM_EnabledLogicalElementCapabilities, restrictions on this properties may exist as defined in ElementNameMask and MaxElementNameLen properties defined in that class.") : Amended ToSubclass] string ElementName; }; [Description("CIM_ManagedSystemElement is the base class for the System Element hierarchy. Any distinguishable component of a System is a candidate for inclusion in this class. Examples of system components include: \n- software components such as application servers, databases, and applications \n- operating system components such as files, processes, and threads \n- device components such as disk drives, controllers, processors, and printers \n- physical components such as chips and cards.") : Amended ToSubclass,Version("2.22.0") : Amended,AMENDMENT, LOCALE("MS_409")] class CIM_ManagedSystemElement : CIM_ManagedElement { [Description("A datetime value that indicates when the object was installed. Lack of a value does not indicate that the object is not installed.") : Amended ToSubclass] datetime InstallDate; [Description("The Name property defines the label by which the object is known. When subclassed, the Name property can be overridden to be a Key property.") : Amended ToSubclass] string Name; [Description("Indicates the current statuses of the element. Various operational statuses are defined. Many of the enumeration\\'s values are self-explanatory. However, a few are not and are described here in more detail. \n\"Stressed\" indicates that the element is functioning, but needs attention. Examples of \"Stressed\" states are overload, overheated, and so on. \n\"Predictive Failure\" indicates that an element is functioning nominally but predicting a failure in the near future. \n\"In Service\" describes an element being configured, maintained, cleaned, or otherwise administered. \n\"No Contact\" indicates that the monitoring system has knowledge of this element, but has never been able to establish communications with it. \n\"Lost Communication\" indicates that the ManagedSystem Element is known to exist and has been contacted successfully in the past, but is currently unreachable. \n\"Stopped\" and \"Aborted\" are similar, although the former implies a clean and orderly stop, while the latter implies an abrupt stop where the state and configuration of the element might need to be updated. \n\"Dormant\" indicates that the element is inactive or quiesced. \n\"Supporting Entity in Error\" indicates that this element might be \"OK\" but that another element, on which it is dependent, is in error. An example is a network service or endpoint that cannot function due to lower-layer networking problems. \n\"Completed\" indicates that the element has completed its operation. This value should be combined with either OK, Error, or Degraded so that a client can tell if the complete operation Completed with OK (passed), Completed with Error (failed), or Completed with Degraded (the operation finished, but it did not complete OK or did not report an error). \n\"Power Mode\" indicates that the element has additional power model information contained in the Associated PowerManagementService association. \nOperationalStatus replaces the Status property on ManagedSystemElement to provide a consistent approach to enumerations, to address implementation needs for an array property, and to provide a migration path from today\\'s environment to the future. This change was not made earlier because it required the deprecated qualifier. Due to the widespread use of the existing Status property in management applications, it is strongly recommended that providers or instrumentation provide both the Status and OperationalStatus properties. Further, the first value of OperationalStatus should contain the primary status for the element. When instrumented, Status (because it is single-valued) should also provide the primary status of the element.") : Amended ToSubclass,Values{"Unknown", "Other", "OK", "Degraded", "Stressed", "Predictive Failure", "Error", "Non-Recoverable Error", "Starting", "Stopping", "Stopped", "In Service", "No Contact", "Lost Communication", "Aborted", "Dormant", "Supporting Entity in Error", "Completed", "Power Mode", "DMTF Reserved", "Vendor Reserved"} : Amended ToSubclass] uint16 OperationalStatus[]; [Description("Strings describing the various OperationalStatus array values. For example, if \"Stopping\" is the value assigned to OperationalStatus, then this property may contain an explanation as to why an object is being stopped. Note that entries in this array are correlated with those at the same array index in OperationalStatus.") : Amended ToSubclass] string StatusDescriptions[]; [Description("A string indicating the current status of the object. Various operational and non-operational statuses are defined. This property is deprecated in lieu of OperationalStatus, which includes the same semantics in its enumeration. This change is made for 3 reasons: \n1) Status is more correctly defined as an array. This definition overcomes the limitation of describing status using a single value, when it is really a multi-valued property (for example, an element might be OK AND Stopped. \n2) A MaxLen of 10 is too restrictive and leads to unclear enumerated values. \n3) The change to a uint16 data type was discussed when CIM V2.0 was defined. However, existing V1.0 implementations used the string property and did not want to modify their code. Therefore, Status was grandfathered into the Schema. Use of the deprecated qualifier allows the maintenance of the existing property, but also permits an improved definition using OperationalStatus.") : Amended ToSubclass] string Status; [Description("Indicates the current health of the element. This attribute expresses the health of this element but not necessarily that of its subcomponents. The possible values are 0 to 30, where 5 means the element is entirely healthy and 30 means the element is completely non-functional. The following continuum is defined: \n\"Non-recoverable Error\" (30) - The element has completely failed, and recovery is not possible. All functionality provided by this element has been lost. \n\"Critical Failure\" (25) - The element is non-functional and recovery might not be possible. \n\"Major Failure\" (20) - The element is failing. It is possible that some or all of the functionality of this component is degraded or not working. \n\"Minor Failure\" (15) - All functionality is available but some might be degraded. \n\"Degraded/Warning\" (10) - The element is in working order and all functionality is provided. However, the element is not working to the best of its abilities. For example, the element might not be operating at optimal performance or it might be reporting recoverable errors. \n\"OK\" (5) - The element is fully functional and is operating within normal operational parameters and without error. \n\"Unknown\" (0) - The implementation cannot report on HealthState at this time. \nDMTF has reserved the unused portion of the continuum for additional HealthStates in the future.") : Amended ToSubclass,Values{"Unknown", "OK", "Degraded/Warning", "Minor failure", "Major failure", "Critical failure", "Non-recoverable error", "DMTF Reserved"} : Amended ToSubclass] uint16 HealthState; [Description("CommunicationStatus indicates the ability of the instrumentation to communicate with the underlying ManagedElement. CommunicationStatus consists of one of the following values: Unknown, None, Communication OK, Lost Communication, or No Contact. \nA Null return indicates the implementation (provider) does not implement this property. \n\"Unknown\" indicates the implementation is in general capable of returning this property, but is unable to do so at this time. \n\"Not Available\" indicates that the implementation (provider) is capable of returning a value for this property, but not ever for this particular piece of hardware/software or the property is intentionally not used because it adds no meaningful information (as in the case of a property that is intended to add additional info to another property). \n\"Communication OK \" indicates communication is established with the element, but does not convey any quality of service. \n\"No Contact\" indicates that the monitoring system has knowledge of this element, but has never been able to establish communications with it. \n\"Lost Communication\" indicates that the Managed Element is known to exist and has been contacted successfully in the past, but is currently unreachable.") : Amended ToSubclass,Values{"Unknown", "Not Available", "Communication OK", "Lost Communication", "No Contact", "DMTF Reserved", "Vendor Reserved"} : Amended ToSubclass] uint16 CommunicationStatus; [Description("DetailedStatus compliments PrimaryStatus with additional status detail. It consists of one of the following values: Not Available, No Additional Information, Stressed, Predictive Failure, Error, Non-Recoverable Error, SupportingEntityInError. Detailed status is used to expand upon the PrimaryStatus of the element. \nA Null return indicates the implementation (provider) does not implement this property. \n\"Not Available\" indicates that the implementation (provider) is capable of returning a value for this property, but not ever for this particular piece of hardware/software or the property is intentionally not used because it adds no meaningful information (as in the case of a property that is intended to add additional info to another property). \n\"No Additional Information\" indicates that the element is functioning normally as indicated by PrimaryStatus = \"OK\". \n\"Stressed\" indicates that the element is functioning, but needs attention. Examples of \"Stressed\" states are overload, overheated, and so on. \n\"Predictive Failure\" indicates that an element is functioning normally but a failure is predicted in the near future. \n\"Non-Recoverable Error \" indicates that this element is in an error condition that requires human intervention. \n\"Supporting Entity in Error\" indicates that this element might be \"OK\" but that another element, on which it is dependent, is in error. An example is a network service or endpoint that cannot function due to lower-layer networking problems.") : Amended ToSubclass,Values{"Not Available", "No Additional Information", "Stressed", "Predictive Failure", "Non-Recoverable Error", "Supporting Entity in Error", "DMTF Reserved", "Vendor Reserved"} : Amended ToSubclass] uint16 DetailedStatus; [Description("OperatingStatus provides a current status value for the operational condition of the element and can be used for providing more detail with respect to the value of EnabledState. It can also provide the transitional states when an element is transitioning from one state to another, such as when an element is transitioning between EnabledState and RequestedState, as well as other transitional conditions.\nOperatingStatus consists of one of the following values: Unknown, Not Available, In Service, Starting, Stopping, Stopped, Aborted, Dormant, Completed, Migrating, Emmigrating, Immigrating, Snapshotting. Shutting Down, In Test \nA Null return indicates the implementation (provider) does not implement this property. \n\"Unknown\" indicates the implementation is in general capable of returning this property, but is unable to do so at this time. \n\"None\" indicates that the implementation (provider) is capable of returning a value for this property, but not ever for this particular piece of hardware/software or the property is intentionally not used because it adds no meaningful information (as in the case of a property that is intended to add additional info to another property). \n\"Servicing\" describes an element being configured, maintained, cleaned, or otherwise administered. \n\"Starting\" describes an element being initialized. \n\"Stopping\" describes an element being brought to an orderly stop. \n\"Stopped\" and \"Aborted\" are similar, although the former implies a clean and orderly stop, while the latter implies an abrupt stop where the state and configuration of the element might need to be updated. \n\"Dormant\" indicates that the element is inactive or quiesced. \n\"Completed\" indicates that the element has completed its operation. This value should be combined with either OK, Error, or Degraded in the PrimaryStatus so that a client can tell if the complete operation Completed with OK (passed), Completed with Error (failed), or Completed with Degraded (the operation finished, but it did not complete OK or did not report an error). \n\"Migrating\" element is being moved between host elements. \n\"Immigrating\" element is being moved to new host element. \n\"Emigrating\" element is being moved away from host element. \n\"Shutting Down\" describes an element being brought to an abrupt stop. \n\"In Test\" element is performing test functions. \n\"Transitioning\" describes an element that is between states, that is, it is not fully available in either its previous state or its next state. This value should be used if other values indicating a transition to a specific state are not applicable.\n\"In Service\" describes an element that is in service and operational.") : Amended ToSubclass,Values{"Unknown", "Not Available", "Servicing", "Starting", "Stopping", "Stopped", "Aborted", "Dormant", "Completed", "Migrating", "Emigrating", "Immigrating", "Snapshotting", "Shutting Down", "In Test", "Transitioning", "In Service", "DMTF Reserved", "Vendor Reserved"} : Amended ToSubclass] uint16 OperatingStatus; [Description("PrimaryStatus provides a high level status value, intended to align with Red-Yellow-Green type representation of status. It should be used in conjunction with DetailedStatus to provide high level and detailed health status of the ManagedElement and its subcomponents. \nPrimaryStatus consists of one of the following values: Unknown, OK, Degraded or Error. \"Unknown\" indicates the implementation is in general capable of returning this property, but is unable to do so at this time. \n\"OK\" indicates the ManagedElement is functioning normally. \n\"Degraded\" indicates the ManagedElement is functioning below normal. \n\"Error\" indicates the ManagedElement is in an Error condition.") : Amended ToSubclass,Values{"Unknown", "OK", "Degraded", "Error", "DMTF Reserved", "Vendor Reserved"} : Amended ToSubclass] uint16 PrimaryStatus; }; [Description("CIM_LogicalElement is a base class for all the components of a System that represent abstract system components, such as Files, Processes, or LogicalDevices.") : Amended ToSubclass,Version("2.6.0") : Amended,AMENDMENT, LOCALE("MS_409")] class CIM_LogicalElement : CIM_ManagedSystemElement { }; [Description("This class encapsulates the association between the packet capture provider and a packet capture target.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventCaptureTarget_CaptureProvider : CIM_Component { [key,Description("Identifies the packet capture provider.") : Amended ToSubclass] MSFT_NetEventPacketCaptureProvider Ref GroupComponent; [key,Description("Identifies the packet capture target.") : Amended ToSubclass] MSFT_NetEventPacketCaptureTarget Ref PartComponent; }; [Description("This class encapsulates a Packet Capture Target on a computer") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventPacketCaptureTarget : CIM_LogicalElement { [Description("Name of the object") : Amended ToSubclass] string Name; [key,Description("The Unique identifying key of the object.") : Amended ToSubclass] string Id; [Description("Name of the packet capture provider.") : Amended ToSubclass] string ProviderName; [Description("Current status of the Capture.") : Amended ToSubclass] uint32 CaptureStatus; }; [Description("This class encapsulates a target network adapter, on which the traffic is to be captured.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventNetworkAdapter : MSFT_NetEventPacketCaptureTarget { [Description("The friendly name or description of the target network adapter.") : Amended ToSubclass] string InterfaceDescription; }; [Description("This class encapsulates an ETW provider on a computer for the event capture.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventProviderBase : CIM_LogicalElement { [Description("The name of the provider") : Amended ToSubclass] string Name; [key,Description("Guid, the unique id of the provider installed on the computer.") : Amended ToSubclass] string Guid; [key,Description("Guid, the unique id of the session, when part of a session. NULL Guid otherwise.") : Amended ToSubclass] string SessionGuid; [Description("The session of the provider, when part of a session.") : Amended ToSubclass] string SessionName; [Description("The maximum event level for the event capture.") : Amended ToSubclass] uint8 Level; [Description("The MatchAnyKeyword mask specified for the event capture.") : Amended ToSubclass] uint64 MatchAnyKeyword; [Description("The MatchAllKeyword mask specified for the event capture.") : Amended ToSubclass] uint64 MatchAllKeyword; }; [Description("This class encapsulates the Packet Capture Filter ETW provider on a computer") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventPacketCaptureProvider : MSFT_NetEventProviderBase { [Description("Type of the capture - Physical, VMSwitch or Both") : Amended ToSubclass] uint8 CaptureType; [Description("Specifies if the capture is required at each possible layer in the target networking stack, or just the default layer. For a VMSwitch, the filter is installed at the top of the extension stack by default. For a physical network adapater, the filter is installed just above the miniport.") : Amended ToSubclass] boolean MultiLayer; [Description("Specifies MAC Addresses or LinkLayerAddress for filtering") : Amended ToSubclass] string LinkLayerAddress[]; [Description("Specifies the EtherType for filtering") : Amended ToSubclass] uint16 EtherType[]; [Description("Specifies the IP Addresses(V4/V6) for filtering") : Amended ToSubclass] string IPAddresses[]; [Description("Specifies the IP Protocols for filtering") : Amended ToSubclass] uint8 IPProtocols[]; [Description("Specifies the packet truncation length in bytes. The default is 128. The minimum is 14. The value of zero disables truncation.") : Amended ToSubclass] uint16 TruncationLength; [Description("Specifies the direction of the traffic to be captured when Vm Targets are added - Ingress, Egress or IngressAndEgress.") : Amended ToSubclass] uint8 VmCaptureDirection; }; [Description("This class encapsulates an ETW provider on a computer for the event capture") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventProvider : MSFT_NetEventProviderBase { }; [Description("This class encapsulates an ETW capture session on a computer.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventSession : CIM_LogicalElement { [Description("The friendly name of the session.") : Amended ToSubclass] string Name; [key,Description("Guid, the unique Id of the session") : Amended ToSubclass] string Guid; [Description("The mode of the capture - SaveToFile, RealtimeRPC, RealtimeLocal.") : Amended ToSubclass] uint8 CaptureMode; [Description("The local filename to which event capture traces will be written to. Only valid when CaptureMode equals SaveToFile") : Amended ToSubclass] string LocalFilePath; [Description("The maximum size of the local file to which event capture traces will be written to, in MB. Only valid when CaptureMode equals SaveToFile. Minimum value is 1. When set to 0, there is no limit on the file size.") : Amended ToSubclass] uint32 MaxFileSize; [Description("The trace buffer size for the ETW session. The value range is 1KB to 1024KB.") : Amended ToSubclass] uint32 TraceBufferSize; [Description("The maximum number of trace buffers used for the ETW session.") : Amended ToSubclass] uint8 MaxNumberOfBuffers; [Description("The current status of the Session - Running, Stopped, Failed") : Amended ToSubclass] uint8 SessionStatus; [Description("Starts the event capture, applying the session configuration") : Amended ToSubclass] uint32 Start(); [Description("Stops the event capture") : Amended ToSubclass] uint32 Stop(); }; [Description("This class encapsulates an association between a session and a provider") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventSession_Provider : CIM_Component { [key,Description("Identifies the session") : Amended ToSubclass] MSFT_NetEventSession Ref GroupComponent; [key,Description("Identifies the provider") : Amended ToSubclass] MSFT_NetEventProvider Ref PartComponent; }; [Description("This class encapsulates a VM Network Adapter, that corresponds to a port on a virtual switch, on which the traffic is to be captured.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventVmNetworkAdapter : MSFT_NetEventPacketCaptureTarget { [Description("The MacAddress or the LinkLayerAddress of the VM Network Adapter.") : Amended ToSubclass] string MacAddress; [Description("The name of the virtual switch the VM network adapter is connected to.") : Amended ToSubclass] string SwitchName; [Description("The port name of the VM network adapter.") : Amended ToSubclass] string PortName; [Description("The name of the virtual machine that the VM network adapter belongs to.") : Amended ToSubclass] string VMName; [Description("The Id of the virtual machine that the VM network adapter belongs to.") : Amended ToSubclass] string VMId; }; [Description("Encapsulates a Virtual Switch on the hyper-v host, on which the traffic is to be captured.") : Amended ToSubclass,AMENDMENT, LOCALE("MS_409")] class MSFT_NetEventVmSwitch : MSFT_NetEventPacketCaptureTarget { };