ETW PID accuracy when coming from a kernel provider such as NDIS
I've been playing around with Event Tracing for Windows events, the networking events, NDIS-PacketCapture and TCPIP in particular. Each ETW message has the PID field and I'm trying to figure out the logic behind the assignment. It seems that the vast majority of TCPIP events have the correct PID in the PID field and the majority of NDIS-PacketCapture events as well. However, there are many instances, perhaps 30%, where the PIDs are obviously incorrect. Some of these incorrect PIDs are false positives and some false negatives. For example, it will miss certain packets coming from Chrome and just assign PID 0 in that case (false negative). Sometimes I get the PID of the application I'm running to catch these events in the PID field (false positive). As far as I can analyze, there is no way to determine whether an ETW event contains correct or incorrect information by looking at any other header/property info.

Another interesting thing to note is that some TCPIP events contain a "PID" property that sometimes agrees with the PID in the header. This "PID" property seems to be more accurate than the header PID but it still exhibits false positives and false negatives.

Am I seeing a bug? Am I not understanding the purpose of the PID field in ETW messages? Are these providers just choosing to put in garbage whenever they feel like it?

I'm using the Win32/64 trace functions in C++ such as StartTrace, EnableTraceEx2, OpenTrace, and the ProcessEventRecordProperties(PEVENT_RECORD pEvent) callback, etc. More specifically, I've modified this example to give me NDIS-PacketCapture and TCPIP events: http://msdn.microsoft.com/en-us/library/windows/desktop/ee441329(v=vs.85).aspx

This is what all values of a typical TCPIP event look like (I'm using xxx.. for IP and port numbers):

    ------------------Processing Event Record ------------------
    Event HEADER (size=136) flags=64bit, type=none pid=7576 tid=5236 eid=1300
    Time: sys=3 usr=2
    Event PROVIDER {2f07e2ee-15db-40f1-90ef-9d7ba282188a}
    Event ACTIVITY {0ff3b670-fa80-ffff-0000-000000000000}
    Provider name: Microsoft-Windows-TCPIP
    Provider GUID: {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}
    Event message: TCP: connection %1 (local=%3 remote=%5) exists. State = %6. PID = %7.
    Keyword mask: 0x8000080400000084
    Keyword name: ut:TcpipTcb
    Keyword name: ut:TcpipDiagnosis
    Keyword name: ut:ConnectPath
    Keyword name: ut:Endpoint
    Event ID: 1300
    Tcb: 0xff3b670
    LocalAddressLength: 16
    LocalAddress: xxx.xxx.xxx.xxx:xxxx
    RemoteAddressLength: 16
    RemoteAddress: xxx.xxx.xxx.xxx:xxxx
    State: EstablishedState
    Pid: 7152

Any help is greatly appreciated.
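The check a practitioner would want here is to cross-check the header pid against the event's own Pid property for every record, since the header PID is only the process that happened to be current when the kernel provider wrote the event. This added Python triage (not code from the question or from the MSDN sample) parses the text dump format the question's consumer prints and labels each record; the second record is constructed to show the header-pid=0 case, and treating header PID 0 or 4 as "no user process context" is an assumed heuristic, not something the question states.

```python
import re
# CONSTRUCTED sample in the dump format the question's consumer prints: record 1 is the
# TCPIP event quoted in the question (trimmed); record 2 is hypothetical and shows the
# header-pid=0 case the question describes.
SAMPLE_DUMP = """\
------------------Processing Event Record ------------------
Event HEADER (size=136) flags=64bit, type=none pid=7576 tid=5236 eid=1300
Provider name: Microsoft-Windows-TCPIP
Pid: 7152
------------------Processing Event Record ------------------
Event HEADER (size=136) flags=64bit, type=none pid=0 tid=0 eid=1300
Provider name: Microsoft-Windows-TCPIP
Pid: 4242
"""
SEPARATOR = "------------------Processing Event Record ------------------"
HEADER_RE = re.compile(r"^Event HEADER .*?\bpid=(\d+)\b.*?\beid=(\d+)", re.M)
PROVIDER_RE = re.compile(r"^Provider name: (\S+)", re.M)
PAYLOAD_PID_RE = re.compile(r"^Pid: (\d+)", re.M)
KERNEL_CONTEXT_PIDS = {0, 4}  # assumed heuristic: Idle / System, i.e. no user process current

def parse_records(dump):
    """One dict per event: header PID (logging context) and payload Pid (provider data)."""
    records = []
    for chunk in dump.split(SEPARATOR):
        m = HEADER_RE.search(chunk)
        if not m:
            continue  # text before the first separator, or a truncated record
        prov, pay = PROVIDER_RE.search(chunk), PAYLOAD_PID_RE.search(chunk)
        records.append({"provider": prov.group(1) if prov else None,
                        "event_id": int(m.group(2)), "header_pid": int(m.group(1)),
                        "payload_pid": int(pay.group(1)) if pay else None})
    return records

def classify(rec):
    """Header PID = process current when the event was written; payload Pid = provider's own value."""
    hp, pp = rec["header_pid"], rec["payload_pid"]
    if pp is None:
        return "header-only"  # nothing to cross-check against
    if hp == pp:
        return "agree"
    return "kernel-context" if hp in KERNEL_CONTEXT_PIDS else "mismatch"

def triage(dump):
    """Add a verdict and the PID to attribute the event to (payload first, else header)."""
    recs = parse_records(dump)
    for rec in recs:
        pp = rec["payload_pid"]
        rec.update(verdict=classify(rec), effective_pid=rec["header_pid"] if pp is None else pp)
    return recs
```

Run over a real dump, the share of "mismatch" and "kernel-context" verdicts per provider gives a measured version of the roughly 30% figure in the question.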