I've been playing around with Event Tracing for Windows events, the networking events, NDIS-PacketCapture and TCPIP in particular. Each ETW message has the PID field and I'm trying to figure out the logic behind the assignment. It seems that the vast majority of TCPIP events have the correct PID in the PID field and the majority of NDIS-PacketCapture as well. However, there are many instances, perhaps 30%, where the PIDs are obviously incorrect. Some of these incorrect PIDs are false positives and some false negatives. For example, it will miss certain packets coming from Chrome and just assign PID 0 in that case (false negative). Sometimes I get the PID of the application I'm running to catch these events in the PID field (false positive). As far as I can analyze, there is no way to determine whether an ETW event contains correct or incorrect information by looking at any other header/property info.
Another interesting thing to note is that some TCPIP events contain a "PID" property that sometimes agrees with the PID in the header. This "PID" property seems to be more accurate than the header PID but it still exhibits false positives and false negatives.
Am I seeing a bug? Am I not understanding the purpose of the PID field in ETW messages? Are these providers just choosing to put in garbage whenever they feel like it?
I'm using the Win32/64 trace functions in C++ such as StartTrace, EnableTraceEx2, OpenTrace, and the ProcessEventRecordProperties(PEVENT_RECORD pEvent) callback, etc. More specifically, I've modified this example to give me NDIS-PacketCapture and TCPIP events: http://msdn.microsoft.com/en-us/library/windows/desktop/ee441329(v=vs.85).aspx
This is what all the values of a typical TCPIP event look like (I'm using xxx.. for IP and port numbers):
------------------Processing Event Record ------------------
Event HEADER (size=136) flags=64bit, type=none
pid=7576 tid=5236 eid=1300
Time: sys=3 usr=2
Event PROVIDER {2f07e2ee-15db-40f1-90ef-9d7ba282188a}
Event ACTIVITY {0ff3b670-fa80-ffff-0000-000000000000}
Provider name: Microsoft-Windows-TCPIP
Provider GUID: {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}
Event message: TCP: connection %1 (local=%3 remote=%5) exists. State = %6. PID = %7.
Keyword mask: 0x8000080400000084
Keyword name: ut:TcpipTcb
Keyword name: ut:TcpipDiagnosis
Keyword name: ut:ConnectPath
Keyword name: ut:Endpoint
Event ID: 1300
Tcb: 0xff3b670
LocalAddressLength: 16
LocalAddress:
xxx.xxx.xxx.xxx:xxxx
RemoteAddressLength: 16
RemoteAddress:
xxx.xxx.xxx.xxx:xxxx
State: EstablishedState
Pid: 7152
Any help is greatly appreciated.
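The post compares two sources of process attribution inside one TCPIP event: the ProcessId in the EVENT_HEADER and the "Pid" field in the event payload (the "PID = %7" of event 1300). A practitioner who wants to measure how often the two disagree, rather than eyeball individual records, can replay a captured trace and tabulate the result. The PowerShell below is an added example and is not code from the original post or from Microsoft; it assumes the trace has already been written to an .etl file (the path `C:\temp\tcpip.etl` and the session name `tcpipq` are placeholders), that the Microsoft-Windows-TCPIP manifest is registered on the analysing machine so Get-WinEvent can render the payload, and that the payload field is named `Pid` as in the dump above.

```powershell
# Added example (not from the original post): compare the ETW header ProcessId
# of Microsoft-Windows-TCPIP event 1300 with the event's own "Pid" payload field
# and count how often they agree. Assumes a trace was captured beforehand, e.g.:
#   logman create trace tcpipq -p Microsoft-Windows-TCPIP -o C:\temp\tcpip.etl -ets
#   ... generate the network activity of interest ...
#   logman stop tcpipq -ets
param(
    [string]$EtlPath = 'C:\temp\tcpip.etl'   # placeholder path, adjust to your capture
)

# Get-WinEvent needs -Oldest when reading an .etl file. Only event 1300 carries
# the Pid payload field shown in the question, so restrict to it.
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-TCPIP' -and $_.Id -eq 1300 }

$rows = foreach ($evt in $events) {
    # The rendered XML exposes the payload as EventData/Data elements whose Name
    # attribute comes from the provider manifest ("Pid" in the dump above).
    [xml]$x = $evt.ToXml()
    $payloadPid = [int](($x.Event.EventData.Data | Where-Object { $_.Name -eq 'Pid' }).'#text')
    $headerPid  = $evt.ProcessId

    # Classify: header-zero is the "false negative" case from the question,
    # disagree covers the header pointing at some other process (e.g. the tracer).
    $verdict = if ($headerPid -eq 0)              { 'header-zero' }
               elseif ($payloadPid -eq $headerPid) { 'agree' }
               else                                { 'disagree' }

    # Best-effort name lookup; the process may have exited since the capture,
    # so treat an empty name as "unknown", not as evidence either way.
    $name = (Get-Process -Id $payloadPid -ErrorAction SilentlyContinue).ProcessName

    [pscustomobject]@{
        Time        = $evt.TimeCreated
        HeaderPid   = $headerPid
        PayloadPid  = $payloadPid
        PayloadName = $name
        Verdict     = $verdict
    }
}

# Summary of agreement, then the first few mismatches for manual inspection.
$rows | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object Verdict -ne 'agree' | Select-Object -First 20 | Format-Table -AutoSize
```

Run it as `.\Compare-TcpipPid.ps1 -EtlPath C:\temp\tcpip.etl` (script name is illustrative). Because the header and payload values come from the same record, the summary isolates the disagreement rate the post describes without depending on any other header field; for detection pipelines that attribute connections to processes, keying on the payload `Pid` and flagging records where the header is 0 or differs lets the attribution logic surface the uncertain cases instead of silently trusting one field.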