I am trying to capture real time data on TCP connections on a machine using ETW and the Microsoft-Windows-TCPIP provider and the Microsoft TraceEvent Library.

One of the values you can get from this is the TCB which is a number.

I know what a TCB is (Transmission Control Block), but I've no idea what the number means; the best I've been able to find from the manifest is that it is a pointer.

What I would really like to do is use this to read the actual TCB and get out the address that it is connecting to. I know I can get an address from the connect and rundown events, but for various reasons I may not always have these, and the send events only contain the TCB.

Edit:

I found a number of APIs that allow you to read the TCB tables https://msdn.microsoft.com/en-us/library/windows/desktop/aa366026(v=vs.85).aspx

However, what I would really like to do is use the TCB number that comes back from ETW to then call an API and get the TCB info.

Additional Edit:

I want to use the process and thread IDs in the ETW event to determine what address the process and thread are talking to.

Additional Edit:

Everything works when I can get the connection event that has the addresses and ports; I can tie it up to the subsequent sends and disconnects using the TCB number. I need a solution for specific cases where I don't have the connection event, only a send.

Mant101
  • [TraceEvent lib](https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/) has a parser for TCPIP data. Look to see if this helps – magicandre1981 Feb 01 '18 at 16:30
  • That's what I am using (I'll update the question). I ask it for the value of TCB from the payload and get back a number. No idea what that number actually represents or how to use it to get the TCB. – Mant101 Feb 01 '18 at 16:46
  • It is not very obvious why ETW is desirable. In C# this is wrapped well by the System.Net.NetworkInformation namespace. Look at TcpConnectionInformation and TcpStatistics. – Hans Passant Feb 20 '18 at 18:04
  • We are using ETW to get real time connection information to tie the connections to specific threads and processes. Neither of those classes help with this, although it's helpful to know about them. – Mant101 Feb 21 '18 at 11:35
  • See https://github.com/Siemens-Healthineers/ETWAnalyzer/blob/main/ETWAnalyzer/Extractors/TCP/TCPExtractor.cs for how to correlate Connection and rundown events. The rundown events get you all running connections with Tcb, pid and the endpoints. What I am still missing is how TCP port sharing works. Do you have a way to get the real process? – Alois Kraus Mar 08 '23 at 21:05
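As an added example (not the asker's code, nor anything from the TraceEvent library), the correlation the question describes, in C# on TraceEvent: a TCB-keyed table filled from connect and rundown events and looked up by send events that carry only Pid/Tid/Tcb, with sends that arrive before any connect parked until a later rundown names the endpoint. The payload field names ("Tcb", "RemoteAddress", "RemotePort") and the substring matching on EventName are assumptions to be checked against `data.PayloadNames` and the Microsoft-Windows-TCPIP manifest.

```csharp
// Added example, not code from the question or the TraceEvent project; "Tcb"/"RemoteAddress"/"RemotePort" and the EventName substrings are assumptions.
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;
sealed class TcbCorrelator
{
    readonly Dictionary<ulong, string> _endpoint = new Dictionary<ulong, string>();                                  // TCB -> remote endpoint
    readonly Dictionary<ulong, List<(int Pid, int Tid)>> _parked = new Dictionary<ulong, List<(int Pid, int Tid)>>(); // sends seen before any connect
    public void Learn(ulong tcb, string endpoint)                // connect or rundown event named the endpoint
    {
        _endpoint[tcb] = endpoint;
        if (!_parked.TryGetValue(tcb, out var waiting)) return;  // resolve sends that arrived before it
        foreach (var s in waiting) Console.WriteLine($"late: pid {s.Pid} tid {s.Tid} -> {endpoint}");
        _parked.Remove(tcb);
    }
    public string Resolve(ulong tcb, int pid, int tid)           // send event: only Pid/Tid/Tcb available
    {
        if (_endpoint.TryGetValue(tcb, out var ep)) return ep;
        if (!_parked.TryGetValue(tcb, out var list)) _parked[tcb] = list = new List<(int Pid, int Tid)>();
        list.Add((pid, tid));                                    // park until a rundown/connect arrives
        return null;
    }
    public void Forget(ulong tcb) { _endpoint.Remove(tcb); _parked.Remove(tcb); } // TCB addresses get reused
}
static class Program
{
    static bool Is(TraceEvent d, string s) => d.EventName.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0;
    static void Main()
    {
        var corr = new TcbCorrelator();
        using (var session = new TraceEventSession("TcbCorrelationDemo"))   // real-time session; needs elevation
        {
            Console.CancelKeyPress += (sender, e) => session.Dispose();    // Ctrl-C stops the session cleanly
            session.EnableProvider("Microsoft-Windows-TCPIP", TraceEventLevel.Informational);
            session.Source.Dynamic.All += d =>
            {
                var raw = d.PayloadByName("Tcb"); if (raw == null) return;  // not a per-connection event
                ulong tcb = raw is long l ? unchecked((ulong)l) : Convert.ToUInt64(raw); // kernel pointers have the sign bit set
                if (Is(d, "Connect") || Is(d, "Rundown"))
                    corr.Learn(tcb, $"{d.PayloadByName("RemoteAddress")}:{d.PayloadByName("RemotePort")}");
                else if (Is(d, "Send"))
                    Console.WriteLine($"pid {d.ProcessID} tid {d.ThreadID} tcb 0x{tcb:X} -> {corr.Resolve(tcb, d.ProcessID, d.ThreadID) ?? "unknown, parked"}");
                else if (Is(d, "Disconnect") || Is(d, "Close"))
                    corr.Forget(tcb);
            };
            session.Source.Process();
        }
    }
}
```

Replace the EventName substring tests with the event IDs from the manifest once you have identified them; the table must be cleared on disconnect because the kernel reuses the same TCB address for later connections.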

2 Answers

You were saying in the comment that you want to tie the connections to the specific threads/process. For this, you can use the TCB as a reference to get all events for a TCP connection. After the 3-way handshake, you can find the Source/Destination IP/Port tuple in the ConnConnect event from the Http stack. Then you can find the process that listens on the port.

You can also try to correlate with the web server events (such as IIS) to find more info.

Yu Xie
  • I'm already trying to get all the events for the particular process using a TCB; however, as I said, I can't rely on getting the connection event, I may only have a send event which just gives me a Pid, Tid and TCB. I'm not sure what you mean by getting the event "from Http stack"; is this an ETW event? If not, what API are you talking about? – Mant101 Feb 21 '18 at 14:46
  • Yes, it's also an ETW event, in the Microsoft-Windows-HttpService provider. – Yu Xie Feb 22 '18 at 04:39
  • You can get metadata for providers following https://msdn.microsoft.com/en-us/library/windows/desktop/dd996925(v=vs.85).aspx#get. The ConnConnect event contains the IP and port. You'll need to use the ActivityId to correlate with TCP events that also contain the Http ActivityId, though. One way to understand the events is to monitor a particular connection. – Yu Xie Feb 22 '18 at 04:46
  • I know about the metadata providers thanks, they aren't helpful on what the TCB number is. I can currently get all events for a connection and tie them together but there are some circumstances where I will not have the connection event. I had a look at the HttpService provider but that connection event doesn't give anything more than TCPIP connection event so doesn't help, plus I need to see non HTTP TCP connections. – Mant101 Feb 22 '18 at 10:48
Worth checking out how PerfView gets the ETW manifest converted into .NET objects. This should at least give you an idea of all of the objects that are available. You'll see there are a lot of numbers related to TCB, so this will probably help you work out which one you want.

The other thing worth trying is capturing a network trace using Microsoft Message Analyzer. The analyzers here are great and you'll get to see various TCB values as values for distinct objects.

I've never done a trace from within Message Analyzer (still learning), but this has been quite a handy capture method for me. The resulting file you can open up in Microsoft Message Analyzer:

netsh trace start capture=yes provider=Microsoft-Windows-TCPIP level=0x05 tracefile=TCPIP.etl

Note: try to keep your captures as short as possible, as Message Analyzer seems to need to do a lot of processing for each GUI action, which makes it pretty slow.

g0pher
  • PerfView tells me that the TCB value is a pointer. It doesn't indicate to what, so it isn't very useful. Microsoft Message Analyzer just gives me TCB as a number. – Mant101 Feb 15 '18 at 16:07
  • You've probably already seen this, but is it an address/pointer for the TCB item in the non-paged pool? http://smallvoid.com/article/winnt-tcpip-max-limit.html. In my experience PerfView often returns values as hex where Message Analyzer returns them as int, which makes it less obvious that it's a memory address. I'm quite interested in what you find out re this, as I'm working on some testing myself and a full non-paged pool could be one of the issues. If you do get a solution please do post back. Microsoft documentation at this level is pretty much nonexistent, sadly. – g0pher Feb 16 '18 at 09:19