
I am trying to set up HTTP.SYS ETW traces from Event Tracing in HTTP.sys to capture the TLS/Cipher Suites data for my web server. When I look at the CSV or XML traces, I see a bunch of events related to the SSL handshake:

[screenshot of the SSL-handshake trace events, not reproduced here]

However, I don't find things like TLS Version, Cipher Suite, Exchange Strength, etc. Is it not available in ETW Traces? I could not find any useful documentation around this.

Shubham Sharma
    TLS data can be found with Microsoft-Windows-WebIO provider – magicandre1981 Jun 01 '21 at 13:33
  • @magicandre1981 Can you please share any relevant documentation as to how can I decode the payload? I see things like: `"EnabledProtocols": 2720, "CipherConfig": 0, "CredHandleHigh": 1916664895168,"CredHandleLow": 1588831776064,`, but what do these mean? – Shubham Sharma Jun 02 '21 at 14:10
    I used Perfview to search for web related providers. Look if you can generate [parsers with this tool](https://github.com/microsoft/perfview/tree/main/src/TraceParserGen) that you can use with TraceEvent – magicandre1981 Jun 02 '21 at 16:37
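As an added example (not code from the question, the commenters, or Microsoft), a small decoder for the `EnabledProtocols` value quoted in the comments. It assumes that field is the `schannel.h` `SP_PROT_*` bitmask; that assumption and the weak-protocol list are the editor's, not something the thread confirms.

```python
# Added example, not from the question or from Microsoft. It ASSUMES the
# "EnabledProtocols" field quoted in the comments is the schannel.h
# SP_PROT_* bitmask; the thread itself does not confirm that.

# Bit values as defined in schannel.h (Windows SDK).
SP_PROT_FLAGS = {
    0x0001: "PCT1_SERVER",   0x0002: "PCT1_CLIENT",
    0x0004: "SSL2_SERVER",   0x0008: "SSL2_CLIENT",
    0x0010: "SSL3_SERVER",   0x0020: "SSL3_CLIENT",
    0x0040: "TLS1_0_SERVER", 0x0080: "TLS1_0_CLIENT",
    0x0100: "TLS1_1_SERVER", 0x0200: "TLS1_1_CLIENT",
    0x0400: "TLS1_2_SERVER", 0x0800: "TLS1_2_CLIENT",
    0x1000: "TLS1_3_SERVER", 0x2000: "TLS1_3_CLIENT",
}

# Anything older than TLS 1.2 is deprecated and worth flagging in a review.
WEAK_PREFIXES = ("PCT1", "SSL2", "SSL3", "TLS1_0", "TLS1_1")


def decode_enabled_protocols(value: int) -> list:
    """Names of the flags set in `value`, lowest bit first.
    Bits missing from the table come back as UNKNOWN_0x... so nothing
    is silently dropped if a newer SDK adds flags."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(SP_PROT_FLAGS.get(mask, f"UNKNOWN_0x{mask:X}"))
    return names


def weak_protocols(value: int) -> list:
    """Subset of the decoded flags that a hardening review should call out."""
    return [n for n in decode_enabled_protocols(value)
            if n.startswith(WEAK_PREFIXES)]


# Constructed sample mirroring the payload fragment quoted in the comments.
SAMPLE_EVENT = {"EnabledProtocols": 2720, "CipherConfig": 0}

if __name__ == "__main__":
    enabled = decode_enabled_protocols(SAMPLE_EVENT["EnabledProtocols"])
    print("enabled:", enabled)
    print("weak:", weak_protocols(SAMPLE_EVENT["EnabledProtocols"]))
```

Under that assumption 2720 decodes to four `*_CLIENT` flags (SSL 3.0 through TLS 1.2), which would describe the client end of a connection rather than the HTTP.sys server's Schannel configuration, so it should not be read as the server's negotiated cipher-suite record.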
