
I'm trying to get socket connection data for analysis from the Microsoft-Windows-Winsock-AFD publisher on both a Windows host machine and a Docker container. But it seems that these events are unavailable in the container environment, while they are available on the host machine.

Here are the steps I've taken to collect the ETW events:

logman start -ets WinsockSession -o winsock.etl -p Microsoft-Windows-Winsock-AFD
curl --output index.html --url google.com
logman stop -ets WinsockSession
tracerpt winsock.etl -o winsock.txt

On Docker, I only got 2 events, from GUID {9e814aad-3204-11d2-9a82-006008a86939}; they seem to be the events that configure the recording session, and that's it: there is no other event captured from Winsock-AFD.

System I used for testing:

  • Host: Windows 11, latest update.
  • Container: mcr.microsoft.com/windows/servercore:ltsc2019

For additional information, I use logman just to demonstrate the issue. I actually ran into this issue while implementing a Socket Monitor program to check whether a specific process had tried to connect to the internet. The program uses the Microsoft.Diagnostics.Tracing library, which comes from the perfview project.

According to this: http://htmlpreview.github.io/?https://github.com/Microsoft/perfview/blob/master/src/PerfView/SupportFiles/UsersGuide.htm#WindowsContainers Windows containers have supported ETW since v1803, so I expect the image I used to have ETW support too.

I've also tried several other ETW publishers, such as Microsoft-Windows-TCPIP and Microsoft-Kernel-Network, but none of them seem to work.

I'm very frustrated with this, as there is very little reference material or documentation on it.

I'd really appreciate any help. Thank you for reading!
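The following PowerShell script is an added example to help compare the two environments; it is not code from the question or from the perfview project. It reproduces the logman collection step by step, then decodes the resulting .etl directly with Get-WinEvent and reports which providers actually wrote events, so the same script can be run once on the host and once inside the container and the output compared. GUID {9e814aad-3204-11d2-9a82-006008a86939} is SystemTraceControlGuid, the source of the session header events that every ETL file carries; seeing only those is the signature of a session in which no real provider emitted anything. It assumes logman.exe, curl.exe and Get-WinEvent are available, that the shell is elevated (needed to start an ETW session), and the session name, output path and URL are placeholders you can change.

```powershell
# Added example (not from the question above). Collects Winsock-AFD events with
# logman, then summarizes the .etl by provider to show whether the provider
# wrote anything at all in this environment (host vs. container).
# Assumptions: logman.exe, curl.exe and Get-WinEvent exist; shell is elevated;
# the names below are placeholders.
param(
    [string]$SessionName = 'WinsockSession',
    [string]$EtlPath     = (Join-Path $PWD 'winsock.etl'),
    [string]$Provider    = 'Microsoft-Windows-Winsock-AFD',
    [string]$Url         = 'http://google.com'
)

# SystemTraceControlGuid: every ETL file carries its session header events
# under this GUID, even when no provider produced a single event.
$SessionHeaderGuid = [guid]'9e814aad-3204-11d2-9a82-006008a86939'

# 1. Is the provider registered in this environment at all? If logman cannot
#    find it, a session can still be started but nothing can be decoded.
$query = & logman query providers $Provider 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "logman does not know provider '$Provider' in this environment."
    Write-Warning ($query -join "`n")
}

# 2. Collect: start the session, cause one outbound connection, stop the session.
& logman start -ets $SessionName -o $EtlPath -p $Provider | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman start failed (is the shell elevated?)" }
try {
    & curl.exe --silent --output (Join-Path $env:TEMP 'index.html') --url $Url | Out-Null
} finally {
    & logman stop -ets $SessionName | Out-Null
}

# 3. Decode the .etl directly. -Oldest is mandatory for .etl input; an empty
#    file makes Get-WinEvent throw, which SilentlyContinue turns into an empty list.
$events = @(Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No decodable events in $EtlPath."
    return
}

# Per-provider counts: on a working host this lists Microsoft-Windows-Winsock-AFD
# with many events; in the failing case it lists only the header GUID.
$events |
    Group-Object { "$($_.ProviderName) {$($_.ProviderId)}" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$nonHeader = @($events | Where-Object { $_.ProviderId -ne $SessionHeaderGuid })
$afd       = @($events | Where-Object { $_.ProviderName -eq $Provider })

if ($nonHeader.Count -eq 0) {
    Write-Host "Only session header events ({$SessionHeaderGuid}) were recorded: '$Provider' emitted nothing here."
} else {
    $ids = ($afd.Id | Sort-Object -Unique) -join ', '
    Write-Host "$($afd.Count) event(s) from '$Provider'; event IDs seen: $ids"
}
```

If you prefer to keep tracerpt in the loop, `tracerpt winsock.etl -o winsock.csv -of CSV` gives a per-event CSV that is easier to filter by provider than the default dump format. Two things worth checking with this script: whether `logman query providers` lists Microsoft-Windows-Winsock-AFD inside the container at all, and, for a process-isolated container (the kernel is shared with the host), whether a session started on the host records the container's connections, since AFD events carry the process ID and can be filtered to the container's processes from there.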