Network Activity
MSO-Scripts gathers and correlates key ETW events from common network providers: TCP/IP, WinSock, WinHTTP, LDAP, WinINet, URLMon, Chromium, DNS.

It also stitches together symbolic call stacks across various threads to identify the native code which originated each network connection.

A WPA add-in organizes the data into a timeline and activity table.
```
MSO-Scripts\BETA\TraceNetwork Start
```

Launch the app. Exercise the code.

```
MSO-Scripts\BETA\TraceNetwork Stop
```

```
MSO-Scripts\BETA\TraceNetwork View
```

List all options:

```
MSO-Scripts\BETA\TraceNetwork -?
```
Windows and many of its applications, such as Microsoft Office, use WinHTTP, WinINet, and related services to communicate over the network and internet.
These and most other Windows-based network services are built on top of WinSock, which in turn communicates through the TCP/IP layer.
```mermaid
---
title: Simplified Network Layer Diagram
---
flowchart TD;
    WinSock-->TCP/IP
    WinHTTP-->WinSock
    WinINet-->WinSock
    LDAP-->WinSock
    Chromium-->WinSock
    TCP/IP-.->Network{{Network / Internet}}
```
MSO-Scripts gathers the essential ETW events from TCP/IP, WinSock, WinINet, WinHTTP and other providers to create a detailed, correlated timeline and table of network activity:
- Server / DNS Name(s)
- URL
- IP Address & Port
- Protocol & Method
- Bytes sent/received
- Start Time & Duration
- Process & Threads

Each event which creates a network request registers the flow of code which led to that event, i.e. a call stack (stackwalk) on that execution thread. However, network events are usually scheduled on one execution thread to occur soon thereafter on another thread. There may be many threads involved in the scheduling chain.
MSO-Scripts captures the activity of the Windows and Office Thread Pools, and stitches them together to reveal the chain of events, even as far back as WinMain (app launch). To view these execution stacks, enable any of these four columns in WPA's View Editor (ctrl+E):
- First Stack: the earliest available call stack which initiated the network request, nearest to WinMain.
- Last Stack: the call stack of the actual network request (often dispatched in a pool thread).
- Middle Stacks: an aggregation of call stacks (if any) between the First and Last Stack.
- Full Stacks: the aggregation of all call stacks leading to the network request, First + Middle + Last.
> [!NOTE]
> In the current version of the NetBlame add-in for WPA, when there is exactly one thread's call stack leading to a network request, it appears in both columns First Stack and Last Stack. This can be useful in some scenarios, confusing in others.
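The following is an added example, not code from MSO-Scripts or the NetBlame add-in, showing the stitching idea described above in miniature: a network request recorded on a pool thread is walked back, hop by hop, through the thread-pool dequeue/enqueue pairs that scheduled it, until a stack with no preceding dequeue on its thread (nearest WinMain) is reached. The event records, field names (`Enqueue`, `Dequeue`, `NetRequest`, `work_item`) and frame names are constructed assumptions that merely resemble the shape of the ETW data; the real providers use different event names and payloads. The single-thread case mirrors the note above: the same stack is reported as both First and Last.

```python
"""Added example: stitching call stacks across thread-pool hops.

Illustrative only; not part of MSO-Scripts or the NetBlame add-in.
Event kinds, field names and stack frames below are constructed to
resemble the shape of the ETW data the page describes, nothing more.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    time: int                       # constructed timestamp (arbitrary units)
    thread: int                     # thread id on which the event was recorded
    kind: str                       # "Enqueue", "Dequeue", or "NetRequest" (assumed names)
    stack: list                     # call stack, outermost frame first (constructed)
    work_item: Optional[int] = None  # pool work-item id linking an Enqueue to its Dequeue
    url: str = ""                   # only meaningful for NetRequest


@dataclass
class StitchedStacks:
    first: list           # earliest stack, nearest WinMain
    middle: list          # stacks between First and Last (may be empty)
    last: list            # stack of the actual network request

    @property
    def full(self) -> list:
        """First + Middle + Last; a single-thread chain is not duplicated."""
        frames = list(self.first)
        for s in self.middle:
            frames.extend(s)
        if self.last is not self.first:
            frames.extend(self.last)
        return frames


def stitch(events, net_event):
    """Walk back from a NetRequest to the stack that originally scheduled it.

    Each hop: find the most recent Dequeue on the current event's thread that
    precedes it, take its work_item id, and find the Enqueue carrying that id
    (recorded on the scheduling thread). Stop when no Dequeue precedes the
    current event on its thread, i.e. the thread ran this code directly.
    """
    chain = [net_event.stack]
    current = net_event
    while True:
        dequeue = max(
            (e for e in events
             if e.kind == "Dequeue" and e.thread == current.thread
             and e.time < current.time),
            key=lambda e: e.time, default=None)
        if dequeue is None:
            break
        enqueue = next((e for e in events
                        if e.kind == "Enqueue" and e.work_item == dequeue.work_item),
                       None)
        if enqueue is None:
            break                      # dangling dequeue: chain cannot be extended
        chain.append(enqueue.stack)
        current = enqueue
    chain.reverse()                    # earliest (nearest WinMain) first
    if len(chain) == 1:
        # Exactly one thread's stack: reported as both First and Last.
        return StitchedStacks(first=chain[0], middle=[], last=chain[0])
    return StitchedStacks(first=chain[0], middle=chain[1:-1], last=chain[-1])


def analyze(events):
    """Map each network request's URL to its stitched First/Middle/Last stacks."""
    return {e.url: stitch(events, e) for e in events if e.kind == "NetRequest"}


# Constructed sample: one request scheduled across three threads, one made directly.
EVENTS = [
    Event(10, 1, "Enqueue", ["WinMain", "App::Startup", "Sync::Schedule", "ThreadPool::Post"], work_item=100),
    Event(20, 2, "Dequeue", ["ThreadPool::Worker", "Sync::Run"], work_item=100),
    Event(25, 2, "Enqueue", ["ThreadPool::Worker", "Sync::Run", "Http::Begin", "ThreadPool::Post"], work_item=101),
    Event(30, 3, "Dequeue", ["ThreadPool::Worker", "Http::Worker"], work_item=101),
    Event(35, 3, "NetRequest", ["ThreadPool::Worker", "Http::Worker", "WinHttpSendRequest", "WinSock::send"],
          url="https://example.invalid/sync"),
    Event(40, 1, "NetRequest", ["WinMain", "App::Startup", "Telemetry::Ping", "WinHttpSendRequest"],
          url="https://example.invalid/direct"),
]

RESULT = analyze(EVENTS)

if __name__ == "__main__":
    for url, stacks in RESULT.items():
        print(url)
        print("  First :", " > ".join(stacks.first))
        print("  Middle:", [" > ".join(s) for s in stacks.middle])
        print("  Last  :", " > ".join(stacks.last))
```

The hop search keys on the work-item id rather than on thread ids alone, because a pool thread serves many unrelated work items over its life; matching only "the previous event on this thread" would attribute a request to whatever happened to run there last.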
See also: Symbol Resolution
The Chromium network engine is able to emit ETW events related to its activity, URLs and the like.
However, these events are not currently able to correlate well with the other ETW providers.
Therefore they are exposed in a separate "Chromium Events" tab.