
Process Monitor: TCP/IP tracing, Process ID and Thread ID


It's great to be able to match up Wireshark and Process Monitor traces, but we need to be aware of a few quirky aspects of tracing TCP events in procmon.

In this week's video we discover that procmon actually logs a TCP trace entry when the operation completes, not when the packet goes onto or comes off the wire, and that the point at which this completion occurs is not obvious.

A few additional points of note:

  • ntkrnlpa.exe is a 32-bit version of the Windows kernel that supports the PAE memory extension

  • The entry at the top of the stack trace isn't the final action of the operation but the point at which the procmon data is generated (it is in fact an ETW event)

  • The time stamps on Wireshark trace entries for packets received and ACKs don't precisely match those of the corresponding procmon entries - they can differ by as much as 20 ms (I'll cover this in another blog post)
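As an added example, not code from this post or from the Sysinternals tools, the script below pairs a procmon CSV export with a tshark field export using the tolerance above: each TCP Send/Receive is matched to the packet of the same flow, direction and payload length with the smallest timestamp gap inside 20 ms, and whatever is left over on either side is reported. The procmon column layout, the tshark field list and all sample lines are constructed for the example; it assumes procmon's "Resolve Network Addresses" was off (so Path holds IP:port pairs, local endpoint first) and that both traces show time in the same zone (UTC here).

```python
"""Pair Process Monitor TCP events with Wireshark packets inside a time window.

Added example (not code from the post). procmon stamps a TCP Send/Receive when the
operation completes, so its timestamp and the matching packet's frame time differ
by a few milliseconds; here they are paired on flow, direction and payload length,
then by the smallest gap inside a tolerance (20 ms, the bound observed in the post).
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed procmon CSV export (File > Save, CSV, default columns). Assumes
# "Resolve Network Addresses" was off so Path holds IP:port pairs with the local
# endpoint first, and that the host formats Time of Day with a 100 ns fraction.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.0412345 AM","app.exe","1234","TCP Send","10.0.0.5:51000 -> 93.184.216.34:443","SUCCESS","Length: 517, seqnum: 0, connid: 0"
"10:15:02.0708812 AM","app.exe","1234","TCP Receive","10.0.0.5:51000 -> 93.184.216.34:443","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"10:15:02.1100000 AM","app.exe","1234","TCP Receive","10.0.0.5:51000 -> 93.184.216.34:443","SUCCESS","Length: 300, seqnum: 0, connid: 0"
"""

# Constructed tshark field export, as produced by
#   tshark -r cap.pcapng -Y "tcp.len > 0" -T fields -E separator=, \
#     -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len
# Epochs fall on 2024-03-05 UTC. Two 1460-byte segments arrive before the single
# TCP Receive, and the last segment has no procmon event anywhere near it.
TSHARK_CSV = """\
1709633702.035100000,10.0.0.5,51000,93.184.216.34,443,517
1709633702.055200000,93.184.216.34,443,10.0.0.5,51000,1460
1709633702.060000000,93.184.216.34,443,10.0.0.5,51000,1460
1709633702.900000000,93.184.216.34,443,10.0.0.5,51000,300
"""


def parse_procmon_time(text: str) -> float:
    """'10:15:02.0412345 AM' (or 24-hour '13:00:00.0000000') -> seconds since midnight."""
    clock, _, meridian = text.strip().partition(" ")
    hh, mm, ss = clock.split(":")
    hour = int(hh)
    if meridian:  # 12-hour locale: 12 AM is hour 0, 12 PM is hour 12
        hour = hour % 12 + (12 if meridian.upper() == "PM" else 0)
    return hour * 3600 + int(mm) * 60 + float(ss)


def epoch_to_seconds_of_day(epoch: float, tz=timezone.utc) -> float:
    """frame.time_epoch -> seconds since midnight in the zone procmon displays (assumed UTC)."""
    dt = datetime.fromtimestamp(epoch, tz)
    return dt.hour * 3600 + dt.minute * 60 + dt.second + dt.microsecond / 1e6


def parse_procmon(text: str) -> list:
    """Keep only TCP Send/Receive rows; pull the payload length out of Detail."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] not in ("TCP Send", "TCP Receive"):
            continue
        local, remote = (p.strip() for p in row["Path"].split("->"))
        m = re.search(r"Length:\s*(\d+)", row["Detail"])
        events.append({"t": parse_procmon_time(row["Time of Day"]), "op": row["Operation"],
                       "pid": row["PID"], "local": local, "remote": remote,
                       "length": int(m.group(1)) if m else None})
    return events


def parse_tshark(text: str, tz=timezone.utc) -> list:
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, src, sport, dst, dport, length = line.split(",")
        packets.append({"t": epoch_to_seconds_of_day(float(epoch), tz),
                        "src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "length": int(length)})
    return packets


def correlate(events: list, packets: list, tolerance_s: float = 0.020):
    """Greedy 1:1 pairing in event order. A Send must match a packet from local to
    remote, a Receive one from remote to local, same payload length, closest time
    within tolerance. Returns (matches, unmatched_events, unmatched_packets);
    matches carry the gap in milliseconds so the skew itself can be inspected."""
    free = set(range(len(packets)))
    matches, unmatched_events = [], []
    for ev in events:
        if ev["op"] == "TCP Send":
            want = (ev["local"], ev["remote"], ev["length"])
        else:
            want = (ev["remote"], ev["local"], ev["length"])
        best, best_gap = None, None
        for i in free:
            pk = packets[i]
            if (pk["src"], pk["dst"], pk["length"]) != want:
                continue
            gap = abs(ev["t"] - pk["t"])
            if gap <= tolerance_s and (best is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            unmatched_events.append(ev)
        else:
            free.discard(best)
            matches.append((ev, packets[best], round(best_gap * 1000, 3)))
    return matches, unmatched_events, [packets[i] for i in sorted(free)]


if __name__ == "__main__":
    paired, no_packet, no_event = correlate(parse_procmon(PROCMON_CSV), parse_tshark(TSHARK_CSV))
    for ev, pk, gap_ms in paired:
        print(f"{ev['op']:<11} pid={ev['pid']} len={ev['length']:<5} gap={gap_ms:>7.3f} ms")
    print(f"events with no packet in window: {len(no_packet)}, packets with no event: {len(no_event)}")
```

The leftovers are the interesting part: a procmon event with no packet inside the window, or a segment with no event, is where the completion-time skew (or a receive completion that covered more than one segment) is hiding, so review them rather than discarding them. Widen `tolerance_s` only once you have measured the skew on your own host.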

It's well worth using procmon because it can give you just enough extra visibility to find the root cause of a performance problem or intermittent error.

Best regards...Paul

