Process Monitor: Matching Wireshark and Procmon Traces
The combination of Wireshark and procmon is a formidable one: Wireshark for watching what passes between networked system components, and procmon for seeing what is going on inside them (at least for those running Windows).
Matching procmon network entries with Wireshark traces can seem frustrating at first, but once you know a few tips and tricks it is fairly straightforward.
In this video blog we learn about the quirky procmon timestamp, and how we can use timestamps and TCP Length values to match trace entries.
Although the timestamp difference between procmon TCP Receive events and the matching Wireshark packets varies from capture to capture, within a single capture it stays close to constant, and that near-constant offset, combined with the TCP Length values, is what lets us pair the entries up.
The Excel clip in the video is taken from a study of a DFS problem. The Time of Day in the first column is from procmon and the one in the last column from Wireshark; the PM to Net Delta column shows a consistent 52 to 54 ms difference between the two.
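The matching procedure described above (estimate the per-capture offset, then pair each procmon TCP Receive with the same-length frame whose time delta sits at that offset) can be done with a short script instead of by hand in Excel. The following is an added example written for this page, not the author's own spreadsheet or code. It assumes a procmon CSV export with the standard "Time of Day", "Operation" and "Detail" columns and a Detail field of the form "Length: N, ..."; a Wireshark CSV export with the Time display set to Time of Day and a custom tcp.len column; that the delta is procmon time minus Wireshark time (the application sees received data after it crossed the wire); and that the median delta over all equal-length pairs is a good estimate of the capture's offset. The sample rows, the 5 ms tolerance and the 1 s search window are all constructed for the example.

```python
import csv
import io
import statistics

# Constructed procmon CSV export. Column names and the "Length: N" Detail
# layout follow procmon's own export; times, PIDs and lengths are made up.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567 AM","svchost.exe","1234","TCP Receive","host-a:445 -> host-b:49321","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"10:15:01.1334567 AM","svchost.exe","1234","TCP Receive","host-a:445 -> host-b:49321","SUCCESS","Length: 524, seqnum: 0, connid: 0"
"10:15:01.1434567 AM","svchost.exe","1234","TCP Send","host-a:445 -> host-b:49321","SUCCESS","Length: 92, seqnum: 0, connid: 0"
"10:15:01.1534567 AM","svchost.exe","1234","TCP Receive","host-a:445 -> host-b:49321","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"""

# Constructed Wireshark CSV export (Time display format: Time of Day, plus a
# custom tcp.len column). Frame 6 is a decoy: right length, wrong time.
WIRESHARK_CSV = """\
"No.","Time","tcp.len"
"1","10:15:01.070000","1460"
"2","10:15:01.075000","0"
"3","10:15:01.080000","524"
"4","10:15:01.090000","92"
"5","10:15:01.100000","1460"
"6","10:15:01.600000","1460"
"""


def hms_to_seconds(clock, ampm=None):
    """'10:15:01.1234567' (optionally with 'AM'/'PM') -> seconds since midnight."""
    h, m, s = clock.split(":")
    hour = int(h)
    if ampm:                       # procmon uses a 12-hour clock with AM/PM
        hour = hour % 12 + (12 if ampm.upper() == "PM" else 0)
    return hour * 3600 + int(m) * 60 + float(s)   # float() keeps all 7 fractional digits


def parse_procmon_time(text):
    parts = text.split()
    return hms_to_seconds(parts[0], parts[1] if len(parts) > 1 else None)


def parse_length(detail):
    """Pull N out of a procmon Detail string such as 'Length: 1460, seqnum: 0, connid: 0'."""
    for field in detail.split(","):
        key, _, value = field.strip().partition(":")
        if key.strip() == "Length":
            return int(value)
    raise ValueError("no Length in Detail: " + detail)


def load_procmon(text, operation="TCP Receive"):
    """(time_seconds, tcp_length) for every row of the requested operation."""
    return [(parse_procmon_time(r["Time of Day"]), parse_length(r["Detail"]))
            for r in csv.DictReader(io.StringIO(text)) if r["Operation"] == operation]


def load_wireshark(text):
    """(frame_number, time_seconds, tcp_length) for every exported frame."""
    return [(int(r["No."]), hms_to_seconds(r["Time"]), int(r["tcp.len"]))
            for r in csv.DictReader(io.StringIO(text))]


def estimate_offset_ms(events, packets, window_ms=1000.0):
    """Per-capture procmon-minus-Wireshark offset: the median delta over every
    (event, frame) pair with equal, non-zero TCP length inside +/- window_ms.
    Wrong-frame pairs land far from the true offset, so the median ignores them."""
    deltas = [(ev_t - pk_t) * 1000.0
              for ev_t, ev_len in events
              for _, pk_t, pk_len in packets
              if pk_len == ev_len and pk_len > 0 and abs(ev_t - pk_t) * 1000.0 <= window_ms]
    if not deltas:
        raise ValueError("no same-length pairs inside the window")
    return statistics.median(deltas)


def match(events, packets, offset_ms, tolerance_ms=5.0):
    """Pair each TCP Receive with the same-length frame whose delta is closest to
    the capture's offset (each frame used once). Returns (time, length, frame|None)."""
    used, result = set(), []
    for ev_t, ev_len in events:
        best = None
        for frame, pk_t, pk_len in packets:
            if frame in used or pk_len != ev_len:
                continue
            err = abs((ev_t - pk_t) * 1000.0 - offset_ms)
            if err <= tolerance_ms and (best is None or err < best[1]):
                best = (frame, err)
        if best:
            used.add(best[0])
        result.append((ev_t, ev_len, best[0] if best else None))
    return result


if __name__ == "__main__":
    events = load_procmon(PROCMON_CSV)
    packets = load_wireshark(WIRESHARK_CSV)
    offset = estimate_offset_ms(events, packets)
    print("estimated PM-to-Net offset: %.3f ms" % offset)
    for ev_t, ev_len, frame in match(events, packets, offset):
        print("receive at %.7f s, len %5d -> frame %s" % (ev_t, ev_len, frame))
```

Two checks are worth doing on real data before trusting the pairing: look at the spread of the deltas around the median (a capture with a sharp cluster at one value, like the 52 to 54 ms in the DFS study, is a good sign, while a broad smear means the clocks or the load drifted and the tolerance must widen), and expect an unmatched Receive whenever the host's stack hands several wire segments to the application as one indication, since the procmon Length will then be the sum of several Wireshark tcp.len values rather than any single one of them.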