The Oldcommguy

Process Monitor: File Share Traffic


Continuing in our wander through the capabilities of procmon, this week we look at a Windows quirk that can cause confusion when analysing a trace.

I was investigating the intermittent slow loading of a PDF in a financial research management system. I'd spent ages carefully planning and managing the capture of a network and process monitor trace, and at last I had an example of the problem.

I started to look through the procmon trace and ... hang on, where are the TCP entries? I checked and rechecked the trace filters but I couldn't see what was wrong.

The explanation is quite simple when you know the answer. In this video we discover how to find SMB traffic in a procmon trace.

Here are links to the procmon and Wireshark traces, so that you can follow along with the video:

Why not also try matching the Wireshark trace entries to the procmon TCP entries using the information from the earlier blog?

Best regards...Paul

