NetworkDataPedia © 2018-2020

Process Monitor: TCP/IP tracing, Process ID and Thread ID

June 24, 2014

It's great to be able to match up Wireshark and Process Monitor traces, but we need to be aware of a few quirky aspects to tracing TCP events in procmon.

In this week's video we discover that procmon logs its trace entry on completion of a TCP operation, not when the operation is issued, and that the point at which that completion occurs is not obvious.

A few additional points of note:

  • ntkrnlpa.exe is the 32-bit build of the Windows kernel with Physical Address Extension (PAE) support

  • The entry at the top of the stack isn't the final action of the TCP operation but the point at which the procmon data is generated (in fact an ETW event)

  • The time stamp on Wireshark trace entries for packets received and ACKs doesn't precisely match that of the corresponding procmon entry; the two can differ by as much as 20 ms (I'll cover this in another blog)

It's well worth using procmon because it can give you just enough extra visibility to find the root cause of a performance problem or intermittent error.
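
The two quirks above (entries stamped on completion, and a skew of up to 20 ms against the packet trace) mean you can't join the two traces on an exact timestamp. The script below is an added example, not code from the post: it pairs each procmon TCP event (with its PID and TID) with the nearest Wireshark packet of the right direction and payload length inside a tolerance window, and reports the skew. It assumes a procmon CSV export with the Thread ID column enabled and resolved network addresses switched off (so Path reads local:port -> remote:port), and a Wireshark packet-list CSV export taken with the time display format set to Time of Day so both files carry wall-clock time. Both CSV samples are constructed; the Detail text mimics procmon's "Length: N" field.

```python
"""Correlate Process Monitor TCP events (PID/TID) with Wireshark packets,
allowing for the skew between the two traces."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed procmon export (File > Save > CSV) filtered to one connection.
# Assumed columns: Time of Day, Process Name, PID, TID, Operation, Path
# (local -> remote, resolved addresses off), Result, Detail ("Length: N ...").
PROCMON_CSV = """\
"Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"
"10:15:02.0031234 AM","curl.exe","4120","4124","TCP Connect","10.0.0.5:49152 -> 10.0.0.9:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:15:02.0102210 AM","curl.exe","4120","4124","TCP Send","10.0.0.5:49152 -> 10.0.0.9:80","SUCCESS","Length: 78, seqnum: 0, connid: 0"
"10:15:02.0458700 AM","curl.exe","4120","4124","TCP Receive","10.0.0.5:49152 -> 10.0.0.9:80","SUCCESS","Length: 512, seqnum: 0, connid: 0"
"10:15:02.0900000 AM","curl.exe","4120","4124","TCP Receive","10.0.0.5:49152 -> 10.0.0.9:80","SUCCESS","Length: 300, seqnum: 0, connid: 0"
"""

# Constructed Wireshark export (Export Packet Dissections > As CSV) with the
# time column in Time of Day format. Only TCP summary rows are parsed.
WIRESHARK_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","10:15:02.001900","10.0.0.5","10.0.0.9","TCP","66","49152 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460"
"2","10:15:02.002700","10.0.0.9","10.0.0.5","TCP","66","80 → 49152 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460"
"3","10:15:02.002750","10.0.0.5","10.0.0.9","TCP","54","49152 → 80 [ACK] Seq=1 Ack=1 Win=8192 Len=0"
"4","10:15:02.003100","10.0.0.5","10.0.0.9","TCP","132","49152 → 80 [PSH, ACK] Seq=1 Ack=1 Win=8192 Len=78"
"5","10:15:02.040500","10.0.0.9","10.0.0.5","TCP","566","80 → 49152 [PSH, ACK] Seq=1 Ack=79 Win=29200 Len=512"
"6","10:15:02.050000","10.0.0.9","10.0.0.5","TCP","354","80 → 49152 [PSH, ACK] Seq=513 Ack=79 Win=29200 Len=300"
"""

TIME_RE = re.compile(r"(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d+))?\s*(AM|PM)?$")
PATH_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")
LEN_RE = re.compile(r"Length:\s*(\d+)")
INFO_RE = re.compile(r"(\d+)\s*(?:→|->)\s*(\d+)\s*\[([^\]]*)\].*?\bLen=(\d+)")


@dataclass
class Event:  # one procmon TCP row
    t: float; process: str; pid: int; tid: int; op: str
    local: tuple; remote: tuple; length: int


@dataclass
class Packet:  # one Wireshark TCP row
    no: int; t: float; src: tuple; dst: tuple; flags: frozenset; length: int


def time_of_day_seconds(text: str) -> float:
    """'HH:MM:SS.fffffff [AM|PM]' -> seconds since midnight. Parsed by hand
    because procmon writes 7 fractional digits and strptime's %f stops at 6."""
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised time: {text!r}")
    hh, mm, ss, frac, ampm = m.groups()
    hour = int(hh) % 12 + (12 if ampm == "PM" else 0) if ampm else int(hh)
    return hour * 3600 + int(mm) * 60 + int(ss) + (float("0." + frac) if frac else 0.0)


def parse_procmon(text: str) -> list:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        path = PATH_RE.match(row["Path"])
        if not row["Operation"].startswith("TCP") or not path:
            continue  # not a network row, or a resolved-name path we can't split
        lip, lport, rip, rport = path.groups()
        ln = LEN_RE.search(row["Detail"])
        events.append(Event(time_of_day_seconds(row["Time of Day"]), row["Process Name"],
                            int(row["PID"]), int(row["TID"]), row["Operation"],
                            (lip, int(lport)), (rip, int(rport)), int(ln.group(1)) if ln else 0))
    return events


def parse_wireshark(text: str) -> list:
    packets = []
    for row in csv.DictReader(io.StringIO(text)):
        info = INFO_RE.search(row["Info"])
        if not info:
            continue  # Info column is not a TCP summary line
        sport, dport, flags, ln = info.groups()
        packets.append(Packet(int(row["No."]), time_of_day_seconds(row["Time"]),
                              (row["Source"], int(sport)), (row["Destination"], int(dport)),
                              frozenset(f.strip() for f in flags.split(",")), int(ln)))
    return packets


def candidate(ev: Event, p: Packet) -> bool:
    """Which packets can explain a given procmon event."""
    if ev.op == "TCP Send":     # payload leaving the local socket
        return (p.src, p.dst, p.length) == (ev.local, ev.remote, ev.length)
    if ev.op == "TCP Receive":  # payload arriving for the local socket
        return (p.src, p.dst, p.length) == (ev.remote, ev.local, ev.length)
    if ev.op == "TCP Connect":  # our SYN; procmon stamps the completed connect, so
        return ((p.src, p.dst) == (ev.local, ev.remote)  # the delta includes the handshake
                and "SYN" in p.flags and "ACK" not in p.flags)
    return False


def correlate(events: list, packets: list, tolerance_ms: float = 20.0) -> list:
    """Pair each event with the nearest unused candidate packet within
    +/- tolerance_ms. Returns (event, packet or None, delta_ms or None),
    where delta_ms = procmon time - packet time."""
    used, out = set(), []
    for ev in events:
        best = None
        for p in packets:
            if p.no in used or not candidate(ev, p):
                continue
            delta = (ev.t - p.t) * 1000.0
            if abs(delta) <= tolerance_ms and (best is None or abs(delta) < abs(best[1])):
                best = (p, delta)
        if best:
            used.add(best[0].no)
        out.append((ev, best[0] if best else None, best[1] if best else None))
    return out


if __name__ == "__main__":
    for ev, pkt, delta in correlate(parse_procmon(PROCMON_CSV), parse_wireshark(WIRESHARK_CSV)):
        where = f"frame {pkt.no} ({delta:+.3f} ms)" if pkt else "no packet within tolerance"
        print(f"{ev.process} PID {ev.pid} TID {ev.tid} {ev.op:<11} {ev.length:>4} B -> {where}")
```

Every delta comes out positive because procmon stamps the completion, after the packet has already been seen on the wire. The last TCP Receive in the sample deliberately sits 40 ms after its packet: with the default 20 ms window it is reported as unmatched, which is the signal to look at why the application's receive completed late rather than to widen the window blindly.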

Best regards...Paul
