Continuing in our wander through the capabilities of procmon, this week we look at a Windows quirk that can cause confusion when analysing a trace.
I was investigating the intermittent slow loading of a PDF in a financial research management system. I'd spent ages carefully planning and managing the capture of a network and process monitor trace, and at last I had an example of the problem.
I started to look through the procmon trace and ... hang on, where are the TCP entries? I checked and rechecked the trace filters but I couldn't see what was wrong.
The explanation is quite simple when you know the answer. In this video we discover how to find SMB traffic in a procmon trace.
Here are links to the procmon and Wireshark traces, so that you can follow along with the video:
Why not also try matching the Wireshark trace entries to the procmon TCP entries using the information from the earlier blog?
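As an added example (not code from the original post or the video), here is a small Python script for the check I would run before doubting the filters: export the trace to CSV (File > Save..., CSV format), then group every SMB-related event by process name rather than filtering on the application alone. The sample rows are constructed for this example, and the attribution of the port-445 TCP entries to System (PID 4) is an assumption about how the kernel SMB redirector appears in a trace, not something the post states. It also handles the display quirk that procmon shows port 445 as "microsoft-ds" when "Show Resolved Network Addresses" is on.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a procmon CSV export (File > Save..., CSV format). The
# rows are made up for this example; the columns match a default export. The
# attribution of the port-445 TCP events to System (PID 4) reflects how the
# kernel SMB redirector usually appears in a trace, and is assumed here.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","AcroRd32.exe","5120","CreateFile","\\fileserver\research\Q3-report.pdf","SUCCESS","Desired Access: Generic Read"
"10:02:11.1240001 AM","System","4","TCP Connect","WORKSTATION:49712 -> fileserver:microsoft-ds","SUCCESS","Length: 0"
"10:02:11.1250002 AM","System","4","TCP Send","WORKSTATION:49712 -> fileserver:microsoft-ds","SUCCESS","Length: 213"
"10:02:11.1260003 AM","System","4","TCP Receive","WORKSTATION:49712 -> fileserver:microsoft-ds","SUCCESS","Length: 512"
"10:02:11.1300004 AM","AcroRd32.exe","5120","ReadFile","\\fileserver\research\Q3-report.pdf","SUCCESS","Offset: 0, Length: 65,536"
"10:02:12.0000005 AM","chrome.exe","8844","TCP Send","WORKSTATION:50001 -> 93.184.216.34:https","SUCCESS","Length: 1,460"
'''

# Port 445 as procmon shows it: numeric when "Show Resolved Network Addresses"
# is off, the service name "microsoft-ds" when it is on.
SMB_PORTS = {"445", "microsoft-ds"}

NETWORK_OPS = ("TCP ", "UDP ")


def parse_procmon_csv(text):
    """Parse a procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def remote_port(path):
    """Return the remote port (or resolved service name) from a procmon
    network event Path such as 'HOST:49712 -> server:microsoft-ds'."""
    if " -> " not in path:
        return None
    remote = path.split(" -> ", 1)[1]
    # rsplit so that an IPv6 literal containing ':' still yields the port.
    return remote.rsplit(":", 1)[-1]


def is_smb_network_event(row):
    """TCP/UDP event whose remote side is the SMB port, whatever the process."""
    return row["Operation"].startswith(NETWORK_OPS) and remote_port(row["Path"]) in SMB_PORTS


def is_unc_file_event(row):
    """File-system event against a UNC path (\\server\share\...)."""
    return not row["Operation"].startswith(NETWORK_OPS) and row["Path"].startswith("\\\\")


def smb_activity_by_process(rows):
    """Group SMB-related events by process name, counting operations.

    This is the check to run when the application you filtered on shows file
    operations against a UNC path but no TCP entries: the network side of the
    same transfer is attributed to another process (assumed here: System, PID 4).
    """
    summary = defaultdict(Counter)
    for row in rows:
        if is_smb_network_event(row) or is_unc_file_event(row):
            summary[row["Process Name"]][row["Operation"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for process, ops in smb_activity_by_process(parse_procmon_csv(SAMPLE_CSV)).items():
        print(f"{process}: {dict(ops)}")
```

Run against a real export, the summary tells you at a glance which process carries the file operations and which carries the TCP entries for the same share; if your procmon filter is restricted to the application's process name, the second group is exactly what you will not see.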