I am trying to capture real time data on TCP connections on a machine using ETW and the Microsoft-Windows-TCPIP provider and the Microsoft TraceEvent Library.
One of the values you can get from this is the TCB which is a number.
I know what a TCB is (Transmission Control Block), but I've no idea what the number means; the best I've been able to find from the manifest is that this is a pointer.
What I would really like to do is use this to read the actual TCB and get out the address that it is connecting to. I know I can get an address from the connect and rundown events, but for various reasons I may not always have these, and the send events only contain the TCB.
Edit:
I found a number of APIs that allow you to read the TCB tables https://msdn.microsoft.com/en-us/library/windows/desktop/aa366026(v=vs.85).aspx
However, what I would really like to do is use the TCB number that comes back from ETW to then call an API and get the TCB info.
Additional Edit:
I want to use the process and thread IDs in the ETW event to determine what address the process and thread are talking to.
Additional Edit:
Everything works when I can get the connection event that has the addresses and ports; I can tie it up to the subsequent sends and disconnects using the TCB number. I need a solution for specific cases where I don't have the connection event, only a send.
You were saying in the comment that you want to tie the connections to specific threads/processes. For this, you can use the TCB as a reference to get all events for a TCP connection. After the 3-way handshake, you can find the Source/Destination IP/Port tuple in the ConnConnect event from the Http stack. Then you can find the process that listens on the port.
You can also try to correlate with the web server events (such as IIS) to find more info.
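As an added illustration (not code from the question or the answer, and not the TraceEvent API itself): a small correlator that keys every event on its TCB value, as the answer suggests, and handles the asker's case where a Send arrives before any Connect or Rundown that carries addresses. The event names, field names and the sample stream are constructed stand-ins for the Microsoft-Windows-TCPIP payloads, not real ETW output.

```python
from dataclasses import dataclass, field

@dataclass
class ConnState:
    dst: "tuple | None" = None                   # (peer_ip, peer_port) once a Connect/Rundown is seen
    pending: list = field(default_factory=list)  # sends seen before any address information

class TcbCorrelator:
    """Key every TCPIP event on its TCB so sends inherit the peer address learned elsewhere."""
    def __init__(self):
        self.conns = {}      # tcb -> ConnState, live connections only
        self.resolved = []   # sends annotated with pid/tid and peer address
        self.orphaned = []   # sends whose TCB was torn down before any address was learned

    def feed(self, ev):
        tcb, kind = ev["tcb"], ev["event"]
        state = self.conns.setdefault(tcb, ConnState())
        if kind in ("Connect", "Rundown"):
            state.dst = (ev["dst"], ev["dport"])
            # a Rundown may arrive after sends: resolve the ones already queued on this TCB
            for send in state.pending:
                self.resolved.append({**send, "dst": ev["dst"], "dport": ev["dport"]})
            state.pending.clear()
        elif kind == "Send":
            if state.dst:
                self.resolved.append({**ev, "dst": state.dst[0], "dport": state.dst[1]})
            else:
                state.pending.append(ev)
        elif kind == "Disconnect":
            # drop state on teardown: the TCB is a pointer, so the same value can be reused
            # by a later connection and a stale address must not be attached to its sends
            gone = self.conns.pop(tcb, None)
            if gone is not None:
                self.orphaned.extend(gone.pending)

# constructed sample stream (not real ETW output); on TCB 0x1000 a Send precedes the Rundown
EVENTS = [
    {"event": "Send", "tcb": 0x1000, "pid": 4, "tid": 8, "bytes": 120},
    {"event": "Connect", "tcb": 0x2000, "pid": 1234, "tid": 5, "src": "10.0.0.5", "sport": 50000, "dst": "192.0.2.10", "dport": 443},
    {"event": "Send", "tcb": 0x2000, "pid": 1234, "tid": 5, "bytes": 517},
    {"event": "Rundown", "tcb": 0x1000, "pid": 4, "tid": 8, "src": "10.0.0.5", "sport": 50001, "dst": "192.0.2.20", "dport": 445},
    {"event": "Send", "tcb": 0x1000, "pid": 4, "tid": 8, "bytes": 64},
    {"event": "Disconnect", "tcb": 0x2000, "pid": 1234, "tid": 5},
    {"event": "Send", "tcb": 0x3000, "pid": 77, "tid": 9, "bytes": 30},
    {"event": "Disconnect", "tcb": 0x3000, "pid": 77, "tid": 9},
]

def correlate(events=EVENTS):
    corr = TcbCorrelator()
    for ev in events:
        corr.feed(ev)
    return corr
```

Sends on a TCB that is torn down before any address-bearing event appears end up in `orphaned`; those are the cases where only the API lookup route the asker mentions could still recover the peer.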