
How to measure the TCP/IP overhead without sniffing?

I'm wondering whether there is a programmatic way to obtain a measure of the full bandwidth used when sending data through a TCP stream. Since I cannot seem to know how the network stack would divide the stream into packets, or when it sends a TCP SYN or ACK or many of the things it does in the background for you, I can only get a rough estimate for this.

The only solution I can think of is to actually sniff the interface, but I would like to think that the stack can already collect these stats for me.

This is running in Java under either Windows or Linux (of course, a portable solution would be preferred), but I can JNI-ize a C/C++ answer so that (and OS API calls) is a fine answer too. Thank you!

Ismael C asked Feb 03 '10 16:02



1 Answer

[Windows specific answer]

On Windows you can consider looking at ETW (Event Tracing for Windows). In general, ETW is the technology used to provide tracing/logging information on Windows, and most Microsoft software is already instrumented with ETW providers that you can use. In your case, I think the Microsoft-Windows-TCPIP provider has information (e.g. local/remote address and port, operation, bytes sent/received, etc) that might be helpful for you.

For example, I was able to start collecting the TCPIP events to a file using the command:

logman start MyTcpipLog -p Microsoft-Windows-TCPIP -ets

And stop with

logman stop MyTcpipLog -ets

Then the MyTcpipLog.etl file can be opened using a number of different tools (e.g. xperf), but there are APIs that you can use to parse this file yourself.

If you wanted to be doing this at runtime, you can create a "real-time" ETW session to process the events as they come in.

If you're new to ETW, here's a helpful article on MSDN that I used.

Matt answered Oct 03 '22 18:10
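The capture procedure from the answer above as one script, added here as an example that is not part of the original answer. The output path, the sample workload URL, and the use of Get-WinEvent to read the trace (in place of xperf or the parsing APIs the answer mentions) are assumptions.

```powershell
# Run from an elevated PowerShell prompt: starting an ETW session needs administrator rights.
$session = 'MyTcpipLog'                            # session name used in the answer
$etl     = Join-Path $env:TEMP 'MyTcpipLog.etl'    # assumed output path, so the file is easy to find

# Start from a clean file so earlier runs do not pollute the counts.
if (Test-Path $etl) { Remove-Item $etl }

# Start the trace on the provider named in the answer, writing to $etl.
logman start $session -p Microsoft-Windows-TCPIP -o $etl -ets | Out-Null
try {
    # Assumed workload: replace with the TCP transfer you want to measure.
    Invoke-WebRequest -Uri 'http://example.com/' -UseBasicParsing | Out-Null
}
finally {
    # Always stop the session, even if the workload throws.
    logman stop $session -ets | Out-Null
}

# Trace files can only be read oldest-first, hence -Oldest.
$events = Get-WinEvent -Path $etl -Oldest

# No event IDs or field names are assumed here. Summarise what the provider
# emitted, with one sample message per ID, to locate the events that report
# addresses, ports and byte counts on this Windows version.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Id     = $_.Name
            Count  = $_.Count
            Sample = $_.Group[0].Message
        }
    } |
    Format-Table -Wrap
```

The trace is system-wide, so it contains events for every TCP connection on the machine during the capture, not only the workload's.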