-
Notifications
You must be signed in to change notification settings - Fork 0
/
Program.cs
105 lines (90 loc) · 3.82 KB
/
Program.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
using System;
using System.Collections.Generic;
using System.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
namespace PNetAnalyzer
{
class Program
{
static void ProcessSession()
{
using (var session = new TraceEventSession("DescosmosSession", "MyEventData.etl"))
{
session.EnableProvider("Microsoft-Windows-TCPIP");
System.Threading.Thread.Sleep(10000);
}
}
static void ProcessComsumer()
{
using (var source = new ETWTraceEventSource("MyEventData.etl"))
{
var kernelParser = new KernelTraceEventParser(source);
// Subscribe to a particular Kernel event
kernelParser.ProcessStart += delegate (ProcessTraceData data) {
Console.WriteLine("Process {0} Command Line {1}",
data.ProcessName, data.CommandLine);
};
// Set up the callbacks
/*
source.Dynamic.All += delegate (TraceEvent data) {
Console.WriteLine("GOT EVENT {0}", data);
Console.WriteLine("\n");
};
*/
source.Process(); // Invoke callbacks for events in the source
}
}
static void CaptureNetworkCommnunication()
{
var etwSession = new TraceEventSession("DescosmosTcpSession");
etwSession.EnableKernelProvider(KernelTraceEventParser.Keywords.NetworkTCPIP);
var targetPid = 14496;
etwSession.Source.Kernel.UdpIpSend += data =>
{
//Console.WriteLine(String.Format("ProcessId: {0} data.saddr: {1}", data.ProcessID, data.saddr.ToString()));
if (data.ProcessID == targetPid)
{
var rData = data.size;
Console.WriteLine(String.Format("<UdpIpSend> pid: {0}, daddr: {1}, rData: {2}", data.ProcessID, data.daddr, data.size));
}
};
etwSession.Source.Kernel.UdpIpRecv += data =>
{
//Console.WriteLine(String.Format("ProcessId: {0} data.saddr: {1}", data.ProcessID, data.saddr.ToString()));
if (data.ProcessID == targetPid)
{
var rData = data.size;
Console.WriteLine(String.Format("<UdpIpRecv> pid: {0}, daddr: {1}, rData: {2}", data.ProcessID, data.daddr, data.size));
}
};
etwSession.Source.Kernel.TcpIpSend += data =>
{
//Console.WriteLine(String.Format("ProcessId: {0} data.saddr: {1}", data.ProcessID, data.saddr.ToString()));
if (data.ProcessID == targetPid)
{
var rData = data.size;
Console.WriteLine(String.Format("<TcpIpSend> pid: {0}, daddr: {1}, rData: {2}", data.ProcessID, data.daddr, data.size));
}
};
etwSession.Source.Kernel.TcpIpRecv += data =>
{
//Console.WriteLine(String.Format("ProcessId: {0} data.saddr: {1}", data.ProcessID, data.saddr.ToString()));
if (data.ProcessID == targetPid)
{
var rData = data.size;
Console.WriteLine(String.Format("<TcpIpRecv> pid: {0}, daddr: {1}, rData: {2}", data.ProcessID, data.daddr, data.size));
}
};
etwSession.Source.Process();
}
static void Main(string[] args)
{
//ProcessSession();
//ProcessComsumer();
CaptureNetworkCommnunication();
}
}
}