To enable the kernel logger and have it generate a log file of TCP/IP activity, follow these steps:

Run the Performance Monitor, and click on Data Collector Sets, User Defined.

Right-click on User Defined, choose New, and select Data Collector Set.

When prompted, enter a name for the data collector set (for example, experiment), and choose Create Manually (Advanced) before clicking Next.

In the dialog box that opens, select Create Data Logs, check Event Trace Data, and then click Next. In the Providers area, click Add, and locate Windows Kernel Trace. In the Properties list, select Keywords(Any), and then click Edit.

From this list, select only Net for Network TCP/IP, and then click OK.

Click Next to select a location where the files are saved. By default, this location is C:\Perflogs\experiment\, if this is how you named the data collector set. Click Next, and in the Run As edit box, enter the Administrator account name and its password. Click Finish. You should now see a window similar to the one shown here:

Right-click on “experiment” (or whatever name you gave your data collector set), and then click Start. Now generate some network activity by opening a browser and visiting a web site.

Right-click on the data collector set node again, and then click Stop.

Open a command prompt, and change to the C:\Perflogs\experiment\00001 directory (or the directory into which you specified that the trace log file be stored).

Run tracerpt, and pass it the name of the trace log file:

tracerpt DataCollector01.etl -o dumpfile.csv -of CSV

Open dumpfile.csv in Microsoft Excel or in a text editor. You should see TCP and/or UDP trace records like the following, one record per line. In each record the event class and type come first, followed by the timing columns; in the provider payload that follows, the first value is the process ID (4 is the System process, to which the NetBIOS name-service broadcasts on UDP port 137 are attributed), the next is the size in bytes, and the next four are the two endpoint addresses and ports:

TcpIp, SendIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1388, 157.54.86.28, 172.31.234.35, 80, 49414, 646659, 646661
UdpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 4, 50, 172.31.239.255, 172.31.233.110, 137, 137, 0, 0x0
UdpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 4, 50, 172.31.239.255, 172.31.234.162, 137, 137, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1425, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1380, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 45, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1415, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 740, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
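A dump like this is rarely read by hand. The following Python script is an added example, not code from the book: it parses the TcpIp/UdpIp rows of a tracerpt CSV dump, totals bytes sent and received per process, groups records into flows, and filters by port. The sample rows are constructed from the records shown above, and the column positions (event class and type first, then the payload with process ID, size, addresses and ports at columns 7 to 12) are an assumption taken from that sample rather than from documented tracerpt column names; header rows and records from other kernel event classes are skipped by the event-name filter.

```python
"""Summarise the TcpIp/UdpIp records of a tracerpt -of CSV kernel-logger dump.

Added example for the experiment above, not part of the book. Column positions
below are an assumption derived from the records shown on the page.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: the same records shown above, comma-separated. A real dump
# also carries a header row and other event classes, which parse_records() skips.
SAMPLE_CSV = """\
TcpIp, SendIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1388, 157.54.86.28, 172.31.234.35, 80, 49414, 646659, 646661
UdpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 4, 50, 172.31.239.255, 172.31.233.110, 137, 137, 0, 0x0
UdpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 4, 50, 172.31.239.255, 172.31.234.162, 137, 137, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1425, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1380, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 45, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 1415, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
TcpIp, RecvIPV4, 0xFFFFFFFF, 1.28663E+17, 0, 0, 1992, 740, 157.54.86.28, 172.31.234.35, 80, 49414, 0, 0x0
"""

# Column layout as it appears in the sample (assumed, not documented names).
COL_EVENT, COL_TYPE = 0, 1          # event class (TcpIp/UdpIp) and type (SendIPV4, ...)
COL_PID, COL_SIZE = 6, 7            # first two payload fields: process ID, bytes
COL_ADDR1, COL_ADDR2 = 8, 9         # the two endpoint addresses
COL_PORT1, COL_PORT2 = 10, 11       # the two endpoint ports


def _int(value):
    """Parse a numeric field; unknown or blank fields count as 0."""
    try:
        return int(value, 0)
    except ValueError:
        return 0


def parse_records(text):
    """Return TcpIp/UdpIp rows as dicts; header rows and other event classes are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) <= COL_PORT2 or row[COL_EVENT] not in ("TcpIp", "UdpIp"):
            continue
        kind = row[COL_TYPE]
        if kind.startswith("Send"):
            direction = "send"
        elif kind.startswith("Recv"):
            direction = "recv"
        else:
            direction = "other"   # Connect, Disconnect, Retransmit, ...: not counted as traffic
        records.append({
            "proto": row[COL_EVENT], "type": kind, "direction": direction,
            "pid": _int(row[COL_PID]), "size": _int(row[COL_SIZE]),
            "addr1": row[COL_ADDR1], "port1": _int(row[COL_PORT1]),
            "addr2": row[COL_ADDR2], "port2": _int(row[COL_PORT2]),
        })
    return records


def bytes_per_pid(records):
    """Bytes sent and received per process ID."""
    totals = defaultdict(lambda: {"send": 0, "recv": 0})
    for r in records:
        if r["direction"] in ("send", "recv"):
            totals[r["pid"]][r["direction"]] += r["size"]
    return dict(totals)


def flows(records):
    """Packets and bytes per (pid, protocol, endpoint 1, endpoint 2)."""
    out = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        key = (r["pid"], r["proto"], f'{r["addr1"]}:{r["port1"]}', f'{r["addr2"]}:{r["port2"]}')
        out[key]["packets"] += 1
        out[key]["bytes"] += r["size"]
    return dict(out)


def records_on_port(records, port):
    """Records where either endpoint uses the given port (e.g. 80 or 137)."""
    return [r for r in records if port in (r["port1"], r["port2"])]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for pid, t in sorted(bytes_per_pid(recs).items()):
        print(f"pid {pid}: sent {t['send']} bytes, received {t['recv']} bytes")
    for key, v in flows(recs).items():
        print(key, v)
    print(f"{len(records_on_port(recs, 137))} NetBIOS name-service datagrams")
```

Run it against a real dump by passing the file contents to parse_records(); because the script keys flows on the address pairs exactly as the provider reports them, a TCP connection's send and receive records land in the same flow, while each UDP datagram from a different sender forms its own.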

Wow64

Wow64 (Win32 emulation on 64-bit Windows) refers to the software that permits the execution of 32-bit x86 applications on 64-bit Windows. It is implemented as a set of user-mode DLLs, with some support from the kernel for creating 32-bit versions of what would normally only be 64-bit data structures, such as the process environment block (PEB) and thread environment block (TEB). Changing Wow64 contexts through Get/SetThreadContext is also implemented by the kernel. Here are the user-mode DLLs responsible for Wow64:

Wow64.dll. Manages process and thread creation, and hooks exception-dispatching and base system calls exported by Ntoskrnl.exe. It also implements file-system redirection and registry redirection.

Wow64Cpu.dll. Manages the 32-bit CPU context of each running thread inside Wow64, and provides processor architecture-specific support for switching CPU mode from 32-bit to 64-bit and vice versa.

Wow64Win.dll. Intercepts the GUI system calls exported by Win32k.sys.

IA32Exec.bin and Wowia32x.dll on IA64 systems. Contain the IA-32 software emulator and its interface library. Because Itanium processors cannot execute x86 32-bit instructions natively in an efficient manner (performance is less than 30 percent of native), software emulation (through binary translation) is required, and these two additional components provide it.

The relationship of these DLLs is shown in Figure 3-31.

Figure 3-31. Wow64 architecture

Wow64 Process Address Space Layout

Wow64 processes can run with 2 GB or 4 GB of virtual address space. If the image header has the large-address-aware flag set, the memory manager reserves the user-mode address space from the 4-GB boundary up to the end of the user-mode address space, so the process sees 4 GB. If the image is not marked as large address space aware, the memory manager reserves the user-mode address space above 2 GB instead. (For more information on large-address-space support, see the section "x86 User Address Space Layouts" in Chapter 10 in Part 2.)
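Which of the two layouts a given 32-bit image will get can be read straight from its PE header. The script below is an added example, not code from the book: it reads the Machine and Characteristics fields of the COFF file header and reports 2 or 4 GB for an x86 image depending on IMAGE_FILE_LARGE_ADDRESS_AWARE (the flag /LARGEADDRESSAWARE sets), and None for images that are not x86 and so do not run under Wow64. The offsets and flag values are the documented PE ones; build_minimal_pe() produces a constructed, non-loadable header stub so the check can be exercised without a real binary.

```python
"""Report the Wow64 user address-space size (2 or 4 GB) an x86 PE image will get.

Added example, not part of the book. PE layout and flag values are the documented
ones; build_minimal_pe() makes a constructed header-only stub for offline testing.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020      # Characteristics bit set by /LARGEADDRESSAWARE
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER = "<HHIIIHH"                     # Machine, NumberOfSections, TimeDateStamp,
                                             # PointerToSymbolTable, NumberOfSymbols,
                                             # SizeOfOptionalHeader, Characteristics


def coff_header(data):
    """Return (Machine, Characteristics) from the COFF file header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    fields = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return fields[0], fields[6]


def wow64_user_space_gb(data):
    """2 or 4 for an x86 image under Wow64; None for images Wow64 does not run."""
    machine, characteristics = coff_header(data)
    if machine != IMAGE_FILE_MACHINE_I386:
        return None
    return 4 if characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE else 2


def build_minimal_pe(machine, characteristics):
    """Constructed stub: a DOS header pointing at a PE signature and COFF header only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HEADER, machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + PE_SIGNATURE + coff


def check_file(path):
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return wow64_user_space_gb(f.read())


if __name__ == "__main__":
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, with and without the flag
    plain = build_minimal_pe(IMAGE_FILE_MACHINE_I386, 0x0102)
    aware = build_minimal_pe(IMAGE_FILE_MACHINE_I386, 0x0102 | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    print("x86 without flag:", wow64_user_space_gb(plain), "GB")
    print("x86 with flag:   ", wow64_user_space_gb(aware), "GB")
    print("x64 image:       ", wow64_user_space_gb(build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, 0x0022)))
```

The flag matters beyond capacity: 32-bit code that treats pointers as signed, or otherwise assumes every user-mode address is below 2 GB, only meets addresses above that boundary once the image is marked large address aware, so the check is a cheap first pass when auditing a 32-bit binary for that class of bug.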

System Calls
