Login/Register
how to count bytes sent and received per TCP connection (system-wide)?
Asked Answered
Solved windowswinapinetwork-programming
S

6

14

e.g. recent versions of TCPView has such functionality: showing bytes sent/received per TCP connection (counting starts when TCPView is launched). is it possible w/o packet sniffering? does windows provides any API for this? I haven't found such Performance Counter

how to enumerate all connections are described here

EDIT: does TDI help to receive per-socket transfer statistics? NetBIOS? any links where to dig?

Shuma answered 16/1, 2011 at 12:20 Comment(5)
I have this question as a favorite, I won't provide this answer, but simply a comment to guide, but have you looked at msdn.microsoft.com/en-us/library/aa394291%28v=vs.85%29.aspx ?Carsick
@Anders: as I got, it's system wide info, not per TCP connection, right?Shuma
Seems that way. Have you found anything else?Carsick
I googled and found this question because TCPView is not showing me sent/received bytes in 64 bit Win7. Several other people have reported this but no solution has ever been posted. Since you guys are elbows deep in the internals, any ideas why this could be happening?Babbage
I don't find this functionality, could you show me which version is?Treblinka
N
4

I want to implement this function also, so I reverse tcpview 3.0.2.

I found, tcpview use a WMI performance counter MSNT_TcpIpInformation.

But MSNT_TcpIpInformation is not supported in xp and 2003 officially.

here is the description, you can reference to. http://www.scriptinternals.com/new/us/support/Internal/WMI_MSNT_TcpIpInformation.htm

by the way, MSNT_TcpIpInformation have no information about packets, so tcpview just increment sent and revd packets everytime. here is the disassemble:

CPU Disasm
Address   Hex dump          Command                                           Comments
0040B41B  |.  83E8 02       SUB EAX,2                                         ; Switch (cases 2..3, 3 exits)
0040B41E  |.  74 29         JE SHORT 0040B449
0040B420  |.  83E8 01       SUB EAX,1
0040B423  |.  75 40         JNE SHORT 0040B465
0040B425  |.  8B57 1C       MOV EDX,DWORD PTR DS:[EDI+1C]                     ; Case 3 of switch Tcpview.40B41B
0040B428  |.  0196 90060000 ADD DWORD PTR DS:[ESI+690],EDX
0040B42E  |.  119E 94060000 ADC DWORD PTR DS:[ESI+694],EBX
0040B434  |.  8386 C0060000 ADD DWORD PTR DS:[ESI+6C0],1
0040B43B  |.  119E C4060000 ADC DWORD PTR DS:[ESI+6C4],EBX
0040B441  |.  5E            POP ESI
0040B442  |.  5F            POP EDI
0040B443  |.  5D            POP EBP
0040B444  |.  5B            POP EBX
0040B445  |.  83C4 3C       ADD ESP,3C
0040B448  |.  C3            RETN
0040B449  |>  8B47 1C       MOV EAX,DWORD PTR DS:[EDI+1C]                     ; Case 2 of switch Tcpview.40B41B
0040B44C  |.  0186 78060000 ADD DWORD PTR DS:[ESI+678],EAX
0040B452  |.  119E 7C060000 ADC DWORD PTR DS:[ESI+67C],EBX
0040B458  |.  8386 A8060000 ADD DWORD PTR DS:[ESI+6A8],1
0040B45F  |.  119E AC060000 ADC DWORD PTR DS:[ESI+6AC],EBX
0040B465  |>  5E            POP ESI                                           ; Default case of switch Tcpview.40B41B
0040B466  |.  5F            POP EDI
Namangan answered 26/1, 2011 at 10:11 Comment(3)
interesting. "is not supported in xp and 2003 officially". but it's supported, right? what about vista/w7?Shuma
from vista, windows provides some APIs for get every connections statistics. such as GetPerTcpConnectionEStats, GetUdpTcpConnectionEStats, you can get more information from MSDN.Namangan
@xjdrew: There is no GetPerUdpConnectionEStats() as far as I can tell. See also: https://mcmap.net/q/830435/-get-udp-connection-statistics-from-ip-helper-api-iphlpapi-dll/385513Drum
N
7

all, I have basically fully reverse tcpview 3.0.2 and implement the same feature as its according to what I have learnt.

tcpview use ETW for monitoring network activity.

The key APIs are StartTrace, OpenTrace, ProcessTrace.

Use the KERNEL_LOGGER_NAME and enable EVENT_TRACE_FLAG_NETWORK_TCPIP flags.

Then you can retrieve network activity data from EventCallback, then parse it as TcpIp_TypeGroup1 and other structures. According to the document, these structures are only supported from vista. However you can call and use it in xp(guess from reverse) and 2003(My environment is 2003, no test on xp). Certainly you have to define all these structures by yourself.

From vista, win provides some APIs for retrieving every connections statistic information. Such as GetPerTcpConnectionEStats, GetPerUdpConnectionEStats, you can get more details from MSDN.

Also, from vista, you can use RAW Socket to finish the same work(more precise I think). Before vista, RAW Socket can't retrieve SEND packets, it's a pity.

Namangan answered 16/1, 2011 at 12:21 Comment(0)
N
4

I want to implement this function also, so I reverse tcpview 3.0.2.

I found, tcpview use a WMI performance counter MSNT_TcpIpInformation.

But MSNT_TcpIpInformation is not supported in xp and 2003 officially.

here is the description, you can reference to. http://www.scriptinternals.com/new/us/support/Internal/WMI_MSNT_TcpIpInformation.htm

by the way, MSNT_TcpIpInformation have no information about packets, so tcpview just increment sent and revd packets everytime. here is the disassemble:

CPU Disasm
Address   Hex dump          Command                                           Comments
0040B41B  |.  83E8 02       SUB EAX,2                                         ; Switch (cases 2..3, 3 exits)
0040B41E  |.  74 29         JE SHORT 0040B449
0040B420  |.  83E8 01       SUB EAX,1
0040B423  |.  75 40         JNE SHORT 0040B465
0040B425  |.  8B57 1C       MOV EDX,DWORD PTR DS:[EDI+1C]                     ; Case 3 of switch Tcpview.40B41B
0040B428  |.  0196 90060000 ADD DWORD PTR DS:[ESI+690],EDX
0040B42E  |.  119E 94060000 ADC DWORD PTR DS:[ESI+694],EBX
0040B434  |.  8386 C0060000 ADD DWORD PTR DS:[ESI+6C0],1
0040B43B  |.  119E C4060000 ADC DWORD PTR DS:[ESI+6C4],EBX
0040B441  |.  5E            POP ESI
0040B442  |.  5F            POP EDI
0040B443  |.  5D            POP EBP
0040B444  |.  5B            POP EBX
0040B445  |.  83C4 3C       ADD ESP,3C
0040B448  |.  C3            RETN
0040B449  |>  8B47 1C       MOV EAX,DWORD PTR DS:[EDI+1C]                     ; Case 2 of switch Tcpview.40B41B
0040B44C  |.  0186 78060000 ADD DWORD PTR DS:[ESI+678],EAX
0040B452  |.  119E 7C060000 ADC DWORD PTR DS:[ESI+67C],EBX
0040B458  |.  8386 A8060000 ADD DWORD PTR DS:[ESI+6A8],1
0040B45F  |.  119E AC060000 ADC DWORD PTR DS:[ESI+6AC],EBX
0040B465  |>  5E            POP ESI                                           ; Default case of switch Tcpview.40B41B
0040B466  |.  5F            POP EDI
Namangan answered 26/1, 2011 at 10:11 Comment(3)
interesting. "is not supported in xp and 2003 officially". but it's supported, right? what about vista/w7?Shuma
from vista, windows provides some APIs for get every connections statistics. such as GetPerTcpConnectionEStats, GetUdpTcpConnectionEStats, you can get more information from MSDN.Namangan
@xjdrew: There is no GetPerUdpConnectionEStats() as far as I can tell. See also: https://mcmap.net/q/830435/-get-udp-connection-statistics-from-ip-helper-api-iphlpapi-dll/385513Drum
S
3

Check the WinSock LSP Sample project at http://connect.microsoft.com/WNDP/Downloads

You will find a sample in nonifslsp\sockinfo.cpp which "illustrates how to develop a layered service provider that is capable of counting all bytes transmitted through a TCP/IP socket."

Siusiubhan answered 16/1, 2011 at 13:41 Comment(1)
+1: tnx, interesting info, still looking for something easierShuma
P
2

The sysinternals version of netstat (netstatp) does this. IIRC, it uses SNMP to gather its info. Search the net and find a version you're comfortable with. The file names are netstatp.c and netstatp.h
Sysinternals no longer publishes netstatp that I am aware of.

You can also go here and get tcpview and/or tcpconv one of which is available in source form.

Purser answered 17/1, 2011 at 21:8 Comment(2)
+1. tnx for the info. I didn't find any code related with per-connection bytes sent/received in netstatp.c. tcpview is not available in source, and tcpconv doesn't provide such functionality. any additional info what to dig in SNMP?Shuma
@robin hood:Sorry, I cannot find the old code that sysinternals used to publish. The next time I go to my physical office I'll look to see if it's there. I know you can get the info from SNMP, but I do not know the OIDs.Purser
P
1

Have a look at the source code for BitMeterOS, it works on xp+. you many also want to look at TCPDump/Libpcap as well. both of these monitor network network traffic, libpcap will probably be what your after though

there is also Winpcap, a more windows orientated 'version', a simple tutorial on network traffic stats can be found here, you'll also be interested in this for filtering based on connection and this for the size of the raw packets.

Palette answered 26/1, 2011 at 10:58 Comment(2)
checked BitMetereOS, looks like its system-wide statistics, not per socket/connection. Winpcap: as I remember it doesn't capture loopback traffic. Pls correct meShuma
@Andy T: according to the FAQ, it doesn't, but thats a windows problem: winpcap.org/misc/faq.htm however, wireshark, which uses winpcap, has a method on how to do it: wiki.wireshark.org/CaptureSetup/Loopback though I'd just use a physical loop plug from work :PPalette
F
0

My best bet would be hooking the "send" API calls and recording the amount sent each time. Although this really doesn't seem worth it, I'm pretty sure it would work. Good luck!

Fridlund answered 16/1, 2011 at 21:22 Comment(3)
SetWindowsHookEx() can't hook send()Cantonment
Ah yea, I spoke too soon, sorry. Anyway, maybe you would have to look at kernel-mode code as that's where all send()'s end up.. just a thought.Fridlund
No, you shouldn't need to get your hands dirty in the kernel: you can hook send() using a layered protocol as a service provider within Windows Sockets, as Maxim's answer referred to.Cantonment

© 2022 - 2024 — McMap. All rights reserved.