Network Activity - microsoft/MSO-Scripts GitHub Wiki

• MSO-Scripts gathers and correlates key ETW events from common network providers:
  TCP/IP, WinSock, WinHTTP, LDAP, WinINet, URLMon, Chromium, DNS

• It also stitches together symbolic call stacks across various threads to identify the native code which originated each network connection.

• A WPA add-in organizes the data into a timeline and activity table.

• Download and unzip a Release of MSO-Scripts.
  (If you cloned the repository, you'll need to build the WPA plug-in.)
• MSO-Scripts\BETA\TraceNetwork Start
  Launch the app. Exercise the code.
• MSO-Scripts\BETA\TraceNetwork Stop
• MSO-Scripts\BETA\TraceNetwork View

List all options:

• MSO-Scripts\BETA\TraceNetwork -?

Windows and many of its applications, such as Microsoft Office, use WinHTTP, WinINet, and related services to communicate via network/internet.
These and most every other Windows-based network service are built on top of WinSock, which communicates via the TCP/IP layer.

---
title: Simplified Network Layer Diagram
---
flowchart TD;
   WinSock-->TCP/IP
   WinHTTP-->WinSock
   WinINet-->WinSock
   LDAP-->WinSock
   Chromium-->WinSock
   TCP/IP-.->Network{{Network / Internet}}

MSO-Scripts gathers the essential ETW events from TCP/IP, WinSock, WinINet, WinHTTP and other providers to create (using a custom WPA plugin) a detailed, correlated timeline and table of network activity:

• Server / DNS Name(s)
• URL
• IP Address & Port
• Protocol & Method
• Bytes sent/received
• Start Time & Duration
• Process & Threads

The Chromium network engine is able to emit ETW events related to its activity, including URLs.
However, these events do not correlate well with the other, underlying ETW Network providers, and therefore they are not processed by the WPA add-in, and they do not show up in the "NetBlame URL Table" tab. (In that tab, under the Browser process, you will still find the underlying WinSock and TcpIp events, which do not reveal the URLs.)

To view Chromium's URLs and related activity, here are three options:

1. Use the "Chromium Events" tab (from the command: BETA\TraceNetwork View).
       This view uses a Regions of Interest specification to organize a subset of Chromium events in a useful way.
2. Use the experimental TraceEdgeChrome script to capture an alternate trace of Edge / Chrome / WebView2 activity.
   • Optional: Close the Edge / Chrome Browser and kill all its processes: TaskKill /f /im MSEdge.exe or Chrome.exe, etc.
   • MSO-Scripts\BETA\TraceEdgeChrome Start -JS
   • Launch and exercise the browser.
   • MSO-Scripts\BETA\TraceEdgeChrome Stop
   • MSO-Scripts\BETA\TraceEdgeChrome View
     This view has two charts/tables:
     a. Annotated Generic Events: In the 'Annotation' column find the "URL" annotation for the process of interest.
         (The URL itself is usually in Field 3 or 4.)
     b. Regions of Interest: Corresponding Begin/End events are paired and charted to show elapsed time.
3. Load the alternate WPA View Profile:     Profiles > Apply > Browse > ...
   MSO-Scripts\BETA\WPAP\MSEdge.wpaProfile   (the default view for TraceEdgeChrome)
           a. Lists generic Browser events, where URL-bearing events are annotated: "URL"
           b. Corresponding Begin/End events are paired and charted to show elapsed time.
   MSO-Scripts\WPAP\EdgeRegions.wpaProfile   (a default view for TraceNetwork)
           a. Organizes a subset of Chromium events in a useful way.

Each event which creates a network request registers the flow of code which led to that event, i.e. a call stack (stackwalk) on that execution thread. However, network events are usually scheduled on one execution thread to occur soon thereafter on another thread. There may be many threads involved in the scheduling chain.

MSO-Scripts captures the activity of the Windows and Office Thread Pools, and stitches them together to reveal the chain of events, even as far back as WinMain (app launch). To view these execution stacks, enable any of these four columns in the "NetBlame URL Table" tab via WPA's View Editor (ctrl+E):

• First Stack: the earliest available call stack which initiated the network request, nearest to WinMain.
• Last Stack: the call stack of the actual network request (often dispatched in a pool thread).
• Middle Stacks: an aggregation of call stacks (if any) between the First and Last Stack.
• Full Stacks: the aggregation of all call stacks leading to the network request, First + Middle + Last.

• If you downloaded and unzipped a Release of MSO-Scripts, then you're good to go!

  Simply run: MSO-Scripts\BETA\TraceNetwork View

  TraceNetwork will automatically find the plug-in in this folder: MSO-Scripts\BETA\ADDIN

• If you installed MSO-Scripts in one of these ways:

  • Cloned the repository: https://github.com/microsoft/MSO-Scripts.git
  • Downloaded and unzipped the repository source
  • Downloaded and unzipped the source code of a Release

  ...then you will need to build the 'NetBlame' plug-in:

  1. Ensure that the .NET developer platform (dotnet.exe) is installed.
  2. On a command-line within the NetBlame folder, run: dotnet.exe build -c Release

  TraceNetwork will automatically find the plug-in under this folder: MSO-Scripts\NetBlame\bin\Release

Credit

Information in the GeoLocation column comes from GeoPlugin, and includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

See Also

• Network Activity: Deep Dive (YouTube)
  
• Introduction to Network Trace Analysis
  
• Symbol Resolution