Network Activity
MSO-Scripts gathers and correlates key ETW events from common network providers: TCP/IP, WinSock, WinHTTP, LDAP, WinINet, URLMon, Chromium, DNS.
It also stitches together symbolic call stacks across threads to identify the native code that originated each network connection.
A WPA add-in organizes the data into a timeline and activity table.
- Download and unzip MSO-Scripts.
- MSO-Scripts\BETA\TraceNetwork Start
- Launch the app. Exercise the code.
- MSO-Scripts\BETA\TraceNetwork Stop
- MSO-Scripts\BETA\TraceNetwork View
- List all options: MSO-Scripts\BETA\TraceNetwork -?
Important
If the PowerShell script does not run, you can instead run the Batch script: MSO-Scripts\BETA\TraceNetwork.BAT ...
See: What if I can't run PowerShell scripts in my environment?
Note
MSO-Scripts has two scripts named TraceNetwork, one in the root folder and one in the BETA folder.
These two scripts collect the same data, but BETA\TraceNetwork View uses a special WPA plug-in to easily analyze network activity.
Windows and many of its applications, such as Microsoft Office, use WinHTTP, WinINet, and related services to communicate over the network or internet.
These, and nearly every other Windows-based network service, are built on top of WinSock, which communicates via the TCP/IP layer.
```mermaid
---
title: Simplified Network Layer Diagram
---
flowchart TD;
    WinSock-->TCP/IP
    WinHTTP-->WinSock
    WinINet-->WinSock
    LDAP-->WinSock
    Chromium-->WinSock
    TCP/IP-.->Network{{Network / Internet}}
```
MSO-Scripts gathers the essential ETW events from TCP/IP, WinSock, WinINet, WinHTTP and other providers to create (using a custom WPA plugin) a detailed, correlated timeline and table of network activity:
- Server / DNS Name(s)
- URL
- IP Address & Port
- Protocol & Method
- Bytes sent/received
- Start Time & Duration
- Process & Threads
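As an added illustration of what correlating these provider events involves (this is example code written for this page, not code from MSO-Scripts or its WPA add-in), the Python below joins constructed DNS, WinHTTP and TcpIp events by process and endpoint to produce one row per connection with the fields listed above. The event tuple layout, provider names and field names are assumptions made for the example, not the real ETW schema.

```python
"""Correlating per-provider events into one row per connection.

Added illustration, not the MSO-Scripts NetBlame add-in's code. DNS, TcpIp and
WinHTTP events come from separate providers and share only process/thread ids,
addresses and names; joining them by (process, resolved IP, port) and by time
window yields the per-request table. Event layout and names are assumptions.
"""
from urllib.parse import urlsplit

# Constructed trace (time in ms). Entry: (time, provider, pid, tid, fields)
NET_TRACE = [
    (100, "DNS",     4242, 7, {"name": "updates.example.invalid", "ip": "203.0.113.10"}),
    (105, "WinHTTP", 4242, 7, {"op": "SendRequest", "req": 1, "method": "GET",
                               "url": "https://updates.example.invalid/manifest.json"}),
    (110, "TcpIp",   4242, 9, {"op": "Connect", "ip": "203.0.113.10", "port": 443}),
    (140, "TcpIp",   4242, 9, {"op": "Send", "ip": "203.0.113.10", "port": 443, "bytes": 512}),
    (300, "TcpIp",   4242, 9, {"op": "Recv", "ip": "203.0.113.10", "port": 443, "bytes": 4096}),
    (320, "WinHTTP", 4242, 7, {"op": "RequestComplete", "req": 1}),
    # A second process talking to the same IP must not be merged into the first.
    (150, "TcpIp",   5151, 3, {"op": "Connect", "ip": "203.0.113.10", "port": 443}),
    (160, "TcpIp",   5151, 3, {"op": "Send", "ip": "203.0.113.10", "port": 443, "bytes": 64}),
]


def build_table(trace):
    """One row per connection: URL-level rows from WinHTTP, socket-level rows for the rest."""
    events = sorted(trace, key=lambda e: e[0])
    # DNS answers are kept per process: another process may have resolved differently.
    name_to_ip, ip_to_name = {}, {}
    for t, prov, pid, tid, f in events:
        if prov == "DNS":
            name_to_ip[(pid, f["name"])] = f["ip"]
            ip_to_name[(pid, f["ip"])] = f["name"]

    connects = [i for i, e in enumerate(events) if e[1] == "TcpIp" and e[4]["op"] == "Connect"]
    claimed, rows = set(), []

    def row(pid, ip, port, start, end, url=None, method=None, proto="tcp", threads=()):
        # Aggregate bytes and participating threads on this endpoint within the window.
        sent = recv = 0
        tids = set(threads)
        for t, prov, p, tid, f in events:
            if prov == "TcpIp" and p == pid and f["ip"] == ip and f["port"] == port and start <= t <= end:
                tids.add(tid)
                if f["op"] == "Send":
                    sent += f["bytes"]
                elif f["op"] == "Recv":
                    recv += f["bytes"]
        return {"process": pid, "threads": sorted(tids), "server": ip_to_name.get((pid, ip)),
                "url": url, "ip": ip, "port": port, "protocol": proto, "method": method,
                "sent": sent, "received": recv, "start": start, "duration": end - start}

    # 1. WinHTTP requests: resolve the URL host through this process's DNS events, then
    #    claim the first unclaimed TcpIp Connect to that endpoint during the request.
    for t, prov, pid, tid, f in events:
        if prov != "WinHTTP" or f["op"] != "SendRequest":
            continue
        parts = urlsplit(f["url"])
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ip = name_to_ip.get((pid, parts.hostname))
        end = next((e[0] for e in events if e[1] == "WinHTTP" and e[2] == pid
                    and e[4]["op"] == "RequestComplete" and e[4]["req"] == f["req"]), events[-1][0])
        for i in connects:
            ct, _, cpid, _, cf = events[i]
            if i not in claimed and cpid == pid and cf["ip"] == ip and cf["port"] == port and t <= ct <= end:
                claimed.add(i)
                break
        rows.append(row(pid, ip, port, t, end, f["url"], f["method"], parts.scheme, {tid}))

    # 2. Connections no request explains (raw WinSock users, other processes): keep them
    #    as socket-level rows so every endpoint is still accounted for.
    for i in connects:
        if i in claimed:
            continue
        ct, _, cpid, ctid, cf = events[i]
        last = max((e[0] for e in events if e[1] == "TcpIp" and e[2] == cpid
                    and e[4]["ip"] == cf["ip"] and e[4]["port"] == cf["port"]), default=ct)
        rows.append(row(cpid, cf["ip"], cf["port"], ct, last, threads={ctid}))
    return sorted(rows, key=lambda r: r["start"])


if __name__ == "__main__":
    for r in build_table(NET_TRACE):
        print(r)
```

The second process's connection lands in the table with no URL and no server name because it has neither a WinHTTP request nor a DNS event of its own; that is the same situation the page describes for Chromium, whose WinSock and TcpIp events appear without URLs. Real providers carry socket and request identifiers that make the join exact; joining on (process, IP, port, time window) as here is an approximation.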
Note
Network traces collected on a pre-Windows 10 OS may not work with the custom plug-in loaded by BETA\TraceNetwork View ...
In that case use the non-BETA version of TraceNetwork, which exposes network activity in a different way.
The Chromium network engine is able to emit ETW events related to its activity, including URLs.
However, these events do not correlate well with the other, underlying ETW Network providers,
and therefore they are not processed by the WPA add-in, and they do not show up in the "NetBlame URL Table" tab.
(In that tab, under the Browser process, you will still find the underlying WinSock and TcpIp events, which do not reveal the URLs.)
To view Chromium's URLs and related activity, here are three options:
- Use the "Chromium Events" tab (from the command BETA\TraceNetwork View). This view uses a Regions of Interest specification to organize a subset of Chromium events in a useful way.
- Use the experimental TraceEdgeChrome script to capture an alternate trace of Edge / Chrome / WebView2 activity:
  - Optional: Close the Edge / Chrome browser and kill all its processes: TaskKill /f /im MSEdge.exe (or Chrome.exe, etc.)
  - MSO-Scripts\BETA\TraceEdgeChrome Start -JS
  - Launch and exercise the browser.
  - MSO-Scripts\BETA\TraceEdgeChrome Stop
  - MSO-Scripts\BETA\TraceEdgeChrome View
  This view has two charts/tables:
  a. Annotated Generic Events: In the 'Annotation' column find the "URL" annotation for the process of interest. (The URL itself is usually in Field 3 or 4.)
  b. Regions of Interest: Corresponding Begin/End events are paired and charted to show elapsed time.
- Load an alternate WPA View Profile: Profiles > Apply > Browse > ...
  - MSO-Scripts\BETA\WPAP\MSEdge.wpaProfile (the default view for TraceEdgeChrome)
    a. Lists generic Browser events, where URL-bearing events are annotated: "URL"
    b. Corresponding Begin/End events are paired and charted to show elapsed time.
  - MSO-Scripts\WPAP\EdgeRegions.wpaProfile (a default view for TraceNetwork)
    a. Organizes a subset of Chromium events in a useful way.
Note
Stack walk information for Chromium events is available in the 'Generic Events' tables in the MSEdge.wpaProfile view profile (the default view profile for the TraceEdgeChrome script).
- Ensure: Trace > Load Symbols
- Enable the 'Stack' column (Ctrl-E)
- See also Symbol Resolution: JavaScript
Each event that creates a network request records the flow of code that led to it, i.e. a call stack (stackwalk) on that execution thread. However, network requests are usually scheduled on one thread and then issued shortly afterward on another, and the scheduling chain may pass through many threads.
MSO-Scripts captures the activity of the Windows and Office Thread Pools and stitches the stacks together to reveal the chain, even as far back as WinMain (app launch). To view these execution stacks, enable any of these four columns in the "NetBlame URL Table" tab via WPA's View Editor (Ctrl+E):
- First Stack: the earliest available call stack which initiated the network request, nearest to WinMain.
- Last Stack: the call stack of the actual network request (often dispatched in a pool thread).
- Middle Stacks: an aggregation of call stacks (if any) between the First and Last Stack.
- Full Stacks: the aggregation of all call stacks leading to the network request, First + Middle + Last.
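The stitching described above, as an added example in Python: this is a simplified model written for this page, not the NetBlame add-in's code. It walks thread-pool Submit/Execute pairs backwards from a request to assemble the four columns, and also covers the single-stack case in which First and Last are the same stack. The event kinds, field names and stack frames are constructed assumptions, not the real ETW schema.

```python
"""Stitching call stacks across thread-pool hops.

Added illustration of the First / Middle / Last / Full Stacks idea; not the
NetBlame add-in's code. In the constructed trace, "Submit" is a thread-pool
queue event captured with the queuing thread's stack, "Execute" marks a pool
thread starting that work item, and "NetRequest" is the network call itself.
Frames are listed root (WinMain) first. Names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    time: int                        # trace timestamp (constructed, monotonic)
    thread: int                      # OS thread id
    kind: str                        # "Submit", "Execute" or "NetRequest"
    stack: list[str]                 # root first, leaf last
    work_item: Optional[int] = None  # pool work item id (Submit / Execute)
    url: Optional[str] = None        # NetRequest only


# Constructed trace: UI thread 100 queues item 7; pool thread 200 runs it and queues
# item 8; pool thread 300 runs item 8 and opens the connection (two hops).
# The second request is issued directly on the UI thread (no hops).
POOL_TRACE = [
    Event(10, 100, "Submit", ["WinMain", "App::OnIdle", "Updater::Check", "Tp::Submit"], work_item=7),
    Event(20, 200, "Execute", ["TpWorker", "Tp::Dispatch"], work_item=7),
    Event(25, 200, "Submit", ["TpWorker", "Updater::Work", "Http::Begin", "Tp::Submit"], work_item=8),
    Event(30, 300, "Execute", ["TpWorker", "Tp::Dispatch"], work_item=8),
    Event(35, 300, "NetRequest", ["TpWorker", "Http::Send", "WinHttpSendRequest", "WSAConnect"],
          url="https://updates.example.invalid/manifest.json"),
    Event(40, 100, "NetRequest", ["WinMain", "App::Login", "WinHttpSendRequest", "WSAConnect"],
          url="https://login.example.invalid/"),
]


def _last_before(trace, kind, time, **match):
    """Most recent event of `kind` strictly before `time` whose fields equal `match`."""
    found = [e for e in trace if e.kind == kind and e.time < time
             and all(getattr(e, k) == v for k, v in match.items())]
    return max(found, key=lambda e: e.time, default=None)


def stitch(trace, request):
    """Walk Execute -> Submit pairs backwards from `request`; return stacks earliest first.

    Each hop strictly decreases the time bound, so the walk terminates. It stops
    when the current thread has no prior pool dispatch (the thread that started
    the chain, ideally under WinMain) or when the Submit for a dispatched item is
    missing from the trace (lost event), truncating the chain rather than guessing.
    """
    chain = [request.stack]
    thread, time = request.thread, request.time
    while True:
        ex = _last_before(trace, "Execute", time, thread=thread)
        if ex is None:
            break
        sub = _last_before(trace, "Submit", ex.time, work_item=ex.work_item)
        if sub is None:
            break
        chain.insert(0, sub.stack)
        thread, time = sub.thread, sub.time
    return chain


def netblame_columns(trace, request):
    """The four stack columns for one request.

    With a single hop-free stack, First and Last are the same stack and Middle is
    empty, which is the single-stack behaviour this page notes for the add-in.
    """
    chain = stitch(trace, request)
    return {
        "First Stack": chain[0],
        "Middle Stacks": chain[1:-1],
        "Last Stack": chain[-1],
        "Full Stacks": [frame for stack in chain for frame in stack],
    }


def analyze(trace):
    """Map each request URL to its stack columns."""
    return {e.url: netblame_columns(trace, e) for e in trace if e.kind == "NetRequest"}


if __name__ == "__main__":
    for url, cols in analyze(POOL_TRACE).items():
        print(url)
        for name, stacks in cols.items():
            print(f"  {name}: {stacks}")
```

The walk links a request to the most recent pool dispatch on its thread. A real implementation also needs the pool's completion events to bound that window; otherwise a stale dispatch on an idle pool thread could be chained to an unrelated request. Only native thread-pool events are modelled here, in line with the note that stack chaining applies to native code using the Windows and Office Thread Pools.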
Note
Stackwalking works on all platforms: Native (C, C++), Managed (C#, CLR with Start -CLR), and JavaScript (V8, Chakra with Start -JS).
However, stack chaining works only with Native code using the Windows and/or Office Thread Pools.
Note
In the current version of the NetBlame add-in for WPA, when there is exactly one thread's call stack leading to a network request, it appears in both columns: First Stack and Last Stack. This can be useful in some scenarios, confusing in others.
See Also
• CPU Execution Sampling
• Wait Analysis
• Blocking/Waiting Code
• Deadlocks
• Deep Dive
• Native Code
• Managed Code
• JavaScript
• Speed Up Symbol Resolution
• Share Symbols with Others
• Troubleshoot Symbols Resolution
• Digging Deeper
• Missing Stackwalks
• ETW Providers
• Environment Variables
• Modify the Scripts
• CPU Monitor Counters
• More Performance Resources