14

I'd like to find out which processes are using my network. This is quite easy in Linux, but I'm stumped as to how to do this in Windows.

Essentially, I'd like, for each process, to know how many bytes it has read/written to the network over a time period. If I could know IP addresses/port numbers, etc., that would be awesome.

Any pointers? Windows Vista/Windows 2008 seem to be able to do this in Resource Monitor. How do they do it? What's the overhead?

I want to do this in my own code, so utilities (TCPView, PerfMon) aren't useful to me. I'd also like to have separate disk and network I/O counters, so the default performance counters aren't enough.

Windows XP, 2003, Vista, 2008 and 7 preferred. Win32 or COM OK.

Roger Lipscombe
  • From the answers so far, it looks like people think you're looking for a utility to do this with. Are you looking for a tool, or looking to program this yourself in your own app? I suggest clarifying, and letting us know what programming environment you're using if appropriate, etc. – Jay Mar 10 '09 at 14:34
  • I posted some POC code here https://stackoverflow.com/questions/44689482/how-to-monitor-process-network-usage-under-windows/55085910#55085910 for a similar question. – Malcolm Swaine Mar 19 '19 at 18:58

5 Answers

4

After quite a bit of research here's what I've come up with:

  1. There are a number of posts in various forums asking for this same info.
  2. The only possible programmatic solution I saw was to use Event Tracing for Windows (ETW). That would take a small book to explain/understand.
  3. The PERF counters, which can be obtained from the registry, are not Powershell friendly. They use data structures that are designed to be consumed by C/C++ programs. URL of a pretty complete example: http://msdn.microsoft.com/en-us/library/windows/desktop/aa372138(v=vs.85).aspx
  4. SysInternals has TCPVIEW which shows network usage by process. When you start it most processes don't show any usage. It appears to only collect usage info for the time period it is running. Which lends weight to the idea that ETW is being used.
  5. If I browsed websites with IE9, I would see processes being created in TCPVIEW. In most cases the processes would disappear (terminate) within a minute or so - along with the stats of the process.
  6. Similarly to ProcessExplorer, when processes are created they are highlighted green, and when they are destroyed they are highlighted red.
  7. Red highlighted processes disappear after the next Update. Update frequency can be 1, 2, or 5 seconds. However there is a registry setting, HKEY_CURRENT_USER\Software\Sysinternals\TCPView\Settings, which can be modified to set other refresh frequencies. It is a DWORD at offset 0x98, and is in milliseconds.
  8. TCPVIEW has a "Save"/"Save As" menu item. The output is a space delimited text file that has the per process usage stats that are currently displayed in the GUI. Below is a sample line from the file. The numbers at the end of the line are received pkts/sec, received bytes/sec, transmitted pkts/sec and bytes/sec (not necessarily in that order):

     iexplore.exe 864 TCP tin 61207 a96-17-203-64.deploy.akamaitechnologies.com http ESTABLISHED 2 12,928 8 9,420

So...

A possible solution is to use TCPVIEW and control it via key strokes generated programmatically from a script. You could set the refresh interval to 1, 10, 30, etc. minutes and have the script send the keystrokes to make TCPVIEW save the output in a file. You'd probably want the script to send the keystrokes at half or a third of the refresh interval, to make sure you are getting a snapshot that is at least as long as 1/2 or 2/3 of the refresh interval. You could import the file using Import-CSV, and easily manipulate it within the script.

Or...

You could get masochistic and use ETW.

Or...

You could go off the deep end and port Linux's proc file system (which, as you noted, is a lot easier to use from scripts) to Windows :-)

Χpẘ
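The import step of the script-driven TCPView approach above, written as an added example (not code from the answer): it parses a saved TCPView file into objects and totals bytes per process. The column names are my assumption from the quoted sample line; as the answer notes, the order of the four trailing counters is not certain, so rename them to match what your copy of TCPView writes.

```powershell
# Added example: parse a TCPView "Save As" file and total per-process counters.
function Import-TcpViewSave {
    param([string[]]$Lines)
    # Assumed column layout, derived from the sample line in the answer.
    $header = 'Process','PID','Protocol','LocalHost','LocalPort','RemoteHost',
              'RemotePort','State','RxPackets','RxBytes','TxPackets','TxBytes'
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # The counters carry thousands separators ("12,928"), so Import-Csv with its
        # default comma delimiter would split them. Split on whitespace instead and
        # strip the commas before converting to numbers.
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne $header.Count) { Write-Warning "Skipping malformed line: $line"; continue }
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) { $obj[$header[$i]] = $f[$i] }
        foreach ($k in 'RxPackets','RxBytes','TxPackets','TxBytes') {
            $obj[$k] = [int64]($obj[$k] -replace ',', '')
        }
        $obj['PID'] = [int]$obj['PID']
        [pscustomobject]$obj
    }
}

function Get-TcpViewProcessTotals {
    param([string[]]$Lines)
    Import-TcpViewSave $Lines | Group-Object Process | ForEach-Object {
        [pscustomobject]@{
            Process     = $_.Name
            Connections = $_.Count
            RxBytes     = ($_.Group | Measure-Object RxBytes -Sum).Sum
            TxBytes     = ($_.Group | Measure-Object TxBytes -Sum).Sum
        }
    } | Sort-Object RxBytes -Descending
}

# Constructed sample input: the line quoted in the answer plus two invented rows.
$sample = @(
    'iexplore.exe 864 TCP tin 61207 a96-17-203-64.deploy.akamaitechnologies.com http ESTABLISHED 2 12,928 8 9,420'
    'iexplore.exe 864 TCP tin 61208 example.invalid https ESTABLISHED 1 1,024 1 512'
    'svchost.exe 1032 TCP tin 135 tin 0 LISTENING 0 0 0 0'
)
# For a real file: Get-TcpViewProcessTotals -Lines (Get-Content .\tcpview.txt)
Get-TcpViewProcessTotals -Lines $sample | Format-Table -AutoSize
```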
3

I wrote a solution to this.

A TDI filter driver to collect the stats, a service which communicates with the driver and gets the stats once per second. Since the filter is at the TDI layer, I know which sockets belong to which applications. The service is a server for this data, offering it via shared memory to arbitrary third party clients via an API I wrote. I wrote a GUI and a command line client.

You can also bandwidth shape sends (per interface and/or application and/or socket) and watch data passing over a socket in real time, in a window.

  • 2
    I'll take your word that you looked at this problem and decided that "write a custom TDI filter driver" was the best solution. I assumed that if you have some code you could have published, you would have done, and I'm not one of those people that says "show m3 the c0deZ!". Pointing me in the right direction is plenty, thanks. – Roger Lipscombe Nov 16 '09 at 16:32
1

You'd be amazed at the stuff you can get out of Perfmon.

Bring it up, right click in the graph area, and select "Add Counters...". Surf around and see if anything does what you want.

From my reading of what you are asking, I'd select "Process" as my performance object, and start selecting likely looking culprits from the list of processes, with perhaps "IO Data Bytes/sec" counters being watched. If you mess around in there you may find something more useful to you to look at though.

Edit: I'm noticing that it says "Programmatically" (did it say that yesterday?)

Well, you can actually get pretty much all the information Perfmon gets from the registry with the key HKEY_PERFORMANCE_DATA. I think that's what Perfmon enumerates and uses, so you should be able to poke around with perfmon to see what's there and works for you, then write code to read it out in realtime in your own program.

One of the really nice things about this method, is that it even works remotely, if you have the right privs.

T.E.D.
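Reading the "Process" object's "IO Data Bytes/sec" counter named above from a script, as an added example that is not part of the answer. It uses Get-Counter (PowerShell 2.0 and later), which reads the same performance data as Perfmon, samples every process over a short window and reports the busiest ones. Keep in mind that this counter covers all I/O the process generates (file, network and device), so it does not separate network from disk, which is exactly the limitation the question mentions.

```powershell
# Added example: sample per-process "IO Data Bytes/sec" and report the top consumers.
function Get-TopProcessIo {
    param(
        [int]$Samples = 5,          # number of samples to take
        [int]$IntervalSeconds = 1,  # seconds between samples
        [int]$Top = 10              # how many processes to report
    )
    # Get-Counter returns one sample set per interval; each set holds one
    # CounterSample per process instance. Processes that exit mid-run produce
    # errors for the missing instance, which are suppressed here.
    $sets = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples `
                        -ErrorAction SilentlyContinue
    $sets.CounterSamples |
        # Instance names come back lowercased; drop the aggregate and the idle pseudo-process.
        Where-Object { @('_total', 'idle') -notcontains $_.InstanceName } |
        Group-Object InstanceName |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object CookedValue -Average).Average
            $max = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
            [pscustomobject]@{
                Process        = $_.Name
                AvgBytesPerSec = [math]::Round($avg)
                MaxBytesPerSec = [math]::Round($max)
            }
        } |
        Sort-Object AvgBytesPerSec -Descending |
        Select-Object -First $Top
}

Get-TopProcessIo -Samples 5 -IntervalSeconds 1 -Top 10 | Format-Table -AutoSize
```

Add -ComputerName to Get-Counter to sample a remote machine, which is the remote capability the answer refers to.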
1

You will need to use the IPHelper API.

Here is a good article detailing its use from .NET: http://www.codeproject.com/KB/IP/iphlpapi.aspx

Enjoy.

Sam Axe
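The IP Helper call that maps TCP connections to processes is GetExtendedTcpTable (iphlpapi.dll, available from Windows XP SP2 / Server 2003 SP1), which is what the linked .NET article wraps. The following is an added example, not code from the answer or the article: it declares the function through P/Invoke from PowerShell 3.0 or later, reads the MIB_TCPTABLE_OWNING_PID table and returns one object per IPv4 connection with its owning PID and process name. It only lists endpoints; byte counts per connection need one of the other approaches on this page.

```powershell
# Added example: enumerate IPv4 TCP connections with their owning process via IP Helper.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class IpHlp {
    [StructLayout(LayoutKind.Sequential)]
    public struct MIB_TCPROW_OWNER_PID {   // one row of MIB_TCPTABLE_OWNER_PID
        public uint dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid;
    }
    [DllImport("iphlpapi.dll", SetLastError = true)]
    public static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize,
        bool bOrder, int ulAf, int tableClass, int reserved);
}
"@
function ConvertFrom-NetworkPort([uint32]$dw) {
    # Ports are stored in network byte order in the low 16 bits of the DWORD.
    return [int]((($dw -band 0xFF) -shl 8) -bor (($dw -shr 8) -band 0xFF))
}
function Get-TcpConnectionsByPid {
    $states = @{ 1='CLOSED'; 2='LISTEN'; 3='SYN_SENT'; 4='SYN_RCVD'; 5='ESTABLISHED'; 6='FIN_WAIT1';
                 7='FIN_WAIT2'; 8='CLOSE_WAIT'; 9='CLOSING'; 10='LAST_ACK'; 11='TIME_WAIT'; 12='DELETE_TCB' }
    $AF_INET = 2; $TCP_TABLE_OWNER_PID_ALL = 5
    $size = 0
    # First call with a null buffer fails with ERROR_INSUFFICIENT_BUFFER and reports the size needed.
    [void][IpHlp]::GetExtendedTcpTable([IntPtr]::Zero, [ref]$size, $true, $AF_INET, $TCP_TABLE_OWNER_PID_ALL, 0)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $rc = [IpHlp]::GetExtendedTcpTable($buf, [ref]$size, $true, $AF_INET, $TCP_TABLE_OWNER_PID_ALL, 0)
        if ($rc -ne 0) { throw "GetExtendedTcpTable failed with Win32 error $rc" }
        $rowType = [IpHlp+MIB_TCPROW_OWNER_PID]
        $rowSize = [Runtime.InteropServices.Marshal]::SizeOf($rowType)
        $count   = [Runtime.InteropServices.Marshal]::ReadInt32($buf)   # dwNumEntries precedes the rows
        for ($i = 0; $i -lt $count; $i++) {
            $r = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]::Add($buf, 4 + $i * $rowSize), $rowType)
            [pscustomobject]@{
                PID        = $r.dwOwningPid
                Process    = (Get-Process -Id $r.dwOwningPid -ErrorAction SilentlyContinue).ProcessName
                # IPAddress(long) expects the packed network-order value, which is what the row holds.
                LocalAddr  = (New-Object System.Net.IPAddress ([int64]$r.dwLocalAddr)).ToString()
                LocalPort  = ConvertFrom-NetworkPort $r.dwLocalPort
                RemoteAddr = (New-Object System.Net.IPAddress ([int64]$r.dwRemoteAddr)).ToString()
                RemotePort = ConvertFrom-NetworkPort $r.dwRemotePort
                State      = $states[[int]$r.dwState]
            }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}
Get-TcpConnectionsByPid | Sort-Object Process | Format-Table -AutoSize
```

Use AF_INET6 (23) with the MIB_TCP6ROW_OWNER_PID layout for IPv6 sockets; the IPv6 row has a different structure, so it needs its own struct definition.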
0

Using ETW with EVENT_TRACE_FLAG_NETWORK_TCPIP will do the job.