ETW Manifest files - finding more information on the values?

  • Question

  • I'm troubleshooting the Windows networking stack and using PerfView/ETW to do it.

    I'm particularly interested in some values that appear in the manifest for the event source Microsoft-Windows-TCPIP.

    I can get the manifest with no problem using this method:

    (sorry, can't post links yet)

    https://github.com/Microsoft/perfview/blob/e2e8b4400f2726d0143db4c49a0f92ae7c250485/documentation/TraceEvent/TraceEventProgrammersGuide.md#creating-xml-manifests-for-eventsource-sources

    PerfView /onlyProviders=*Microsoft-Demos-MySource EventSource collect

    PerfView /noGui userCommand DumpEventSourceManifests PerfViewData.etl.zip
    

    The problem is that once I get the manifest, it has a bunch of values with not much explanation.

    e.g.

     <template tid="TcpTemplateChangedArgs">
      <data name="Tcb" inType="win:Pointer"/>
      <data name="TemplateType" inType="win:UInt32"/>
      <data name="Context" inType="win:UnicodeString"/>
     </template>
    

    where I'm specifically interested in this Context value, as in my test case I get "Initializing Templace SYNTCB" but that's it.

    I'd really like to know e.g.

    • how can I find where in the stack/code this template change is fired
    • what is this SYNTCB template anyway
    • can I step through the kernel TCP implementation

    I've done my best to have a look around in the .NET codebase for System.Net (networking code) to see if maybe there are ETW hooks in there, but I can't find anything...

    (sorry, can't post links yet)

    https://referencesource.microsoft.com/download.html

    I can also see the event in PerfView, but can't find the memory stack that holds the event (yep, I've expanded all the system-level events, and downloaded as many of the symbol libraries as possible).


    Friday, April 6, 2018 8:00 AM
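Since the manifest dumped by DumpEventSourceManifests is just XML, one way to make the values easier to read is to map every event onto the template it references and list that template's fields and types. The following is an added example, not code from the thread or from PerfView; the manifest it parses is constructed (the TcpTemplateChangedArgs template quoted above, plus two made-up events, one of which references a template the manifest never declares).

```python
# Added example (not from the thread or from PerfView): parse an ETW manifest
# as dumped by DumpEventSourceManifests and map each event to its template fields.
import xml.etree.ElementTree as ET

# Constructed sample manifest: the TcpTemplateChangedArgs template from the
# question plus two made-up events, the second referencing an undeclared template.
SAMPLE_MANIFEST = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
 <instrumentation><events>
  <provider name="Microsoft-Windows-TCPIP">
   <events>
    <event value="1001" template="TcpTemplateChangedArgs"/>
    <event value="1002" template="NotDeclaredArgs"/>
   </events>
   <templates>
    <template tid="TcpTemplateChangedArgs">
     <data name="Tcb" inType="win:Pointer"/>
     <data name="TemplateType" inType="win:UInt32"/>
     <data name="Context" inType="win:UnicodeString"/>
    </template>
   </templates>
  </provider>
 </events></instrumentation>
</instrumentationManifest>
"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events"}


def load_templates(root):
    """Return {tid: [(field name, inType), ...]} for every <template>."""
    return {
        t.get("tid"): [(d.get("name"), d.get("inType")) for d in t.iterfind("e:data", NS)]
        for t in root.iterfind(".//e:template", NS)
    }


def map_events(manifest_xml):
    """Return {event id: (template id, fields or None)} for every <event>.
    A None field list flags an event whose template the manifest never
    declares, instead of silently dropping it."""
    root = ET.fromstring(manifest_xml)
    templates = load_templates(root)
    return {int(ev.get("value")): (ev.get("template"), templates.get(ev.get("template")))
            for ev in root.iterfind(".//e:event", NS)}


if __name__ == "__main__":
    for eid, (tid, fields) in sorted(map_events(SAMPLE_MANIFEST).items()):
        print(eid, tid, fields)
```

Feed it the real manifest text that PerfView dumps and the Context field shows up as a win:UnicodeString on whichever events use TcpTemplateChangedArgs, which narrows down which event ids to filter on in the trace.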

All replies

  • Hi nwnze,

    Thank you for posting here.

    >>what is this SYNTCB template anyway

    Based on my search, I did not find any MSDN document mentioning the SYNTCB template. Did you define it yourself?

    >>how can i find where in the stack/code this template change is fired

    For your question, I do not know what the SYNTCB template is. If you want to know where this template is changed, you could try to use Message Analyzer.

    >>Can i step through the kernel TCP implementation

    Please try to use the Windows Kernel-Mode Memory Manager for the kernel TCP implementation.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.



    Tuesday, April 10, 2018 2:01 AM
    Moderator
  • Hi Wendy

    Many thanks for your reply

    >>Based on my search, I did not find any MSDN document mentioning the SYNTCB template. Did you define it yourself?

    No, I don't define it myself. It's part of the definition of the Microsoft-Windows-TCPIP ETW event source. It's the text that appears in the "Context" field that I put in my original post.

    Thanks for checking the Microsoft documentation. I did it too, and I couldn't find anything, which is why I'm posting here. I assume you have a bunch of people there at Microsoft that you can ask about the ETW implementation. Can you ask them?

    >>For your question, I do not know what the SYNTCB template is. If you want to know where this template is changed, you could try to use Message Analyzer.

    I've used Message Analyzer. It produces more or less the same results as PerfView. It just wraps a GUI around the XML objects that are in the ETW source manifest (like the one in my original post). Again, I assume you have access to a bunch of people at Microsoft who know the ETW implementation. Can you ask them?

    >>Please try to use the Windows Kernel-Mode Memory Manager for the kernel TCP implementation.

    Thanks for the link. Maybe you didn't get to post the right link. This link is for the kernel memory manager and AFAIK doesn't have anything to do with the TCP implementation.


    Tuesday, April 10, 2018 7:33 AM
  • Hi nwnze,

    Thank you for your feedback.

    Based on my search, I did not find an open-source version of ETW. Sorry for that.

    Please post this question in GitHub Issues. The developers of PerfView will give you a solution.

    https://github.com/Microsoft/perfview/issues

    Best Regards,

    Wendy


    MSDN Community Support

    Thursday, April 19, 2018 6:54 AM
    Moderator