How to programmatically filter on process id?

  • Question

  • I am writing a tiny program to capture network trace. I want to filter it on process id so that the resulting trace file will be not huge. I was thinking I could check process id in the callback function MyFrameIndication. However there does not seem a way to get hold of process id from any parameters in this function. How can I accomplish my goal? Any code samples? Thanks.

    // Frame-indication callback registered with the NetMon API (NMApi.h);
    // the context pointer carries the capture-file handle, and every frame
    // the engine hands us is appended to that file unfiltered.
    VOID CALLBACK MyFrameIndication(HANDLE hCapEng, ULONG ulAdaptIdx, PVOID pContext, HANDLE hRawFrame)
    {
        HANDLE capFile = (HANDLE)pContext;
        NmAddFrame(capFile, hRawFrame);
    }

    Wednesday, July 21, 2010 5:28 PM

Answers

  • Unfortunately you can't record process tracking information from a live capture with the API.  This functionality is extended by our UI and NMCap and is not part of the engine.  So you'd have to duplicate this functionality by making the same API calls we do and then store it manually in the capture file or track it separately.  We understand this would have been a nice extension to the API, but it was not something we were able to get to.

    You can look at this thread for more info:

    http://social.technet.microsoft.com/Forums/en/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee

    Paul

    • Marked as answer by XGan Friday, July 30, 2010 5:45 AM
    Monday, July 26, 2010 2:07 PM
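The "track it separately" approach the answer describes, as an added example that is not code from the thread or from the Network Monitor API: the callback cannot ask the engine which process owns a frame, so the program keeps its own snapshot of which local ports belong to which pid and parses the raw Ethernet/IPv4/TCP/UDP headers itself to decide whether to keep the frame before calling NmAddFrame. On Windows that snapshot would be populated from GetExtendedTcpTable / GetExtendedUdpTable (iphlpapi), which report the owning pid per socket; here the snapshot (pids 4242 and 77, ports 49152, 53000 and 80), the frame builder and all function names are constructed for the example so it compiles and runs anywhere.

```c
/* Added example: port-owner lookup used to filter raw frames by pid.
   The snapshot below is constructed; on Windows it would be refreshed from
   GetExtendedTcpTable/GetExtendedUdpTable rather than hard-coded. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6
#define PROTO_UDP       17

/* One row of the hypothetical port-owner snapshot. */
typedef struct {
    uint8_t  proto;       /* 6 = TCP, 17 = UDP */
    uint16_t local_port;  /* host byte order */
    uint32_t pid;
} PortOwner;

/* Constructed sample: pid 4242 owns TCP 49152 and UDP 53000, pid 77 owns TCP 80. */
static const PortOwner g_snapshot[] = {
    { PROTO_TCP, 49152, 4242 },
    { PROTO_UDP, 53000, 4242 },
    { PROTO_TCP, 80,    77   },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet/IPv4/{TCP,UDP} headers out of a raw frame, bounds-checking
   every read against len. Returns 0 on success, -1 if the frame is truncated
   or is not IPv4 carrying TCP or UDP. */
int parse_ports(const uint8_t *frame, size_t len, uint8_t *proto,
                uint16_t *src_port, uint16_t *dst_port)
{
    if (len < ETH_HDR_LEN + 20) return -1;
    if (rd16(frame + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ETH_HDR_LEN + ihl + 4 > len) return -1;
    *proto = ip[9];
    if (*proto != PROTO_TCP && *proto != PROTO_UDP) return -1;
    const uint8_t *l4 = ip + ihl;
    *src_port = rd16(l4);
    *dst_port = rd16(l4 + 2);
    return 0;
}

/* Pid that owns a matching local port on either end of the frame, or 0 if none.
   Both ports are checked because the local socket is the source on outbound
   frames and the destination on inbound ones; a production filter would also
   match the IP addresses from the snapshot to avoid collisions with remote ports. */
uint32_t frame_owner_pid(const uint8_t *frame, size_t len)
{
    uint8_t proto; uint16_t sp, dp;
    if (parse_ports(frame, len, &proto, &sp, &dp) != 0) return 0;
    for (size_t i = 0; i < sizeof g_snapshot / sizeof g_snapshot[0]; i++) {
        if (g_snapshot[i].proto == proto &&
            (g_snapshot[i].local_port == sp || g_snapshot[i].local_port == dp))
            return g_snapshot[i].pid;
    }
    return 0;
}

/* The decision a frame-indication callback would make before NmAddFrame. */
int keep_frame_for_pid(const uint8_t *frame, size_t len, uint32_t wanted_pid)
{
    return frame_owner_pid(frame, len) == wanted_pid;
}

/* Constructed Ethernet/IPv4/TCP frame with the given ports (no payload, zero checksums). */
size_t build_tcp_frame(uint8_t *buf, uint16_t sp, uint16_t dp)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    buf[14] = 0x45;                           /* version 4, IHL 5 words */
    buf[16] = 0x00; buf[17] = 40;             /* IPv4 total length */
    buf[23] = PROTO_TCP;
    buf[34] = (uint8_t)(sp >> 8); buf[35] = (uint8_t)sp;
    buf[36] = (uint8_t)(dp >> 8); buf[37] = (uint8_t)dp;
    return 54;
}

/* Convenience wrapper: owner pid of a constructed TCP frame sp -> dp. */
uint32_t owner_of_tcp(uint16_t sp, uint16_t dp)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, sp, dp);
    return frame_owner_pid(f, n);
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, 49152, 443);   /* outbound from pid 4242 */
    printf("keep for 4242: %d\n", keep_frame_for_pid(f, n, 4242));
    n = build_tcp_frame(f, 443, 80);             /* inbound to pid 77 */
    printf("keep for 4242: %d\n", keep_frame_for_pid(f, n, 4242));
    return 0;
}
```

The snapshot has to be refreshed as sockets open and close, which is the same bookkeeping the UI's conversation tracking does; frames that arrive before the snapshot learns a new port will be dropped by this filter, so a capture that must not miss the first packets of a connection should keep everything and filter after the fact instead.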

All replies

  • You will need to parse the frame in order to access the process name.  The "Displaying Properties from a Capture File" has some sample code to show you how to get the process name.  If you still have questions after reading through it, please let us know and we'll try to help.

    Paul

    • Proposed as answer by Paul E Long Wednesday, July 21, 2010 5:43 PM
    Wednesday, July 21, 2010 5:43 PM
  • Thanks Paul. I tried that code and it still does not work for my scenario.

    If I use the netmon GUI (with enable conversations checked) to take the trace, I can use the code sample to get the process name fine. If I use the netmon GUI (without enable conversation checked) to trace the trace, I am not able to get the process name. This all sounds logical.


    Now, my program is using NmStartCapture to capture the trace. I am not able to use the same code to get the process name from the captured trace. So my question now is how can I use NmStartCapture with the same effect as with enable conversations checked.

    Friday, July 23, 2010 4:28 PM