none
TcpConnectionInformation with PID? RRS feed

  • Question

  • Here's the problem I'm trying to solve:

    We want our system health monitoring service to capture data on open TCP connections. Effectively, we need the output of the shell command "netstat -ano". The local endpoint, the remote endpoint, the current connection state, and most crucially the process ID that generated the connection. Further, we're trying to keep everything confined within a 64bit application.

    The key data point is an aggregated count grouped on state and PID. The endpoint data is just a nice-to-have

    Based on my research thus far, the options are basically:

    1) Shell out to netstat and parse the output. This obviously isn't a good idea, but it would work.
    2) System.Net.NetworkInformation.IpGlobalProperties.GetActiveTCPConnections(). This returns TcpConnectionInformation, which does not include the process ID but includes the other three data points. This doesn't meet our key requirement.
    3) P/Invoke IPHLPAPI.DLL GetExtendedTcpTable(). There doesn't seem to be a 64bit version of this library. 

    Is there a way to do this from within the Framework?

    (Incidentally, the root problem is that we periodically lose servers out of the cluster to ephemeral port exhausion and can't find a single correlating factor - so now we're just going to monitor connection counts realtime)


    Wednesday, March 29, 2017 10:55 PM

Answers

  • Apparently I imagined the "There is no 64bit version" for the P/Invoke solution. Doublechecked and there it is, right where it should have been.

    So, unless there's a solution within the framework libraries, that's the route I'm going to go.

    That said, for the benefit of anyone searching, there's a fourth option: the WMI MSFT_NetTCPConnection table. Caveats:
    1) It's only present on Windows Server 2012 R2/Windows 8.1 and up, Serverand 2016/ Windows 10 if you need the owning PID
    2) The UDP equivalent doesn't include the owning PID.

    Thursday, March 30, 2017 7:18 PM

All replies

  • >>P/Invoke IPHLPAPI.DLL GetExtendedTcpTable(). There doesn't seem to be a 64bit version of this library.

    What is the problem with this way? Do you mean there is no IPHLPAPI.DLL in C:\Windows\SysWOW64 Folder? If so, I suggest you try to download it from below:

    Reference: http://www.dlldownloader.com/iphlpapi-dll/

    I suggest you refer below link from getting PID.

    #Which PID listens on a given port in c#

    http://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp

    Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, March 30, 2017 2:17 AM
  • Apparently I imagined the "There is no 64bit version" for the P/Invoke solution. Doublechecked and there it is, right where it should have been.

    So, unless there's a solution within the framework libraries, that's the route I'm going to go.

    That said, for the benefit of anyone searching, there's a fourth option: the WMI MSFT_NetTCPConnection table. Caveats:
    1) It's only present on Windows Server 2012 R2/Windows 8.1 and up, Serverand 2016/ Windows 10 if you need the owning PID
    2) The UDP equivalent doesn't include the owning PID.

    Thursday, March 30, 2017 7:18 PM