[Winpcap-users] using Network Monitor versus WinPCap for real time network usage statistics monitoring/capture?

Guy Harris guy at alum.mit.edu
Sat Jul 10 05:26:02 PDT 2010


On Jul 10, 2010, at 3:32 AM, Greg Hauptmann wrote:

> Having a few issues digesting the info - mind if I ask:
> 
> 1) Re trying to access MIB_TCPSTATS (for GetTcpStatistics) & MIB_TCPTABLE (for GetExtendedTcpTable) do you know how to find out where these reside on a Windows PC (i.e. whereabouts in the MIB hierarchy)?  That is, noting I'm running OidViewProfessional how would I navigate to these MIBs to see what my current PC is storing in values? (i.e. to see what sort of values are in there)

I have no idea.

> 2) Re "do it by looking up remote IP address/port/protocol information in the OS's table of sockets to see what process, if any, has that socket" - do I assume by this you mean access the above-mentioned MIBs via use of the above-mentioned IP Helper Functions?    I can't see from the doco how these tables would be used to obtain per application/process network usage figures?

I wasn't saying you'd use that to obtain per-process or per-application network usage figures.

I was saying that you'd use that to associate particular packets with the processes that probably sent or received those processes, and compute the statistics yourself based on that.  That's probably what Network Monitor does to give you statistics like that.

If all you care about are packet counts maintained by the OS, rather than the actual packet *contents*, then either a WinPcap-based application *or* Network Monitor might be overkill.  However, a quick look at Task Manager in Windows XP doesn't appear to indicate that it can show per-process network statistics, so, at least in XP, there might not be APIs to get those statistics directly.  A quick look at the Sysinternals site:

	http://technet.microsoft.com/en-us/sysinternals/default.aspx

didn't show any obvious app of that sort.
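
Added example, not part of the original message: a portable C sketch of the approach described above, matching each captured packet's addresses and ports against a snapshot of the OS socket table and summing bytes per owning process. The struct and function names (sock_row, pkt, usage, account) and all sample data are constructed for illustration; no Windows API is called, and the rows stand in for a socket table read with the owning PID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical row: fields copied from a socket-table snapshot with owning PID. */
typedef struct { uint32_t laddr, raddr; uint16_t lport, rport; uint32_t pid; } sock_row;
/* Hypothetical summary of one captured TCP packet (len = bytes counted). */
typedef struct { uint32_t src, dst; uint16_t sport, dport; uint32_t len; } pkt;
typedef struct { uint32_t pid; uint64_t tx, rx; } usage;
#define MAX_PIDS 16
/* Return the counter slot for pid, creating it if needed; NULL when full. */
static usage *slot(usage *u, size_t *n, uint32_t pid) {
    for (size_t i = 0; i < *n; i++) if (u[i].pid == pid) return &u[i];
    if (*n == MAX_PIDS) return NULL;
    u[*n] = (usage){ pid, 0, 0 };
    return &u[(*n)++];
}
/* Charge each packet to the socket's owner; returns bytes that matched no row. */
uint64_t account(const sock_row *t, size_t nt, const pkt *p, size_t np,
                 usage *u, size_t *nu) {
    uint64_t unmatched = 0;
    for (size_t i = 0; i < np; i++) {
        usage *s = NULL; int out = 0;
        for (size_t j = 0; j < nt && !s; j++) {
            out = p[i].src == t[j].laddr && p[i].sport == t[j].lport &&
                  p[i].dst == t[j].raddr && p[i].dport == t[j].rport;
            int in = p[i].dst == t[j].laddr && p[i].dport == t[j].lport &&
                     p[i].src == t[j].raddr && p[i].sport == t[j].rport;
            if (out || in) s = slot(u, nu, t[j].pid);
        }
        if (!s) unmatched += p[i].len;      /* e.g. socket closed before snapshot */
        else if (out) s->tx += p[i].len;    /* local endpoint was the sender */
        else s->rx += p[i].len;             /* local endpoint was the receiver */
    }
    return unmatched;
}
/* Constructed sample data: 192.168.1.10 talking to 93.184.216.34. */
static const sock_row SOCKS[] = { { 0xC0A8010A, 0x5DB8D822, 49152, 80, 1234 },
                                  { 0xC0A8010A, 0x5DB8D822, 49153, 443, 5678 } };
static const pkt PKTS[] = {
    { 0xC0A8010A, 0x5DB8D822, 49152, 80, 500 }, { 0x5DB8D822, 0xC0A8010A, 80, 49152, 1500 },
    { 0xC0A8010A, 0x5DB8D822, 49153, 443, 200 }, { 0x5DB8D822, 0xC0A8010A, 443, 49153, 1000 },
    { 0xC0A8010A, 0x5DB8D822, 49154, 80, 60 }, { 0x5DB8D822, 0xC0A8010A, 80, 49152, 1500 } };
int main(void) {
    usage u[MAX_PIDS]; size_t nu = 0;
    uint64_t lost = account(SOCKS, 2, PKTS, 6, u, &nu);
    for (size_t i = 0; i < nu; i++)
        printf("pid %u tx %llu rx %llu\n", (unsigned)u[i].pid,
               (unsigned long long)u[i].tx, (unsigned long long)u[i].rx);
    printf("unmatched %llu\n", (unsigned long long)lost);
}
```

The unmatched total is the reason the attribution is only probable: a packet whose socket is gone by the time the table is read cannot be charged to any process.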

	

