Open emliunix opened 5 years ago
Windows network stack is quite complex, mixed or say unified with other IO stack, like USB / Bluetooth, and the high-levels such as HTTP.
The capture here seems based on WFP (Windows Filtering Platform) which is based on ETW (Event Tracing for Windows). ETW is said as a general purpose kernel tracing facility.
It's good to see a uniformed structure in OS level, like that in the BSD world. However for windows, the whole system ships as one giant blob, system components are hard to be udpated. I noticed http is a system component (winhttp.dll COM, for serer), on which IIS, etc is built, so if one wants to use HTTP/2, the whole system should be updated, and it may not even be a complete implementaion of HTTP/2.
And I found separate HTTP/2 implementation (client) in .NET based on TCP, which is shipped as a upgradable package. Feels like a good direction, and glad to see more system components shipped as standalone packages, XAML islands stuff.
But still complaining about the inconsistencies met when analyze network traffic, Loopback packets seems a totally separate path compared to normal cross device traffic. Feels like some kind of quick pacth that merges existing local IPC infra into TCP/IP stack, and not providing enough and uniformed inspecting facility.
Conclusion
Use Windows Message Analyzer. The assets needs to be updated after installation otherwise there's some error. There's Loopback capture as a preset scenario.
However I didn't get the filtering to work with
IPv4.Address == 127.0.0.1
though the packet view shows the IP Address is definitely127.0.0.1
.The filter expression
UDP.Datagram.Port == 8000
works.