Network Traffic Analyze on Windows

[emliunix]

Conclusion

Use Windows Message Analyzer. The assets needs to be updated after installation otherwise there's some error. There's Loopback capture as a preset scenario.

However I didn't get the filtering to work with IPv4.Address == 127.0.0.1 though the packet view shows the IP Address is definitely 127.0.0.1.

The filter expression UDP.Datagram.Port == 8000 works.

[emliunix]

Windows network stack is quite complex, mixed or say unified with other IO stack, like USB / Bluetooth, and the high-levels such as HTTP.

The capture here seems based on WFP (Windows Filtering Platform) which is based on ETW (Event Tracing for Windows). ETW is said as a general purpose kernel tracing facility.

It's good to see a uniformed structure in OS level, like that in the BSD world. However for windows, the whole system ships as one giant blob, system components are hard to be udpated. I noticed http is a system component (winhttp.dll COM, for serer), on which IIS, etc is built, so if one wants to use HTTP/2, the whole system should be updated, and it may not even be a complete implementaion of HTTP/2.

And I found separate HTTP/2 implementation (client) in .NET based on TCP, which is shipped as a upgradable package. Feels like a good direction, and glad to see more system components shipped as standalone packages, XAML islands stuff.

But still complaining about the inconsistencies met when analyze network traffic, Loopback packets seems a totally separate path compared to normal cross device traffic. Feels like some kind of quick pacth that merges existing local IPC infra into TCP/IP stack, and not providing enough and uniformed inspecting facility.