fireeye / pywintrace

ETW Python Library
Apache License 2.0

No event data received problem #10

Closed Darkera524 closed 6 years ago

Darkera524 commented 6 years ago

I am using this module to capture the info of the DNS server. At the beginning everything is ok and I can capture the log, but once I stop the process I can't capture the info of this provider unless I reboot Windows, while the other providers can capture as usual. When I use it in production I can't reboot the system at any time, so how could I solve the problem? The following is my code. Thanks!

import json
import sys
import time

import etw        # pywintrace
import requests

def some_func(name, guid):
    # define capture provider info "{11111111-1111-1111-1111-111111111111}"
    providers = [etw.ProviderInfo(name, etw.GUID("{"+guid+"}"))]
    # create instance of ETW class
    job = etw.ETW(providers=providers, event_callback=lambda x: print(str(x).replace("'","\"")))

    # start capture
    job.start()

    # wait some time
    #time.sleep(5)

    while True:
        # poll the local controller on port 8093; it answers "no" when capture should end
        url = "http://127.0.0.1:8093/query"
        d = [
            {
                "Provider": guid
            }
        ]
        try:
            r = requests.post(url, json.dumps(d))
            response = r.text

            if response == "no":
                # stop capture
                job.stop()
                break
            time.sleep(10)
        except Exception as e:
            # controller on port 8093 is gone: stop capture and exit
            print("dead")
            job.stop()
            break

if __name__ == '__main__':
    name = sys.argv[1]
    guid = sys.argv[2]
    some_func(name, guid)

abergl commented 6 years ago

The capture session may not be shutting down properly. Killing the process without shutting the capture session down can cause the issue you are describing.

Darkera524 commented 6 years ago

But I did not kill the python script process directly. As in the code above, when it shuts down depends on the info returned from port 8093 or on whether port 8093 is alive. I just kill the process that is listening on 8093, then the python script process exits after executing job.stop(). I would appreciate it if you could help me with the following questions.

  1. If the capture session is not stopped, how can I find the session and stop it?
  2. How can I avoid this happening?
abergl commented 6 years ago

  1. If the capture session is not stopped, how can I find the session and stop it?
     To see if the session is still running use the command: logman -ets
     To stop the capture session: logman -ets "session name" stop

  2. How can I avoid this happening?
     When stop() is called the capture session will stop.

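An added example (not pywintrace's own code and not from the thread) of the cleanup abergl describes: parse the output of logman -ets, find a trace session still running under the name the capture used, and issue logman -ets "session name" stop for it. The sample logman output is constructed, and the session name prefix pywintrace is an assumption; substitute whatever session name your capture was started with.

```python
"""Find an ETW trace session that outlived its capture process and stop it."""
import re
import subprocess

# Constructed sample of `logman -ets` output (Windows, run elevated). The
# session names are made up; "pywintrace-dns" stands in for whatever session
# name the capture was started with (an assumption, not from the thread).
SAMPLE_LOGMAN_ETS = """\
Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
Circular Kernel Context Logger          Trace                         Running
Eventlog-Security                       Trace                         Running
pywintrace-dns                          Trace                         Running
The command completed successfully.
"""

# name (may contain single spaces), 2+ spaces, type, 2+ spaces, status
ROW = re.compile(r"^(?P<name>.+?)\s{2,}(?P<type>\S+)\s{2,}(?P<status>\S+)\s*$")

def parse_logman_ets(text):
    """Return {session_name: status} from `logman -ets` output."""
    sessions = {}
    for line in text.splitlines():
        if line.startswith(("Data Collector Set", "---")) or "command completed" in line:
            continue  # header, separator and trailer lines
        m = ROW.match(line)
        if m:
            sessions[m.group("name")] = m.group("status")
    return sessions

def running_sessions(text, prefix):
    """Names of running sessions whose name starts with `prefix`."""
    return sorted(n for n, s in parse_logman_ets(text).items()
                  if s == "Running" and n.startswith(prefix))

def stop_command(session_name):
    """argv for `logman -ets "<session name>" stop`, the command from the reply above."""
    return ["logman", "-ets", session_name, "stop"]

def stop_orphaned(prefix, runner=subprocess.run):
    """Query logman, stop every running session matching prefix, return the names stopped."""
    out = runner(["logman", "-ets"], capture_output=True, text=True, check=True).stdout
    stopped = []
    for name in running_sessions(out, prefix):
        runner(stop_command(name), check=True)
        stopped.append(name)
    return stopped

if __name__ == "__main__":
    print(stop_orphaned("pywintrace"))
```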
Darkera524 commented 6 years ago

Thanks a lot! Besides this, I found another performance problem: when the trace info is very large, for example the DNS access log info, job.start() prints the info slowly, so do you have any suggestions on how I can improve its performance?

abergl commented 6 years ago

There is an option that will disable output to the console. That may help.

abergl commented 6 years ago

Closing.