How to monitor and get history data on the status of a port?

  • Question

  • I'm dealing with a TCP connection issue where a client randomly can't get a connection to the server. Doing some digging, I can occasionally get netstat -ao to report that the port has a state of TIME_WAIT. As far as I can tell netstat only reports status for all ports. Is there some way to get a history graph showing the state of a port with a specific client? I'd like to see a chart showing the state of the port fluctuating between the different states it can be in, to see if I can correlate this with the errors I'm seeing.
    Thursday, August 29, 2013 6:27 PM

Answers

  • The "Microsoft-Windows-TCPIP/Diagnostic" event provider has a number of events that can help you track the state of endpoints and connections. The most interesting event is probably 1051, which marks a change in connection state (e.g., Established -> Closed).

    I don't know of a pre-existing tool that will show you all the states, although I think WPT might come pretty close.  I know it can be configured to show sockets, but I don't know if it gets into the TCP state of each socket.

    If you're comfortable scripting in PowerShell, you can do some of the analysis yourself.  Here is something of a start:

    #
    # Show TCP state changes
    #
    # Purpose:  Collects TCP event traces that indicate when a socket changes state.
    #           Analyzes events to summarize all state changes
    #
    # Run this from an elevated PowerShell session: enabling the analytic log
    # requires administrator rights.
    
    $provider = "Microsoft-Windows-TCPIP/Diagnostic"
    $config = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $provider
    $config.IsEnabled = $true
    $config.SaveChanges()
    
    try {
        Write-Host "TCP logging enabled.  Reproduce the issue now."
        Read-Host "Press ENTER to stop logging and begin trace analysis" | Out-Null
    } finally {
        # Turn the log off again even if the script is interrupted, so the
        # analytic log does not keep filling up in the background
        $config.IsEnabled = $false
        $config.SaveChanges()
    }
    
    # Look for:
    #   event 1017 is emitted when a listening TCP socket accepts a connection
    #   event 1033 is emitted when a TCP socket is connected
    #   event 1051 is emitted when a TCP connection changes state
    # Analytic/debug logs can only be read oldest-first, hence -Oldest.
    $events = Get-WinEvent -LogName $provider -Oldest -FilterXPath "*[System/EventID=1017 or System/EventID=1033 or System/EventID=1051]"
    
    # Table of connections seen during the trace, keyed by the TCB
    # (transmission control block) address that identifies the socket
    $tcbs = @{}
    
    $events | ForEach-Object {
        if ($_.Id -eq 1017 -or $_.Id -eq 1033) {
            # If we see a new socket, add it to our table
    
            $tcb = $_.Properties[7].Value
            $tcbs[$tcb] = $_.Message
    
            "" + $_.TimeCreated.ToString("HH:mm:ss.fff") +
                "`t" + $_.Message
    
        } elseif ($_.Id -eq 1051) {
            # This socket has changed state.
    
            $tcb = $_.Properties[3].Value
            if ($tcbs.ContainsKey($tcb)) {
                # If we knew about the socket (it was created during the trace),
                # display its information here
    
                # Do a bit of string munging to make the output more readable:
                # pull the PID and the "(local - remote)" endpoints out of the
                # accept/connect message that was recorded for this TCB
                "" + $_.TimeCreated.ToString("HH:mm:ss.fff") +
                    "`t" + [Regex]::Match($tcbs[$tcb], "PID = \d+").Value +
                    "`t" + [Regex]::Match($tcbs[$tcb], "(?<=\().*(?=\))").Value +
                    "`t" + $_.Message
            }
        }
    }
    

    Thursday, August 29, 2013 9:07 PM
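The script in the answer above prints every transition; the question asked for a history of one client's connection that can be charted. The following PowerShell is an added example, not code from the original post. It keeps the property indices the answer relies on (Properties[7] holds the TCB for events 1017/1033, Properties[3] for 1051), filters the transitions to one remote client, and computes how long each connection spent in each state. The message text patterns ("PID = n", "(local:port - remote:port)", "from State to State"), the constructed sample events and the addresses, PIDs and TCB values in them are assumptions for illustration; print a few raw $_.Message values on your own system and adjust the two patterns if the wording differs.

```powershell
# Added example (not from the original post): per-client TCP state timeline built from
# Microsoft-Windows-TCPIP/Diagnostic events 1017/1033/1051.
#
# ASSUMPTION: 1017/1033 messages contain "PID = <n>" and "(local:port - remote:port)",
# and 1051 messages contain "from <State> to <State>". Adjust if your messages differ.
$EndpointPattern   = '\((?<local>\S+?)\s*-\s*(?<remote>[^)\s]+)\)'
$TransitionPattern = 'from\s+(?<old>\w+)\s+to\s+(?<new>\w+)'

function ConvertTo-TcpTimeline {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # Get-WinEvent output (or stand-ins)
        [string] $ClientAddress = ''                 # e.g. '192.0.2.10'; empty = every client
    )
    $connections = @{}    # TCB -> @{ Pid; Local; Remote }, learned from 1017/1033
    foreach ($e in $Events) {
        if ($e.Id -eq 1017 -or $e.Id -eq 1033) {
            $m = [regex]::Match($e.Message, $EndpointPattern)
            $connections[$e.Properties[7].Value] = @{
                Pid    = [regex]::Match($e.Message, 'PID = (\d+)').Groups[1].Value
                Local  = $m.Groups['local'].Value
                Remote = $m.Groups['remote'].Value
            }
        }
        elseif ($e.Id -eq 1051) {
            $tcb = $e.Properties[3].Value
            if (-not $connections.ContainsKey($tcb)) { continue }   # socket predates the trace
            $c = $connections[$tcb]
            if ($ClientAddress -and ($c.Remote -notlike "${ClientAddress}:*")) { continue }
            $t = [regex]::Match($e.Message, $TransitionPattern)
            if (-not $t.Success) { continue }
            [pscustomobject]@{
                Time = $e.TimeCreated; Tcb = $tcb; Pid = $c.Pid
                Local = $c.Local; Remote = $c.Remote
                OldState = $t.Groups['old'].Value; NewState = $t.Groups['new'].Value
            }
        }
    }
}

function Get-TcpStateDurations {
    param([Parameter(Mandatory)] [object[]] $Timeline)
    # Time in a state = gap between entering it and the same TCB's next transition.
    # The last state of each connection has no successor and therefore gets no row.
    foreach ($g in ($Timeline | Group-Object Tcb)) {
        $rows = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $rows.Count - 1; $i++) {
            [pscustomobject]@{
                Tcb = $g.Name; Remote = $rows[$i].Remote; State = $rows[$i].NewState
                Seconds = [math]::Round(($rows[$i + 1].Time - $rows[$i].Time).TotalSeconds, 3)
            }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output (assumed wording):
# two server-side connections, one from 192.0.2.10 that lingers in TimeWait for two
# minutes after the server closed first, and one from another client the filter drops.
function New-SampleEvent($Id, $Offset, $Message, $TcbIndex, $Tcb) {
    $props = @(0..$TcbIndex | ForEach-Object { [pscustomobject]@{ Value = $null } })
    $props[$TcbIndex].Value = $Tcb        # pad so the TCB lands at the index the answer uses
    [pscustomobject]@{
        Id = $Id; Message = $Message; Properties = $props
        TimeCreated = (Get-Date '2013-08-29T18:00:00').AddSeconds($Offset)
    }
}
$tcbA = '0xFFFFFA8003A1B010'; $tcbB = '0xFFFFFA8003A1C020'
$sample = @(
    New-SampleEvent 1017   0.000 "TCP: connection $tcbA (10.0.0.1:8080 - 192.0.2.10:51234) accepted, PID = 4321" 7 $tcbA
    New-SampleEvent 1051   0.002 "TCP: connection $tcbA transitioned from SynReceived to Established" 3 $tcbA
    New-SampleEvent 1017   0.300 "TCP: connection $tcbB (10.0.0.1:8080 - 198.51.100.7:40001) accepted, PID = 4321" 7 $tcbB
    New-SampleEvent 1051   0.302 "TCP: connection $tcbB transitioned from SynReceived to Established" 3 $tcbB
    New-SampleEvent 1051   1.500 "TCP: connection $tcbA transitioned from Established to FinWait1" 3 $tcbA
    New-SampleEvent 1051   1.520 "TCP: connection $tcbA transitioned from FinWait1 to FinWait2" 3 $tcbA
    New-SampleEvent 1051   1.530 "TCP: connection $tcbA transitioned from FinWait2 to TimeWait" 3 $tcbA
    New-SampleEvent 1051 121.530 "TCP: connection $tcbA transitioned from TimeWait to Closed" 3 $tcbA
)

$timeline = ConvertTo-TcpTimeline -Events $sample -ClientAddress '192.0.2.10'
$timeline | Format-Table Time, Remote, OldState, NewState -AutoSize
Get-TcpStateDurations -Timeline $timeline | Sort-Object Seconds -Descending | Format-Table -AutoSize
# $timeline | Export-Csv tcp-states.csv -NoTypeInformation   # chart Time (X) against NewState (Y)

# Live use: pass the events collected by the script above instead of $sample, e.g.
# $live = Get-WinEvent -LogName 'Microsoft-Windows-TCPIP/Diagnostic' -Oldest `
#     -FilterXPath "*[System/EventID=1017 or System/EventID=1033 or System/EventID=1051]"
# ConvertTo-TcpTimeline -Events $live -ClientAddress '192.0.2.10'
```

On the sample data the durations table puts TimeWait at the top at 120 seconds, with Established, FinWait1 and FinWait2 well under two seconds, and the 198.51.100.7 connection never appears because the client filter drops it. The durations are the values to plot: a connection that repeatedly lands in TimeWait on the side that closes first, combined with a fixed ephemeral port range, is the usual reason a client intermittently cannot open a new connection to the same server.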

All replies

  • I didn't know about TCPIP/Diagnostic, this looks like it's exactly what I'm looking for. Thanks.
    Friday, August 30, 2013 3:04 PM
  • Hi,

    Maybe the following articles can be helpful, just for your reference.

    Overview of TCP/IP Troubleshooting Tools

    http://technet.microsoft.com/en-us/library/cc958878.aspx

    The Cable Guy: Network Diagnostics & Tracing in Windows 7

    http://technet.microsoft.com/en-us/magazine/ff625276.aspx


    Kate Li

    TechNet Community Support

    Tuesday, September 3, 2013 1:49 PM