Winsock Network Event Tracing Details
The following details each of the Winsock network events that can be traced and describes which parameters and information are logged.
Socket Creation
Event ID = 1
Level = 4 (Information)
The following Winsock events are traced for socket creation:
- Socket handles created by calls to the socket or WSASocket functions.
- Accepted socket handles on listening sockets.
- Socket handles created by calls to the WSAJoinLeaf function.
- Socket handles re-used by calls to the AcceptEx or ConnectEx functions.
The following parameters are logged for a socket creation event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
SocketType | The type of the socket. |
Protocol | The protocol of the socket. |
UserModePid | The user-mode process ID that created the socket. |
Socket Bind
Event ID = 2 (IPv4), Event ID = 3 (IPv6)
Level = 4 (Information)
The following Winsock events are traced for a bind operation:
- Implicit or explicit binding of a socket handle.
The following parameters are logged for a bind event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Address | The local IP address. |
Port | The local IP port number. |
Status | The status or error code returned for the bind operation. |
Failed Bind
Event ID = 40
Level = 4 (Information)
The following Winsock events are traced for a failed bind operation:
- Implicit or explicit binding of a socket handle that fails.
The following parameters are logged for a failed bind event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the failing bind operation. |
Socket Connect
Event ID = 4 (IPv4), Event ID = 5 (IPv6)
Level = 4 (Information)
The following Winsock events are traced for a connect operation request (a call to the connect, ConnectEx, WSAConnect, WSAConnectByList, or WSAConnectByName function):
- Connecting a socket to a destination for either a connection-oriented or a connectionless socket.
The following parameters are logged for a connect event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Address | The remote IP address. |
Port | The remote IP port number. |
Connect Completed
Event ID = 6
Level = 4 (Information)
The following Winsock events are traced for a connect completed:
- The connect operation is completed.
The following parameters are logged for a connect completed event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the connect operation. |
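As an added example (not code from the Microsoft page), the following Python folds trace records for the events above, from Socket Creation through Connect Completed, into one lifecycle per socket, using the Endpoint value as the per-socket join key the page describes. The sample records are constructed to match the documented parameter names; the dictionary layout, the helper names and the PIDs, addresses and error codes are assumptions, not a documented trace format.

```python
"""Correlate Winsock trace events per Endpoint into a socket lifecycle.

Added example, not part of the Microsoft reference page. The records below
are constructed to match the parameter names documented for Socket Creation
(ID 1), Socket Bind (2/3), Failed Bind (40), Socket Connect (4/5) and
Connect Completed (6); the dict layout is an assumption about how a trace
parser would surface them, not a documented format.
"""
from collections import defaultdict

# Event IDs as documented on the page.
SOCKET_CREATION = 1
SOCKET_BIND = {2, 3}          # 2 = IPv4, 3 = IPv6
FAILED_BIND = 40
SOCKET_CONNECT = {4, 5}       # 4 = IPv4, 5 = IPv6
CONNECT_COMPLETED = 6

# Constructed sample trace (not real data). Endpoint is the kernel socket
# address the page documents as the unique socket identifier; UserModePid is
# only present on the creation event, so later events must be joined to it.
SAMPLE_EVENTS = [
    {"EventId": 1, "Endpoint": "0xffff9c0a12340000", "Process": "0xffff9c0a00110000",
     "SocketType": 1, "Protocol": 6, "UserModePid": 4242},
    {"EventId": 2, "Endpoint": "0xffff9c0a12340000", "Process": "0xffff9c0a00110000",
     "Address": "0.0.0.0", "Port": 0, "Status": 0},
    {"EventId": 4, "Endpoint": "0xffff9c0a12340000", "Process": "0xffff9c0a00110000",
     "Address": "203.0.113.10", "Port": 443},
    {"EventId": 6, "Endpoint": "0xffff9c0a12340000", "Process": "0xffff9c0a00110000",
     "Error": 0},
    {"EventId": 1, "Endpoint": "0xffff9c0a56780000", "Process": "0xffff9c0a00220000",
     "SocketType": 1, "Protocol": 6, "UserModePid": 5150},
    {"EventId": 40, "Endpoint": "0xffff9c0a56780000", "Process": "0xffff9c0a00220000",
     "Error": 10048},   # WSAEADDRINUSE
    {"EventId": 4, "Endpoint": "0xffff9c0a56780000", "Process": "0xffff9c0a00220000",
     "Address": "198.51.100.7", "Port": 8443},
    {"EventId": 6, "Endpoint": "0xffff9c0a56780000", "Process": "0xffff9c0a00220000",
     "Error": 10061},   # WSAECONNREFUSED
]


def build_lifecycles(events):
    """Fold a stream of events into one record per Endpoint.

    Returns a dict keyed by Endpoint. Each record carries the owning PID
    (from the creation event), the local and remote address the socket used
    and the failures seen, in trace order. Events for an Endpoint created
    before the trace started land in a record whose pid stays None.
    """
    sockets = defaultdict(lambda: {"pid": None, "local": None, "remote": None,
                                   "connected": False, "failures": []})
    for ev in events:
        rec = sockets[ev["Endpoint"]]
        eid = ev["EventId"]
        if eid == SOCKET_CREATION:
            rec["pid"] = ev["UserModePid"]
        elif eid in SOCKET_BIND:
            rec["local"] = (ev["Address"], ev["Port"])
            if ev["Status"] != 0:
                rec["failures"].append(("bind", ev["Status"]))
        elif eid == FAILED_BIND:
            rec["failures"].append(("bind", ev["Error"]))
        elif eid in SOCKET_CONNECT:
            rec["remote"] = (ev["Address"], ev["Port"])
        elif eid == CONNECT_COMPLETED:
            if ev["Error"] == 0:
                rec["connected"] = True
            else:
                rec["failures"].append(("connect", ev["Error"]))
    return dict(sockets)


def failed_connects_by_pid(events):
    """Count connect attempts that completed with an error, per user-mode PID.

    Connect Completed carries only the Endpoint, so the PID comes from the
    matching Socket Creation record; a process producing many failed
    connects is the kind of signal a defender pulls out of this trace.
    """
    counts = defaultdict(int)
    for rec in build_lifecycles(events).values():
        for kind, _err in rec["failures"]:
            if kind == "connect":
                counts[rec["pid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for endpoint, rec in build_lifecycles(SAMPLE_EVENTS).items():
        print(endpoint, rec)
    print("failed connects by PID:", failed_connects_by_pid(SAMPLE_EVENTS))
```

The join on Endpoint is what makes the Level 4 events useful: none of Bind, Connect or Connect Completed repeats the PID, so a record that is not anchored by its creation event can only be attributed by the kernel Process address.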
AFD-Initiated Abort
Event ID = 7
Level = 4 (Information)
The following Winsock events are traced for Winsock-initiated aborts or cancel operations:
- An abort due to unread receive data buffered after close.
- An abort after a call to the shutdown function with the how parameter set to SD_RECEIVE and a call to the closesocket function with receive data pending.
- An abort after a failed attempt to flush the endpoint.
- An abort after an internal Winsock error occurred.
- An abort due to a connection with errors and the application previously requested that the connection be aborted on certain circumstances. One example of this case would be an application that set SO_LINGER with a timeout of zero and there is still unacknowledged data on the connection.
- An abort on a connection not fully associated with an accepting endpoint.
- An abort on a failed call to the accept or AcceptEx function.
- An abort due to a failed receive operation.
- An abort due to a Plug and Play event.
- An abort due to a failed flush request.
- An abort due to a failed expedited data receive request.
- An abort due to a failed send request.
- An abort due to a canceled send request.
- An abort due to a canceled call to the TransmitPackets function.
The following parameters are logged for a Winsock-initiated abort or cancel operation:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Reason | The reason for the abort or cancel operation. |
Transport-Initiated Abort
Event ID = 8
Level = 4 (Information)
The following Winsock events are traced for transport-initiated abort or cancel operations:
- Reset indicated by the transport.
The following parameters are logged for a transport-initiated abort or cancel operation:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Reason | The reason for the abort or cancel operation. |
Failed Send Request
Event ID = 9
Level = 4 (Information)
This Winsock event is traced for errors returned on send or WSASend requests.
The following parameters are logged for a send request that results in an error:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the operation. |
Failed WsaSendMsg Request
Event ID = 10
Level = 4 (Information)
The following Winsock events are traced for errors on WSASendMsg requests:
- Errors returned on failed WSASendMsg requests.
The following parameters are logged for a WSASendMsg request that results in an error:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the operation. |
Failed Recv Request
Event ID = 11
Level = 4 (Information)
The following Winsock events are traced for errors on recv, WSARecv, or WSARecvEx requests:
- Errors returned on failed receive requests.
The following parameters are logged for a receive request that results in an error:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the operation. |
Failed Recvfrom Request
Event ID = 12
Level = 4 (Information)
The following Winsock events are traced for errors on recvfrom or WSARecvFrom requests:
- Errors returned on failed recvfrom or WSARecvFrom requests.
The following parameters are logged for a recvfrom or WSARecvFrom request that results in an error:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the operation. |
Socket Close
Event ID = 13
Level = 4 (Information)
The following Winsock events are traced for socket close operations:
- A socket handle is closed.
The following parameters are logged for a socket close event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The return value for the socket close operation. |
Socket Cleanup
Event ID = 14
Level = 4 (Information)
The following Winsock events are traced for socket cleanup (shutdown) operations:
- The shutdown function is called on a socket.
- The transport indicates a failed graceful disconnect.
The following parameters are logged for a socket cleanup (shutdown) or socket close event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The return value for the socket cleanup (shutdown) operation. |
Socket Accept
Event ID = 15 (IPv4), Event ID = 16 (IPv6)
Level = 4 (Information)
This Winsock event is traced for an accept, AcceptEx, or WSAAccept function request.
The following parameters are logged for an accept event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Address | The remote IP address. |
Port | The remote IP port number. |
Status | The status or error code returned for the accept operation. |
Accept Failed
Event ID = 17
Level = 4 (Information)
This Winsock event is traced for a failed accept operation.
The following parameters are logged for a failed accept event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the failing accept operation. |
Send Posted
Event ID = 18
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for socket send and receive buffer post operations:
- An application posts a send.
- A send operation completes to Winsock.
The following parameters are logged for socket send operations:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
FastPath | A Boolean value that indicates if fast path I/O was used. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The length of the buffer. For chained buffers, this parameter is the total number of bytes in all of the buffers in the chain. |
When FastPath is true, the usermode address of the first buffer in the array of buffers is logged in the Buffer parameter. When FastPath is false, the Winsock kernel buffer address is logged in the Buffer parameter.
Receive Posted
Event ID = 19
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for socket receive buffer post operations:
- An application posts a receive.
- A receive operation completes to Winsock.
The following parameters are logged for socket receive operations:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
FastPath | A Boolean value that indicates if fast path I/O was used. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The length of the buffer. For chained buffers, this parameter is the total number of bytes in all of the buffers in the chain. |
When FastPath is true, the usermode address of the first buffer in the array of buffers is logged in the Buffer parameter. When FastPath is false, the Winsock kernel buffer address is logged in the Buffer parameter.
RecvFrom Posted
Event ID = 20
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for a recvfrom buffer post operation on a socket:
- An application posts a recvfrom operation.
The following parameters are logged for the recvfrom operation:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
FastPath | A Boolean value that indicates if fast path I/O was used. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The length of the buffer. For chained buffers, this parameter is the total number of bytes in all of the buffers in the chain. |
When FastPath is true, the usermode address of the first buffer in the array of buffers is logged in the Buffer parameter. When FastPath is false, the Winsock kernel buffer address is logged in the Buffer parameter.
SendTo Posted
Event ID = 21 (IPv4), Event ID = 22 (IPv6)
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for a sendto buffer post operation on a socket:
- An application posts a sendto operation.
The following parameters are logged for the sendto operation:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
FastPath | A Boolean value that indicates if fast path I/O was used. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The length of the buffer. For chained buffers, this parameter is the total number of bytes in all of the buffers in the chain. |
Address | The remote IP address of the socket. |
Port | The remote IP port number of the socket. |
When FastPath is true, the usermode address of the first buffer in the array of buffers is logged in the Buffer parameter. When FastPath is false, the Winsock kernel buffer address is logged in the Buffer parameter.
Recv Completed
Event ID = 23
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for socket receive completed operations:
- A send operation completes to the transport.
- A receive operation completes to the transport.
The following parameters are logged for a send completed or receive completed event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The number of bytes received into the buffer. For chained buffers, this parameter is the total bytes received in all buffers in the chain. |
Send Completed
Event ID = 24
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced for socket send completed operations:
- A send operation completes to the transport.
The following parameters are logged for a send completed event:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The number of bytes sent from the buffer. For chained buffers, this parameter is the total bytes sent from all buffers in the chain. |
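The Send Posted and Send Completed sections above describe the diagnostic these verbose events exist for: the buffer address is logged when the application posts the send and again when the transport completes it, so a second post that overlaps a range with no completion yet is the buffer-reuse mistake the page warns about. The following Python, an added example that is not code from the Microsoft page, runs that check over constructed Send Posted (ID 18) and Send Completed (ID 24) records. The record layout, addresses and helper names are assumptions. Only posts with FastPath true are tracked, because the page states that with FastPath false the logged Buffer is the Winsock kernel buffer rather than the application's address, which is not the value a reuse check needs to compare.

```python
"""Flag a user buffer re-posted while an earlier send on it is in flight.

Added example, not part of the Microsoft reference page. Applies the
Send Posted / Send Completed diagnostic the page describes to constructed
records; the dict layout is an assumed parser output.
"""
SEND_POSTED = 18
SEND_COMPLETED = 24

# Constructed sample events (not real trace data). One endpoint; the second
# post overlaps the first while it is still in flight, the later re-post of
# the same buffer happens after its completion and is fine, and the final
# completion has no matching post (trace started mid-stream, or kernel path).
_EP = "0xffff9c0a12340000"
_BUF_A = 0x000001E000100000     # assumed user-mode address, 4096 bytes
_BUF_B = 0x000001E000100800     # starts 2048 bytes into _BUF_A
_BUF_C = 0x000001E000200000
SAMPLE_EVENTS = [
    {"EventId": 18, "Endpoint": _EP, "FastPath": True, "BufferCount": 1,
     "Buffer": _BUF_A, "BufferLength": 4096},
    {"EventId": 18, "Endpoint": _EP, "FastPath": True, "BufferCount": 1,
     "Buffer": _BUF_B, "BufferLength": 1024},          # overlaps _BUF_A
    {"EventId": 24, "Endpoint": _EP, "Buffer": _BUF_A, "BufferLength": 4096},
    {"EventId": 24, "Endpoint": _EP, "Buffer": _BUF_B, "BufferLength": 1024},
    {"EventId": 18, "Endpoint": _EP, "FastPath": True, "BufferCount": 1,
     "Buffer": _BUF_A, "BufferLength": 4096},          # nothing in flight now
    {"EventId": 24, "Endpoint": _EP, "Buffer": _BUF_A, "BufferLength": 4096},
    {"EventId": 24, "Endpoint": _EP, "Buffer": _BUF_C, "BufferLength": 512},
]


def _overlaps(start_a, len_a, start_b, len_b):
    """True if the half-open ranges [start, start+len) intersect."""
    return start_a < start_b + len_b and start_b < start_a + len_a


def find_buffer_reuse(events):
    """Return (findings, unmatched_completions) for a stream of events.

    In-flight ranges are tracked per Endpoint, the page's per-socket key:
    added on Send Posted with FastPath true, removed when Send Completed
    reports the same buffer address on the same Endpoint. A post that
    overlaps any in-flight range on its socket is a finding. Completions
    that match nothing are returned by index rather than treated as errors,
    since they are expected for posts made before the trace started or
    sent through the kernel buffer path.
    """
    in_flight = {}      # endpoint -> list of (buffer, length) awaiting completion
    findings = []
    unmatched = []
    for idx, ev in enumerate(events):
        live = in_flight.setdefault(ev["Endpoint"], [])
        if ev["EventId"] == SEND_POSTED:
            if not ev.get("FastPath"):
                continue    # kernel buffer address logged; not comparable
            buf, length = ev["Buffer"], ev["BufferLength"]
            for other, other_len in live:
                if _overlaps(buf, length, other, other_len):
                    findings.append({"index": idx, "endpoint": ev["Endpoint"],
                                     "buffer": buf, "in_flight": other})
            live.append((buf, length))
        elif ev["EventId"] == SEND_COMPLETED:
            for i, (other, _len) in enumerate(live):
                if other == ev["Buffer"]:
                    del live[i]
                    break
            else:
                unmatched.append(idx)
    return findings, unmatched


if __name__ == "__main__":
    found, loose = find_buffer_reuse(SAMPLE_EVENTS)
    for f in found:
        print("buffer reuse at event %d on %s: 0x%x overlaps in-flight 0x%x"
              % (f["index"], f["endpoint"], f["buffer"], f["in_flight"]))
    print("completions with no matching post:", loose)
```

The same pairing works for Receive Posted against Recv Completed and for RecvFrom Posted against RecvFrom Completed; only the event IDs change, and a receive re-posted while in flight is the more damaging case because the transport writes into it.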
SendMsg Completed
Event ID = 25
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced when a WSASendMsg buffer post operation completes on a socket:
- An application completes a WSASendMsg operation.
The following parameters are logged for the WSASendMsg completion:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The number of bytes sent from the buffer. For chained buffers, this parameter is the total bytes sent from all buffers in the chain. |
Address | The remote IP address of the socket. |
Port | The remote IP port number of the socket. |
RecvFrom Completed
Event ID = 26 (IPv4), Event ID = 27 (IPv6)
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced when a recvfrom buffer post operation completes on a socket:
- An application completes a recvfrom operation.
The following parameters are logged for the recvfrom completion:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The number of bytes received into the buffer. For chained buffers, this parameter is the total bytes received in all buffers in the chain. |
Address | The remote IP address of the socket. |
Port | The remote IP port number of the socket. |
SendTo Completed
Event ID = 28
Level = 5 (Verbose)
In order to diagnose user buffer corruption (for example, when an application re-uses the same buffer in another send or receive call while it's still in use), the data buffer is logged when posted to Winsock and upon completion by the underlying transport. The following Winsock events are traced when a sendto buffer post operation completes on a socket:
- An application completes a sendto operation.
The following parameters are logged for the sendto completion:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
BufferCount | The buffer count. |
Buffer | The virtual address of the buffer. For chained buffers, this parameter is the virtual address of the first buffer in the chain. |
BufferLength | The number of bytes sent from the buffer. For chained buffers, this parameter is the total bytes sent from all buffers in the chain. |
Address | The remote IP address of the socket. |
Port | The remote IP port number of the socket. |
Socket Option Set
Event ID = 29
Level = 5 (Verbose)
Whenever an application changes certain socket option values and Ioctls, the new values will be logged. The options logged can be used to diagnose poor performance or strange behavior in applications. The following Winsock events are traced for certain socket options and Ioctls:
- SO_SNDBUF changes.
- SO_RCVBUF changes.
- FIONBIO
- SIO_ENABLE_CIRCULAR_QUEUEING
- SIO_UDP_CONNRESET
- SO_OOBINLINE
The following parameters are logged for setsockopt and WSAIoctl function calls that change any of the above values:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Option | The socket option or Ioctl that is changed. |
Value | The new value for the socket option or Ioctl. |
Select/Poll Posted
Event ID = 30
Level = 5 (Verbose)
This Winsock event is traced when an application calls the select or WSAPoll function.
The following parameters are logged for select or WSAPoll events:
Parameter | Description |
---|---|
Process | The owning process ID. |
HandleCount | The number of handles passed in by the application (only valid on the initiating event). |
Timeout | The maximum time for the select or WSAPoll function to wait. |
Select/Poll Completed
Event ID = 31
Level = 5 (Verbose)
This Winsock event is traced when a select or WSAPoll call made by an application completes.
The following parameters are logged when a select or WSAPoll operation completes:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Error | The error code returned for the select or WSAPoll operation. |
WSAEventSelect
Event ID = 32
Level = 5 (Verbose)
The following Winsock events are traced when an application calls the WSAEventSelect function:
- Log the event mask passed in the WSAEventSelect function.
The following parameters are logged for WSAEventSelect function calls:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
EventMask | The value for the event mask. |
Dropped Datagram
Event ID = 33 (IPv4), Event ID = 34 (IPv6)
Level = 5 (Verbose)
To help diagnose issues around datagram applications, the following Winsock events are traced:
- When a datagram arrives and is dropped due to insufficient buffer space.
- On a connected datagram socket, when data arrives from a source other than the connected destination.
The following parameters are logged for dropped datagrams:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
PacketSize | The size of the packet that was dropped. |
Address | The IP address of the source of the packet. |
Port | The IP port number of the source of the packet. |
Reason | The error code or reason the packet was dropped. |
Connection Indicated
Event ID = 35 (IPv4), Event ID = 36 (IPv6)
Level = 5 (Verbose)
The following Winsock events are traced for connection indicated operations:
- An application receives a connection request.
The following parameters are logged for connections indicated from transport events:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Address | The remote IP address. |
Port | The remote IP port number. |
Data Indicated
Event ID = 37
Level = 5 (Verbose)
The following Winsock events are traced for data indicated operations:
- An application receives data on a connected socket.
The following parameters are logged for data indicated from transport events:
Parameter | Description |
---|---|
Process | The owning process ID. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Bytes Indicated | The number of bytes received on the socket. |
Data Indicated from Transport
Event ID = 38 (IPv4), Event ID = 39 (IPv6)
Level = 5 (Verbose)
The following Winsock events are traced for data indicated from transport operations:
- An application posts a receive request and receives data.
The following parameters are logged for data indicated from transport events:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |
Address | The remote IP address. |
Port | The remote IP port number. |
Bytes Indicated | The number of bytes received on the socket. |
Disconnect Indicated from Transport
Event ID = 41
Level = 5 (Verbose)
The following Winsock events are traced for disconnect indicated operations:
- An application receives a disconnect indication.
The following parameters are logged for disconnect indicated from transport events:
Parameter | Description |
---|---|
Process | The kernel EPROCESS structure address for the process. |
Endpoint | The Winsock kernel socket address used as a unique identifier for a socket. |