

- Extract/Dump TCP
Fix an issue with duplicated connections: when an existing connection is found in TcpAcceptListenerComplete, multiple entries result:

etw -dump tcp -fd ETWController\ETWController.json -ipport *51453*
Source IP/Port -> Destination IP/Port     Received  Received Bytes        Sent Pack Sent Bytes            Retransmi %    Delay ms   Process Tags CmdLine
                                          Packets                         ets                             t Count
7/25/2024 1:41:45 PM +02:00 ETWController
 10.150.21.12:32914 -> 10.150.1.225:51453         6           6,981 Bytes         6           3,871 Bytes         0    0          0 SMSvcHost.exe(6008)
 10.150.21.12:32914 -> 10.150.1.225:51453         6           6,981 Bytes         6           3,871 Bytes         0    0          0 SMSvcHost.exe(6008)
 10.150.21.12:32914 -> 10.150.1.225:51453         6           6,981 Bytes         6           3,871 Bytes         0    0          0 SMSvcHost.exe(6008)
                                  Total's:       18          20,943 Bytes        18          11,613 Bytes         0      -         0 ms Total Connection's accessed: 3

etw -dump tcp -fd ETWController_patch\ETWController.json -ipport *51453*
Source IP/Port -> Destination IP/Port     Received  Received Bytes        Sent Pack Sent Bytes            Retransmi %    Delay ms   Process Tags CmdLine
                                          Packets                         ets                             t Count
7/25/2024 1:41:45 PM +02:00 ETWController
 10.150.21.12:32914 -> 10.150.1.225:51453         6           6,981 Bytes         6           3,871 Bytes         0    0          0 SMSvcHost.exe(6008)
AloisKraus committed Sep 17, 2024
1 parent 98a5f80 commit a4119fb
Showing 2 changed files with 19 additions and 1 deletion.
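--- a/ETWAnalyzer/Extractors/TCP/TCPExtractor.cs
+++ b/ETWAnalyzer/Extractors/TCP/TCPExtractor.cs
@@ -51,6 +51,11 @@ internal class TCPExtractor : ExtractorBase
 /// </summary>
 readonly List<TcpAcceptListenerComplete> myAcceptListenerCompletes = new();
 
+/// <summary>
+/// Prevent adding accept events more than once from <see cref="myAcceptListenerCompletes"/>. Otherwise we will duplicate keep adding duplicate connection with
+/// same tcb, connect and disconnect time.
+/// </summary>
+HashSet<TcpAcceptListenerComplete> myAlreadyAdded = new();
 
 public TCPExtractor()
 {
@@ -391,6 +396,8 @@ private bool IsValidTcpEvent(IGenericEvent ev)
 return ev.ProviderId == TcpETWConstants.Guid && ev.Process?.ImageName != null && ev.Fields != null;
 }
 
+
+
 TcpRequestConnect LocateConnection(ulong tcb, DateTimeOffset time, ETWExtract extract, ref ILookup<ulong, TcpRequestConnect> connectionsByTcb)
 {
 // Check if we have already a stored connection
@@ -419,12 +426,13 @@ TcpRequestConnect LocateConnection(ulong tcb, DateTimeOffset time, ETWExtract ex
 // Some connections are in connecting state but we have not got connect event anymore. Use This event instead
 foreach (var complete in myAcceptListenerCompletes)
 {
-if (complete.Tcb == tcb)
+if (complete.Tcb == tcb && !myAlreadyAdded.Contains(complete) )
 {
 var processIdx = extract.GetProcessIndexByPidAtTime((int) complete.ProcessId, complete.Timestamp);
 var connection = new TcpRequestConnect(complete.Tcb, complete.LocalIpAndPort, complete.RemoteIpAndPort, complete.Timestamp, null, processIdx);
 myConnections.Add(connection);
 connectionsByTcb = myConnections.ToLookup(x => x.Tcb);
+myAlreadyAdded.Add(complete);
 return connection;
 }
 }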
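Review bot: The de-duplication in LocateConnection keys `myAlreadyAdded` on object identity (the companion file only overrides GetHashCode to return `base.GetHashCode()` and no Equals override is visible), so the new guard stops the same `complete` instance from being re-added but would not catch a second, distinct accept event carrying the same TCB and timestamp, which is the duplicate case the commit message describes; whether such distinct instances actually occur cannot be told from the hunk. The `Contains` check plus the later `Add` is two lookups for the same key; because the branch returns right after, `if (complete.Tcb == tcb && myAlreadyAdded.Add(complete))` does the same work in one (assuming the lines in between do not throw) and also removes the stray space before `)`. In the first hunk the new field should be `readonly HashSet<TcpAcceptListenerComplete> myAlreadyAdded = new();` to match `myAcceptListenerCompletes`, and its summary reads better as `/// Accept events that were already turned into a connection, so repeated lookups for the same TCB do not add duplicate connections.`. LocateConnection begins and ends outside the hunk.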
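--- a/ETWAnalyzer/Extractors/TCP/TcpAcceptListenerComplete.cs
+++ b/ETWAnalyzer/Extractors/TCP/TcpAcceptListenerComplete.cs
@@ -43,5 +43,15 @@ public TcpAcceptListenerComplete(IGenericEvent ev)
 Compartment = ev.Fields[TcpETWConstants.CompartmentField].AsUInt32;
 Timestamp = ev.Timestamp.DateTimeOffset;
 }
+
+public override int GetHashCode()
+{
+return base.GetHashCode();
+}
+
+public override string ToString()
+{
+return $"LocalIpPort: {LocalIpAndPort} -> {RemoteIpAndPort} TCB: 0x{Tcb:X} TimeStamp: {Timestamp} ProcessId {ProcessId} Compartment: {Compartment}";
+}
 }
 }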
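Review bot: The added `GetHashCode` override returns `base.GetHashCode()`, which is exactly what the inherited method already does, so it changes nothing, and an override of GetHashCode without a matching Equals override is a trap for whoever later adds value equality, since the two must agree. If identity equality is intended (which is what the `myAlreadyAdded` set in TCPExtractor relies on), drop the override; if equality by Tcb and Timestamp is intended, override both `Equals` and `GetHashCode` together on those fields. The new `ToString` is fine for diagnostics, but `{Timestamp}` formats with the current culture, so consider `{Timestamp:O}` if the output is ever parsed or compared. The hunk opens inside the constructor, whose start is outside it.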
