Process Monitor (procmon) does not show some UDP / TCP network activity events, shown in Network Monitor
I observe sometimes a difference between Process Monitor and Network Monitor. Process Monitor does not show some UDP / TCP network events.
Here is an example:
net use * \test12345.domain.localtest
shows in Netmon as:
shows in Process Monitor:
Why is the NetBIOS name service (:137) communication missing in Process Monitor?
(I've tested it on several virtual and physical Windows PCs, like Windows Server 2008 R2, Windows 7, and Windows Server 2008.)
windows networking procmon tracing netmon
asked Dec 20 '14 at 9:36 by marsh-wiggle
edited Dec 9 at 7:19 by Peter Mortensen
I would ask on the sysinternals forum and for more clues, there is a fork of Wireshark that associates packets with process, if netmon doesn't. It might be that the 137 network traffic happens at the kernel level from a Localsystem level access.
– Justin Dearing
Dec 23 '14 at 22:46
2 Answers
System is deactivated by the default filter (exclude system events). Delete the filter and these events will show up.
answered Dec 23 '14 at 23:02 by Justin Dearing
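The following is an added example and is not code from the question or from the answer above. It reproduces the scenario with Process Monitor's default filter cleared and then lists the port 137 events from the exported trace. Procmon's default filter contains the rule "Process Name is System, then Exclude"; NetBIOS name queries are sent by the NetBT driver in kernel mode, so Procmon attributes them to the System process (PID 4), and that rule hides them. In the GUI the equivalent fix is Filter > Filter..., select the System exclusion rule and click Remove. The script assumes procmon.exe is on the PATH, that the session is elevated, and that \\test12345.domain.local\test is a hypothetical share name that need not resolve.

```powershell
# Added example, not code from the original question or answers.
# Assumptions: procmon.exe on PATH, elevated session, and a hypothetical
# UNC path \\test12345.domain.local\test that is not expected to resolve.

$trace = Join-Path $env:TEMP 'netuse.pml'
$csv   = Join-Path $env:TEMP 'netuse.csv'

# Start a headless capture. /NoFilter clears the default filter, whose
# "Process Name is System -> Exclude" rule is what hides the NetBIOS name
# service traffic: NetBT sends those queries from kernel mode, so Procmon
# attributes them to the System process (PID 4).
Start-Process procmon.exe -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
    "/BackingFile `"$trace`""
)
Start-Sleep -Seconds 5   # give the Procmon driver time to load

# Trigger the name resolution. The mapping is expected to fail; only the
# lookup traffic matters here.
cmd.exe /c 'net use * \\test12345.domain.local\test' 2>&1 | Out-Null

# Stop the capture and convert the PML to CSV. Without /SaveApplyFilter the
# export contains every captured event, including those from System.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Wait-Process -Name procmon, procmon64 -ErrorAction SilentlyContinue
Start-Process procmon.exe -ArgumentList @("/OpenLog `"$trace`"", "/SaveAs `"$csv`"") -Wait

function Find-NetbiosNsEvents {
    param([Parameter(Mandatory)][string]$Path)
    # Procmon resolves well-known ports to service names by default, so port
    # 137 appears as "netbios-ns" unless "Show Resolved Network Addresses"
    # is turned off in the Options menu; match both spellings.
    Import-Csv -Path $Path |
        Where-Object {
            $_.Operation -like 'UDP*' -and
            $_.Path -match ':(137|netbios-ns)\b'
        } |
        Select-Object 'Time of Day', 'Process Name', PID, Operation, Path
}

Find-NetbiosNsEvents -Path $csv | Format-Table -AutoSize
```

If the table comes back empty after a capture taken with the default filter still in place, that is the symptom described in the question: the events were recorded, but the System process was excluded from the view, and on a saved trace that exclusion is only cosmetic, so re-running the function over an export made without /SaveApplyFilter still shows them.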
Shot in the dark: Use psexec to run Process Monitor as localsystem.
answered Dec 23 '14 at 22:47 by Justin Dearing
edited Dec 9 at 7:15 by Peter Mortensen
What is "localsystem"? A Windows user account? Or something else? Can you add a reference?
– Peter Mortensen
Dec 9 at 7:32