Thursday, September 23, 2010

Tracing network traffic of a custom WebService/WCF client running natively on x64 Windows

Assume you have a custom WebService/WCF client speaking with your own or a 3rd-party service.


The client may be managed or unmanaged code, but it runs natively on x64 (not under WOW64). One day you may need to discover what data is really sent and received over the wire (for example, to inspect the SOAP envelopes).

The usual constraint is that you aren’t permitted to install any “heavy-artillery” tools like Wireshark on the target box (where the client is running).

One possible solution is STRACE, a free and footprint-less tool from Microsoft:
http://www.microsoft.com/downloads/en/details.aspx?familyid=F5EC767F-27F2-4FB3-90A5-4BF0D5F4810A&displaylang=en

Based on the Detours library and designed for Internet Explorer tracing, the tool is also useful for tracing the socket activity of nearly any custom Windows application that sends or receives data over the network.

Since 2009, STRACE also supports x64 versions of Windows.

Here is a short manual on how to trace the socket traffic of a custom application running on an x64 version of Windows.

1. Install STRACE from the location above. You will get a folder called STRACE with a subfolder x64 containing the bits required to run on x64 Windows.


2. Start your custom client and find the process ID of your application (using, for example, Task Manager or Process Explorer).

3. Assume your client application has process ID 4976. Open a console AS ADMINISTRATOR (it is essential!) and navigate to the STRACE folder. Then issue the following command:

c:\program files (x86)\strace>runelevate x64\injdll /d:x64\strace.dll /p:4976


runelevate – ensures elevation of the user’s privileges to administrator level if UAC is active
x64\injdll – injects strace.dll into the process space of the custom application so that its network traffic can be traced
/d:x64\strace.dll – points to the suitable version of strace.dll, which does the actual tracing. It is important to specify the correct library, since there is no way to inject a 32-bit library into a 64-bit process or vice versa.
/p:4976 – specifies the process ID into which strace.dll is injected.

After you launch the command above, tracing starts as soon as the first network communication is issued by or for the specified process. At the same time, STRACE creates a log file (usually on your desktop), named according to the following pattern:

STRACE_<process name>_PID_<process ID>_<date>_<time>.LOG

This file contains all the socket conversations of your application:


To stop tracing, just close your application. The injection is not performed again automatically when the application restarts.
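The whole procedure above can be scripted so that the bitness rule from step 3 is enforced before anything is injected. The following PowerShell script is an added example, not part of the original post or of the STRACE package: it resolves the client’s PID by process name, asks Windows whether that process is a WOW64 (32-bit) one, picks the matching strace.dll, runs the injection, and then waits for the log file. It assumes STRACE is installed under `%ProgramFiles(x86)%\strace`, that `runelevate` and `injdll` are `.exe` files, and that a 32-bit build lives in an `x86` subfolder (only `x64` is mentioned on the page).

```powershell
# Added example (not from the original post): inject the correct strace.dll into a
# running WebService/WCF client and wait for the STRACE log to appear.
# Assumptions: $StraceRoot is the STRACE install folder; runelevate/injdll are .exe files;
# a 32-bit build is assumed to live in an "x86" subfolder next to "x64".
param(
    [Parameter(Mandatory = $true)][string]$ClientName,          # process name without .exe
    [string]$StraceRoot = "${env:ProgramFiles(x86)}\strace"     # assumed install location
)

# IsWow64Process tells a 32-bit (WOW64) process apart from a native x64 one.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64);
'@

$procs = @(Get-Process -Name $ClientName -ErrorAction SilentlyContinue)
if ($procs.Count -ne 1) { throw "Expected exactly one '$ClientName' process, found $($procs.Count)." }
$proc = $procs[0]

# Opening the process handle requires an elevated console, as the post demands.
$isWow64 = $false
if (-not [Win32.Native]::IsWow64Process($proc.Handle, [ref]$isWow64)) {
    throw "IsWow64Process failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))."
}

# A 32-bit DLL cannot be injected into a 64-bit process and vice versa: pick the matching build.
$arch   = if ($isWow64) { 'x86' } else { 'x64' }
$injdll = Join-Path $StraceRoot "$arch\injdll.exe"
$dll    = Join-Path $StraceRoot "$arch\strace.dll"
foreach ($f in $injdll, $dll) { if (-not (Test-Path $f)) { throw "Missing $f" } }

Write-Host "Injecting $dll into $($proc.ProcessName) (PID $($proc.Id), $arch)"
& (Join-Path $StraceRoot 'runelevate.exe') $injdll "/d:$dll" "/p:$($proc.Id)"

# The log is created on first socket activity as STRACE_<process name>_PID_<pid>_<date>_<time>.LOG;
# match on the PID only, since the exact form of <process name> is not documented on the page.
$desktop = [Environment]::GetFolderPath('Desktop')
$pattern = "STRACE_*_PID_$($proc.Id)_*.LOG"
Write-Host "Waiting for $pattern on $desktop (appears after the first network call)..."
do {
    Start-Sleep -Seconds 1
    $log = Get-ChildItem -Path $desktop -Filter $pattern -ErrorAction SilentlyContinue | Select-Object -First 1
} until ($log)
Write-Host "Trace log: $($log.FullName)"
```

Run it from the administrator console of step 3, e.g. `.\Trace-Client.ps1 -ClientName MyWcfClient`; the script only reports the path of the log, which you then open as in the post.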

Enjoy!
