Assume you have a custom WebService/WCF client talking to your own or a third-party service.
The client may be managed or unmanaged code, but it runs natively on x64 (not under WOW64). One day you may need to find out what data is really sent and received over the wire (for example, to inspect SOAP envelopes).
The usual constraint is that you aren’t permitted to install any “heavy artillery” tools like Wireshark on the target box (where the client is running).
One possible solution is to use a free, footprint-less tool from Microsoft, STRACE:
Based on the “Detours” utility and designed for Internet Explorer tracing, the tool is also useful for tracing the socket activity of nearly any custom Windows application that sends or receives data over the network.
Since 2009, STRACE also supports x64 versions of Windows.
Here is a short manual on what to do if you want to trace the socket traffic of a custom application running on an x64 version of Windows.
1. Install STRACE from the location above. You will get a folder called STRACE with a subfolder x64 containing the binaries required to run on x64 Windows.
3. Assume your client application has process ID 4976. Open a console AS ADMINISTRATOR (it is essential!) and navigate to the STRACE folder. Then issue the following command:
c:\program files (x86)\strace>runelevate x64\injdll /d:x64\strace.dll /p:4976
runelevate – elevates the user's access privileges to administrator level if UAC is active
x64\injdll – injects strace.dll into the process space of the custom application so that its network traffic can be traced
/d:x64\strace.dll – points to the matching version of strace.dll, which does the tracing. It is important to specify the correct library, since a 32-bit library cannot be injected into a 64-bit process and vice versa.
/p:4976 – specifies the ID of the process that strace.dll is injected into.
After you launch the command above, tracing starts as soon as the first network communication is issued by or for the specified process. At the same time, STRACE creates a log file (usually on your desktop), named according to the following pattern:
STRACE_<process name>_PID_<process ID>_<date>_<time>.LOG
This file contains all the socket conversations of your application:
To stop tracing, just close your application. The injection is not repeated automatically when the application restarts.
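
The checks below cover the conditions this procedure depends on: an elevated console, a native 64-bit target, strace.dll actually mapped into the process, and a log file matching the naming pattern. This is an added example, not part of STRACE; it assumes a 64-bit PowerShell session, and the default PID is the one used above. Run it before the injection for checks 1 and 2, and again afterwards for checks 3 and 4.

```powershell
# Added example: pre- and post-injection checks for the STRACE procedure above.
# Assumption: run from a 64-bit PowerShell session; 4976 is the article's sample PID.
param([int]$TargetPid = 4976)

# P/Invoke wrapper for kernel32!IsWow64Process (true = 32-bit process on 64-bit Windows).
Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool isWow64);
'@

# 1. The procedure requires an elevated console.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Console is not elevated; open it as Administrator first.'
}

# 2. x64\strace.dll only matches a native 64-bit process.
$proc = Get-Process -Id $TargetPid -ErrorAction Stop
$isWow64 = $false
if (-not [Native.Kernel32]::IsWow64Process($proc.Handle, [ref]$isWow64)) {
    throw "IsWow64Process failed for PID $TargetPid"
}
if (-not [Environment]::Is64BitOperatingSystem -or $isWow64) {
    throw "PID $TargetPid is a 32-bit process; x64\strace.dll does not match it"
}
"PID $TargetPid ($($proc.ProcessName)) is a native 64-bit process"

# 3. After running injdll: is strace.dll mapped into the target?
$proc.Refresh()
$module = $proc.Modules | Where-Object { $_.ModuleName -ieq 'strace.dll' }
if ($module) {
    "strace.dll loaded from $($module.FileName)"
} else {
    'strace.dll not loaded (not injected yet, or the application was restarted)'
}

# 4. Logs follow STRACE_<process name>_PID_<process ID>_<date>_<time>.LOG,
#    usually on the desktop of the user who ran the command.
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -Filter "STRACE_*_PID_${TargetPid}_*.LOG" |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime
```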