简体繁体 English

以编程方式获取 Windows 上的每个进程的网络统计信息？

[英]Programmatically getting per-process network statistics on Windows?

原文 2009-03-10 13:56:38 3 5 performance/ winapi/ networking

I'd like to find out which processes are using my network.我想知道哪些进程正在使用我的网络。 This is quite easy in Linux, but I'm stumped as to how to do this in Windows.这在 Linux 中很容易，但我很难在 Windows 中做到这一点。

Essentially, I'd like, for each process, to know how many bytes it has read/written to the network over a time period.本质上，对于每个进程，我想知道它在一段时间内读取/写入网络的字节数。 If I could know IP addresses/port numbers, etc., that would be awesome.如果我能知道 IP 地址/端口号等，那就太好了。

Any pointers?任何指针？ Windows Vista/Windows 2008 seem to be able to do this in Resource Monitor. Windows Vista/Windows 2008 似乎能够在资源监视器中执行此操作。 How do they do it?他们是怎么做到的呢？ What's the overhead?开销是多少？

I want to do this in my own code, so utilities (TCPView, PerfMon) aren't useful to me.我想在自己的代码中执行此操作，因此实用程序（TCPView、PerfMon）对我没有用。 I'd also like to have separate disk and network I/O counters, so the default performance counters aren't enough.我还希望有单独的磁盘和网络 I/O 计数器，所以默认的性能计数器是不够的。

Windows XP, 2003, Vista, 2008 and 7 preferred. Windows XP、2003、Vista、2008 和 7 优先。 Win32 or COM OK. Win32 或 COM 好的。

5 个解决方案

After quite of research here's what I've come up with:经过大量研究，这是我想出的：

There are a number of posts in various forums asking for this same info.各种论坛中有许多帖子要求提供相同的信息。
The only possible programmatic solution I saw was to use Event Tracing for Windows (ETW).我看到的唯一可能的编程解决方案是对 Windows (ETW) 使用事件跟踪。 That would take a small book to explain/understand.那需要一本小书来解释/理解。
The PERF counters, which can be obtained from the registry, are not Powershell friendly.可以从注册表中获取的 PERF 计数器对 Powershell 不友好。 They use data structures that are designed to be consumed by C/C++ programs.它们使用旨在供 C/C++ 程序使用的数据结构。 URL of a pretty complete example: http://msdn.microsoft.com/en-us/library/windows/desktop/aa372138(v=vs.85).aspx URL 一个相当完整的例子： http://msdn.microsoft.com/en-us/library/windows/desktop/aa372138(v=vs.85).aspx
SysInternals has TCPVIEW which shows network usage by process. SysInternals 有 TCPVIEW，它按进程显示网络使用情况。 When you start it most processes don't show any usage.当您启动它时，大多数进程不会显示任何使用情况。 It appears to only collect usage info for the time period it is running.它似乎只收集它正在运行的时间段的使用信息。 Which lends weight to the idea that ETW is being used.这为使用 ETW 的想法提供了支持。
If I browsed websites with IE9, I would see processes being created in TCPVIEW.如果我用 IE9 浏览网站，我会看到 TCPVIEW 中正在创建进程。 In most cases the processes would disappear (terminate) within a minute or so - along with the stats of the process.在大多数情况下，进程会在一分钟左右内消失（终止） - 以及进程的统计信息。
Similarly to ProcessExplorer, when processes are created they are highlighted green, and when they are destroyed they are highlighted red.与 ProcessExplorer 类似，当创建进程时，它们以绿色突出显示，当它们被销毁时，它们以红色突出显示。
Red highlighted processes disappear after the next Update.红色突出显示的进程在下一次更新后消失。 Update frequency can be 1, 2, or 5 seconds.更新频率可以是 1、2 或 5 秒。 However there is a registry settings, HKEY_CURRENT_USER\Software\Sysinternals\TCPView\Settings which can be modified to set other refresh frequencies.但是有一个注册表设置，HKEY_CURRENT_USER\Software\Sysinternals\TCPView\Settings 可以修改以设置其他刷新频率。 If is a DWORD at offset 0x98, and is in milliseconds. If 是偏移量 0x98 处的 DWORD，以毫秒为单位。
TCPVIEW has a "Save"/"Save As" menu item. TCPVIEW 有一个“保存”/“另存为”菜单项。 The output is a space delimited text file that has the per process usage stats that are currently displayed in the GUI. output 是一个以空格分隔的文本文件，其中包含当前显示在 GUI 中的每个进程的使用情况统计信息。 Below is a sample line from the file.以下是文件中的示例行。 The numbers at the end of the line are received pkts/sec, received bytes/sec, transmitted pkts/sec and bytes/sec, (not necessarily in that order) iexplore.exe 864 TCP tin 61207 a96-17-203-64.deploy.akamaitechnologies.com http ESTABLISHED 2 12,928 8 9,420该行末尾的数字是接收的 pkts/sec、接收的字节/秒、传输的 pkts/sec 和字节/秒，（不一定按此顺序） iexplore.exe 864 TCP tin 61207 a96-17-203-64.deploy.akamaitechnologies.com http ESTABLISHED 2 12,928 8 9,420

So...所以...

A possible solution is to use TCPVIEW and control it via key strokes generated programmatically from a script.一种可能的解决方案是使用 TCPVIEW 并通过从脚本以编程方式生成的击键来控制它。 You could set the refresh interval to 1, 10, 30, etc. minutes and have the script send the keystrokes to make TCPVIEW save the output in a file.您可以将刷新间隔设置为 1、10、30 等分钟，并让脚本发送击键以使 TCPVIEW 将 output 保存在文件中。 You'd probably want the script to send the keystrokes at half or a third of the refresh interval, to make sure you are getting a snapshot that is at least as long as 1/2 or 2/3 of the refresh interval.您可能希望脚本以刷新间隔的一半或三分之一发送击键，以确保您获得的快照至少与刷新间隔的 1/2 或 2/3 一样长。 You could import the file using Import-CSV, and easily manipulate it within the script.您可以使用 Import-CSV 导入文件，并在脚本中轻松操作它。

Or...或者...

You could get masochistic and use ETW.您可能会变得自虐并使用 ETW。

Or...或者...

You could go off the deep end and port Linux's proc file system (which, as you noted, is a lot easier to use from scripts) to Windows:-)您可以将 go 关闭，并将 Linux 的 proc 文件系统（正如您所指出的，从脚本中使用起来更容易）到 Windows:-)

You'd be amazed at the stuff you can get out of Perfmon.你会惊讶于你可以从 Perfmon 中得到的东西。

Bring it up, right click in the graph area, and select "Add Counters...".调出，在图形区域右击，select "Add Counters..."。 Surf around and see if anything does what you want.四处冲浪，看看是否有任何东西可以满足您的需求。

From my reading of what you are asking, I'd select "Process" as my performance object, and start selecting likely looking culprits from the list of processes, with perhaps "IO Data Bytes/sec" counters being watched.根据我对您所问的内容的阅读，我将 select“进程”作为我的性能 object，并开始从进程列表中选择可能看起来的罪魁祸首，可能会观察“IO 数据字节/秒”计数器。 If you mess around in there you may find something more useful to you to look at though.如果你在那里乱七八糟，你可能会发现一些对你更有用的东西。

Edit : I'm noticing that it says "Programatically" (did it say that yesterday?)编辑：我注意到它说“以编程方式”（昨天是这样说的吗？）

Well, you can actually get pretty much all the information Perfmon gets from the registry with the key HKEY_PERFORMANCE_DATA .好吧，您实际上可以通过键HKEY_PERFORMANCE_DATA获得 Perfmon 从注册表中获取的几乎所有信息。 I think that's what Perfmon enumerates and uses, so you should be able to poke around with perfmon to see what's there and works for you, then write code to read it out in realtime in your own program.我认为这就是 Perfmon 枚举和使用的内容，因此您应该能够使用 perfmon 来查看其中的内容并为您工作，然后编写代码在您自己的程序中实时读取它。

One of the really nice things about this method, is that it even works remotely, if you have the right privs.这种方法的真正好处之一是，如果您拥有正确的权限，它甚至可以远程工作。

You will need to use the IPHelper API.您将需要使用 IPHelper API。

Here is a good article detailing its use from .NET: http://www.codeproject.com/KB/IP/iphlpapi.aspx这是一篇很好的文章，详细介绍了 .NET 的使用： http://www.codeproject.com/KB/IP/iphlpapi.aspx

Enjoy.享受。

I wrote a solution to this.我为此写了一个解决方案。

A TDI filter driver to collect the stats, a service which communicates with the driver and gets the stats once per second.用于收集统计信息的 TDI 过滤器驱动程序，该服务与驱动程序通信并每秒获取一次统计信息。 Since the filter is at the TDI layer, I know which sockets belong to which applications.由于过滤器在TDI层，我知道哪个sockets属于哪个应用。 The service is a server for this data, offering it via shared memory to arbitrary third party clients via an API I wrote.该服务是该数据的服务器，通过共享的 memory 通过我编写的 API 将其提供给任意第三方客户端。 I wrote a GUI and a command line client.我写了一个 GUI 和一个命令行客户端。

You can also bandwidth shape sends (per interface and/or application and/or socket) and watch data passing over a socket in real time, in a window.您还可以在 window 中对发送（每个接口和/或应用程序和/或套接字）进行带宽整形并实时观察通过套接字传递的数据。

Use ETW with EVENT_TRACE_FLAG_NETWORK_TCPIP will do the job.使用带有 EVENT_TRACE_FLAG_NETWORK_TCPIP 的 ETW 将完成这项工作。