Network Monitoring


I'm trying to find a way to monitor network sessions under Windows
Terminal Server. We may not be able to use the Layered Service Provider (SPI)
interface, since it would intercept only Winsock calls. There might be
clients that use the network without using this interface. Also, we would like
to have the ability to run in promiscuous mode.

We have a choice of using a TDI filter driver and/or a filter hook for Win2K
and later, but the problem is, once we capture packets, how could we relate
them to a process ID? As soon as we see a new source port (only for the
client side), we need to know what process caused this packet to come down
the stack. Then we may be able to use the Terminal Services API to relate it to a
user session.

I also looked at the Monitoring API in the SDK, and some of the query
structures mention UserName and Station Name. Here we have a situation where
multiple concurrent user sessions are going on.
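The chain the post describes (source port, then owning process, then Terminal Services session and user), worked through in user mode as an added example that is not part of the original post. It uses Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 or later), the System.Diagnostics.Process SessionId property and the Win32_Process GetOwner CIM method; it does not show the kernel-mode TDI or filter-hook capture the post asks about, and the function name Resolve-PortOwner is my own.

```powershell
# Added example (not from the original post): map a local TCP source port to the
# owning process, then to its Terminal Services session and logged-on user.
# Assumes the NetTCPIP module (Windows 8 / Server 2012+) and an elevated shell,
# since OwningProcess and GetOwner are only fully populated with admin rights.

function Resolve-PortOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$LocalPort
    )

    # A packet seen on the wire with this source port belongs to the socket bound
    # to that local port. Listening sockets are skipped: the post only cares about
    # client-side (outbound) ports.
    $conns = Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' }
    if (-not $conns) { return }

    foreach ($c in $conns) {
        $procId = $c.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

        # Process.SessionId is the Terminal Services session the process runs in
        # (the same value ProcessIdToSessionId returns); Win32_Process.GetOwner()
        # gives the account the process runs as.
        $cim   = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        $owner = if ($cim) { Invoke-CimMethod -InputObject $cim -MethodName GetOwner } else { $null }

        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            ProcessId     = $procId
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            SessionId     = if ($proc) { $proc.SessionId } else { $null }
            User          = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        }
    }
}

# Usage: resolve the owner of every established connection on the box, which on
# a Terminal Server shows one SessionId/User pair per logged-on user.
Get-NetTCPConnection -State Established |
    ForEach-Object { Resolve-PortOwner -LocalPort $_.LocalPort } |
    Sort-Object SessionId, ProcessId, LocalPort -Unique |
    Format-Table -AutoSize
```

The lookup is inherently racy: a short-lived connection can be torn down, and its port reused, between the moment a packet is captured and the moment the TCP table is queried, and a process that has already exited shows up as `<exited>`. That window is the reason the post wants the process and session identified at capture time rather than after the fact.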