Capture incoming HTTP requests and outgoing HTTP requests using ETW


We are currently using ETW to generate all application traces from our web tiers (ASP.NET MVC + WebApi). We want to extend our tracing to automatically record incoming HTTP requests, and outgoing HTTP requests (preferably without having to instrument all our API/MVC code).

Hence, I was looking at built-in ETW providers either in IIS or in ASP.NET that I could leverage. I looked at the following ETW providers, and tried to collect traces using PerfView:

  • Microsoft-Windows-HttpEvent {7B6BC78C-898B-4170-BBF8-1A469EA43FC5}
  • Microsoft-Windows-HttpLog {C42A2738-2333-40A5-A32F-6ACC36449DCC}
  • Microsoft-Windows-HttpService {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}
  • Microsoft-Windows-Runtime-Web-Http {41877CB4-11FC-4188-B590-712C143C881D}
  • Microsoft-Windows-Runtime-WebAPI {6BD96334-DC49-441A-B9C4-41425BA628D8}
  • ASP.NET Events {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
  • Microsoft-Windows-IIS-APPHOSTSVC {CAC10856-9223-48FE-96BA-2A772274FB53}
  • Microsoft-Windows-IIS-Logging {7E8AD27F-B271-4EA2-A783-A47BDE29143B}
  • Microsoft-Windows-IIS-W3SVC {05448E22-93DE-4A7A-BBA5-92E27486A8BE}

I'm able to capture events from other processes (including .NET + Kernel, and our own custom traces), but nothing from the above providers.

What am I missing? How do I enable the built-in ASP.NET/IIS ETW providers? Are there other providers/events that would give me the ability to inspect the incoming & outgoing HTTP requests?

Platform: Running Windows 8.1/Windows Server 2012 R2 + ASP.NET 4.5 + IIS 8.5

There are 2 answers

Naveen On

Here is the list of ASP.NET, IIS and HTTP events I used.

  • aff081fe-0247-4275-9c4e-021f3dc1da35
  • ee799f41-cfa5-550b-bf2c-344747c1c668
  • de4649c9-15e8-4fea-9d85-1cdda520c334
  • de4649c9-15e8-4fea-9d85-1cdda520c334
  • aff081fe-0247-4275-9c4e-021f3dc1da35
  • 06b94d9a-b15e-456e-a4ef-37c984a2cb4b
  • d55d3bc9-cba9-44df-827e-132d3a4596c2
  • a1c2040e-8840-4c31-ba11-9871031a19ea
  • 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83
  • 23108b68-1b7e-43fa-94fb-ec3066805744
  • 7b6bc78c-898b-4170-bbf8-1a469ea43fc5
  • dd5ef90a-6398-47a4-ad34-4dcecdef795f
  • cac10856-9223-48fe-96ba-2a772274fb53
  • ab29f35c-8531-42ff-810d-b8552d23bc92
  • bbb924b8-f415-4f57-aa45-1007f704c9b1
  • da9a85bb-563d-40fb-a164-8e982ea6844b
  • 05448e22-93de-4a7a-bba5-92e27486a8be
  • 90303b54-419d-4081-a683-6dbcb532f261
  • 23108b68-1b7e-43fa-94fb-ec3066805744
  • 670080d9-742a-4187-8d16-41143d1290bd
  • de4649c9-15e8-4fea-9d85-1cdda520c334

Edit: Here is a post on how I used these additional providers to troubleshoot the request and response messages from IIS to external authentication providers: "View the HTTP redirect and response message from an external authentication provider using ETW".

Alexey Korovin On

I did some research myself, and I'm able to collect incoming HTTP requests to my IIS Express service with a ctrl.guid file containing only one provider (make sure you set 0xffff and 0x5 as flags):

{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}  0xffffffff  5   Microsoft-Windows-HttpService    

The Deliver event has the URL and the application pool that will handle the request, "Clr4IntegratedAppPool{guid}" in my case.
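
The capture described in the second answer, written out end to end as an added example that is not part of either answer: it enables Microsoft-Windows-HttpService with the same keyword mask and level as the ctrl.guid line, passed inline with `logman -p` instead of through a file, then reads the trace back. The session name, the output path and the text match used to pick out Deliver events are assumptions.

```powershell
# Added example, not from the answers. Run in an elevated PowerShell prompt.
$session = 'HttpServiceTrace'     # hypothetical session name
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl     = Join-Path $env:TEMP "httpservice-$stamp.etl"   # hypothetical output path

# Same provider, keyword mask and level as the ctrl.guid line in the answer.
logman start $session -p 'Microsoft-Windows-HttpService' '0xffffffff' '5' -o $etl -ets
if ($LASTEXITCODE -ne 0) {
    throw "logman start failed with exit code $LASTEXITCODE"
}

try {
    Read-Host 'Tracing HTTP.sys. Send requests to the site, then press Enter' | Out-Null
}
finally {
    # Always stop the session, otherwise it keeps writing to disk.
    logman stop $session -ets
}

# .etl files have to be read oldest-first.
$events = Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-HttpService' }

# Event count per ID, to see what the provider actually emitted.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Assumption: the Deliver events mentioned in the answer render with
# "Deliver" in their opcode name or message text on this machine.
$events |
    Where-Object { "$($_.OpcodeDisplayName) $($_.Message)" -match 'Deliver' } |
    Select-Object TimeCreated, Id, ProcessId, Message |
    Format-List
```

The trace records full request URLs, so query-string tokens and session identifiers end up in the .etl file; store and share it with the same care as the web server logs.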