Differences
This shows you the differences between two versions of the page.
|
ep:labs:09 [2021/12/03 21:17] andrei.mirciu [Introduction] |
ep:labs:09 [2021/12/05 13:57] (current) andrei.mirciu [Tasks] |
||
|---|---|---|---|
| Line 28: | Line 28: | ||
| If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | ||
| </note> | </note> | ||
| + | |||
| + | ===== Proof of Work ===== | ||
| + | |||
| + | Before you start, create a [[http://docs.google.com/|Google Doc]]. Here, you will add screenshots / code snippets / comments for each exercise. Whatever you decide to include, it must prove that you managed to solve the given task (so don't show just the output, but how you obtained it and what conclusion can be drawn from it). If you decide to complete the feedback for bonus points, include a screenshot with the form submission confirmation, but not with its contents. | ||
| + | |||
| + | When done, export the document as a //pdf// and upload in the appropriate assignment on Moodle. Remember, the cut-off time is 15 minutes after the lab ends. | ||
| ===== Contents ===== | ===== Contents ===== | ||
| Line 38: | Line 44: | ||
| The Performance Monitor and Resource Monitor are two additional tools that admins and experienced Windows users may use to analyze performance or any resources related issues on Windows machines. | The Performance Monitor and Resource Monitor are two additional tools that admins and experienced Windows users may use to analyze performance or any resources related issues on Windows machines. | ||
| - | ===== Tasks ===== | + | ==== 01. RAM Monitoring ==== |
| - | <note warning> | + | Processes are dynamically allocating and using memory. Thus, it is possible to have memory allocation spikes. **Task Manager** shows you the amount of memory allocated to a process, by checking the **Peak Working Set** value in the Details tab. We can notice that the **Peak Working Set** can be sometimes significantly greater than the **Working Set**. |
| - | The password for {{:ep:laboratoare:logs2.zip | log2.zip}} and {{:ep:labs:build.zip | build.zip}} is: //parola// | + | |
| - | </note> | + | |
| - | {{namespace>:ep:labs:09:contents:tasks&nofooter&noeditbutton}} | + | ** What can we do if the system runs out of memory, but we do not know what causes this? ** |
| - | == 01. [30p] RAM Monitoring == | + | Let's imagine a situation when a system encounters issues if some conditions are met, and these conditions can be reproduced. To find out the root cause of this problem, we can start the **Windows Performance Recorder** tool. We need to select the following profiles for performance recording: **Heap usage**, **Pool usage** and **VirtualAlloc usage**. Moreover, we need to make sure that the detail level is set to verbose and the logging mode selected is for memory. |
| - | The memory usage by processes is dynamic, thus it is possible to have memory allocation spikes. **Task Manager** shows the amount of memory allocated to a process. To see this information, check the **Peak Working Set** value in the Details tab. It can be noticed that sometimes **Peak Working Set** can be significantly larger than **Working Set**. | + | Following the steps below, we can highlight how such a situation should be treated: |
| - | <spoiler> | + | ^ Part 1: Emphasize memory usage for each process ^^ |
| - | {{ :ep:laboratoare:ep5_taskmanager-ram.jpg?400 |}} | + | | **1.** Run, in parallel with the Windows Performance Recorder application, a program that allocates memory for a while and then stops. || |
| - | </spoiler> | + | | **2.** Save the capture and open it in Windows Performance Analyzer. || |
| + | | **3.** Right click on the Memory section and select the option to **Add all Memory graphs to Analysis View**. || | ||
| + | | **4.** Scroll down until you find the **Virtual Memory Snapshots** graph, which shows you the memory usage for all processes. || | ||
| - | == [15p] Task A - Identify the problem == | + | Going further, let's assume that we did not find any memory leaks for our program and the memory used by it gets successfully freed at the end. |
| - | * What can you do if the system runs out of memory, but you do not know what causes this? | + | ** How can we determine which part of the program is responsible for generating a memory spike? ** |
| - | Imagine a situation when a system encounters issues if some conditions are met, and these conditions can be reproduced. To find out the source of this problem, start **Windows Performance Recorder** configured as shown below. | + | A solution to this question can be achieved by using another tool from the Sysinternals suite, more precisely [[https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx | VMMap]]. With this tool, we can view a process's memory allocations and usage. |
| - | <spoiler> | + | ^ Part 2: Emphasize memory spike of a process ^^ |
| - | {{ :ep:laboratoare:ep5_wpa-ram-rec.jpg?400 |}} | + | | **1.** Go to Options -> Configure Symbols and make sure the paths are set correctly to point to the Microsoft Symbol Server and to the program's source files. || |
| - | </spoiler> | + | | **2.** Click OK and navigate to File -> Select Process. || |
| + | | **3.** Select the **Launch and trace a new process** tab, choose the corresponding executable application and the directory where it will run. || | ||
| + | | **4.** Click OK and let the program run. || | ||
| + | | **5.** To view the latest memory allocations, you need to click on the **Heap** row in the upper-part of the VMMap tool, and hit F5 (refresh) from time to time. || | ||
| + | | **6.** Select one memory allocation from the bottom-part of the VMMap tool and press the **Heap Allocations** button, located in the bottom right corner. || | ||
| + | | **7.** Press the **Stack** button to observe where the allocation occurred. By clicking on the **Source** button, we can view the actual code for the allocation. || | ||
| - | Run in parallel a program that allocates 1MB of memory every 100 milliseconds for a while and then stops. After the program stops running, save the capture and open it in **Windows Performance Analyzer**. You should get the following. | + | ==== 02. CPU Monitoring ==== |
| - | <spoiler> | + | Let's consider the same scenario as the one presented in the previous section. |
| - | {{ :ep:laboratoare:ep5_wpa-ram-select.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | Click **Add all Memory graphs to Analysis View** and scroll down to the **Virtual Memory Snapshot** graph which shows the memory usage for all processes. | + | Monitoring the CPU usage presents similar issues to the ones encountered when monitoring the memory usage. Task Manager can help us to find out the current CPU usage for a process. |
| - | <spoiler> | + | **How can we catch an event when the CPU usage briefly spikes up and then goes back to normal?** |
| - | {{ :ep:laboratoare:ep5_wpa-ram-graphs.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | After installing, it requires including the //vld.h// file. When writing the code, the following functions need to be overwritten: malloc, free, new, and delete. This allows each memory allocation and deallocation to be tracked. All the detected leakages (having an allocation that is not followed by a deallocation) will be saved in a log file that can be viewed after the program stops running. In the bottom part of the screenshot shown below, it can be noticed where the allocation took place and that it is not followed by a deallocation. | + | Using Task Manager, we would need to continuously have someone watching what is happening, to catch the moment when the spike occurs. To overcome this limitation, we can use Windows Performance Recorder, by selecting the **CPU usage** profile. |
| - | <spoiler> | + | Following the steps below, we can highlight how such a situation should be treated: |
| - | {{ :ep:laboratoare:ep5_visualstudio-vld.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | However, it might be the case that this is not a memory leak, and somewhere at the end of the program the memory gets unallocated. If this is the case, how can you determine which part of the program is responsible for generating the spike? This requires using another tool from SysInternals, [[https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx | VMMap]]. With this tool you can view a process's memory allocations and usage. Use it to run the program that allocates 1 MB of memory every 100 milliseconds. | + | ^ Emphasize the CPU usage of a program ^^ |
| + | | **1.** Run, in parallel with the Windows Performance Recorder application, a program that generates CPU usage for a while and then stops. || | ||
| + | | **2.** Save the capture and open it in Windows Performance Analyzer. || | ||
| + | | **3.** Right click on the Computation section and select the option to **Add all Computation graphs to Analysis View**. || | ||
| + | | **4.** The **CPU Usage** graph shows the impact of our program and helps us to determine who is generating this load. || | ||
| - | <spoiler> | + | <note> |
| - | {{ :ep:laboratoare:ep5_vmmap-configure.jpg?400 |}} | + | To further debug this situation, as in the previous case of the memory, if the program that runs the problematic process was not written by us, we need to check whether it is useful or not. If the answer is no, we should definitely stop it. In case it is useful, but the program is not ours, we can try to find an update to fix the problem, or report the issue to the producer. If the program is written by us (this course - Performance Evaluation - targets such processes developed by us), then it is important to determine what causes this problem. Unfortunately, unlike in the case of monitoring the memory usage, there is no tool that can show us the entire stack, so we need to create one. |
| - | </spoiler> | + | </note> |
| - | + | ||
| - | Prior to starting the tool, go to Options, Configure Symbols and set the paths to the program's, to the Microsoft Symbol Server, and to the program's source files. Start the tool, select **Launch and trace a new process**, select the process, select the directory where it will run, and let it run. You will see something similar to the screenshot below. To view the latest memory allocations, you need to double-click **Heap** in the upper-part of the screenshot, and hit F5 (refresh) from time to time. In the bottom part of the screenshot, you can view the memory allocations. If you click one and press **Heap Allocations** you can see the stack where the allocation occurred. By pressing the "Source" button, you can view the actual code for the allocation. | + | |
| - | <spoiler> | + | ==== 03. Network Monitoring ==== |
| - | {{ :ep:laboratoare:ep5_vmmap-analyze.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | == [15p] Task B - Conclusions == | + | As you probably already know, the easiest and fastest way to monitor the amount of network traffic generated by a process on a Windows operating system is through using Task Manager. |
| - | :!: :!: NON-DEMO TASK | + | However, if the process generating the network activity is unknown, we can use Windows Performance Recorder, by selecting the **Networking I/O activity** profile. After we save the capture and open it in Windows Performance Analyzer, we will observe that the information offered is for the total use of the network, rather than per process statistics. |
| - | * Provide screenshots with your output and add your explanation. | + | Due to this reason, we are calling upon another tool developed by Microsoft, more precisely **[[https://www.microsoft.com/en-us/download/details.aspx?id=4865 | Microsoft Network Monitor]]**. After we install it, start it using “Run as administrator” and select the network interface through which the traffic is expected to pass (cable, wifi, etc.), we will be able to capture the frames. |
| - | <hidden> | + | Last but not least, another well-known tool that you should already be familiar with from the Linux network monitoring lab is **[[https://www.wireshark.org/download.html | Wireshark]]**. This can be used for displaying all traffic generated on a HTTP connection (it can also be HTTPS, as long as we control the server, but this is not in the scope of this tutorial). |
| - | * It can be noticed the steep line representing the increase of our process's memory usage. This leads to the conclusion that this process is the cause of the problem since all the other ones seem stable. | + | |
| - | * So far, it was identified the process that causes problems. If this process is not written by you, you can check who is launching it. If you don't need it, you can deactivate it. If you need it, check if there are any updates to fix it. If there aren't any updates to fix the problem, you can try reporting the problem to the producer and hope they will fix it. | + | |
| - | </hidden> | + | |
| - | == 02. [30p] CPU Monitoring == | + | <note tip> |
| + | When installing **Wireshark**, mare sure to select the **64-bit** version and accept the default settings. After that, you can start it and select the interface that you want to listen to. | ||
| + | </note> | ||
| - | == Task Manager == | + | ===== Tasks ===== |
| - | Monitoring the CPU usage presents similar issues to the ones encountered when monitoring the memory usage. Task Manager can help find out the current CPU usage for a process. | + | |
| - | <spoiler> | + | <note warning> |
| - | {{ :ep:laboratoare:ep5_taskmanager-cpu.jpg?400 |}} | + | The skeleton for this lab can be found here: {{:ep:laboratoare:lab09-tasks.zip|}} |
| - | </spoiler> | + | </note> |
| - | + | ||
| - | == Windows Performance Recorder == | + | |
| - | Considering the same scenario as the one presented in the previous section: what if the CPU usage briefly spikes up and then goes back to normal, how can you catch this? Using Task Manager would mean having someone continuously watching what is happening to catch the moment when the spike occurs. Use Windows Performance Recorder, with the same settings as in the screenshot below. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wpr-cpuusagestart.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Windows Performance Analyzer == | + | |
| - | After clicking start, run CPUUsage.exe (part of the resources provided at the end of the tutorial), which generates CPU usage. Save and open the catch. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wpr-cpuusageselect.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Right-click on to the Computation area and click "Add All Calculation graphs to Analysis View". | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wpr-cpuusagegraphs.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | The graph shows the impact of CPUUsage.exe, which inflicts a 12% CPU usage. Part of the problem is solved, it was determined who is generating the CPU usage. Now, to further debug the situation, as in the previous case of the memory, if this process was not written by you, check if it is useful, and if not, make sure to stop it. If it is useful, but it's not yours, you can try to find an update to fix the problem, or report the problem to the producer. If the program is written by you (this course - Performance Evaluation - targets the processes written by us), then it is important to determine what causes this problem. Unfortunately, unlike in the case of monitoring the memory usage, there is no tool that shows the stack with the problem, so you need to create one. Open EvenimenteProcMon, which has the purpose of integrating your messages with ProcessMonitor so they can be viewed as the process unfolds. It is necessary to understand any code, not perfectly, but at least to get the big picture of what is going on. | + | |
| - | + | ||
| - | A ProcessMonitor class with 5 functions was created: | + | |
| - | + | ||
| - | * **OpenProcMon** opens up a handle for the ProcessMonitor's message interface. | + | |
| - | * **CloseProcMon** closes this handle. | + | |
| - | * **ProcMonLog** writes the message that is passed as a parameter to the ProcessMonitor interface. | + | |
| - | * **MyProcMon** is the class constructor. It is called when a MyProcMon object is declared. | + | |
| - | * **~ MyProcMon** is the class destructor. It is called to destroy the MyProcMon object. | + | |
| - | + | ||
| - | The code below highlights that it was declared globally: | + | |
| - | + | ||
| - | <code> | + | |
| - | MyProcMon __procMon; | + | |
| - | </code> | + | |
| - | + | ||
| - | This means that at the start of the process, before executing the main function, when the global variables are initialized, our class instance will be constructed along with the implicit handle for the ProcessMonitor message interface. The handle is closed when the object is destroyed, after the program's execution ends. | + | |
| - | + | ||
| - | Another class was declared, ProcMonLogFunc, with the purpose of highlighting when entering and leaving a function. This led to defining the following macro, which declares a ProcMonLogFunc object and passes it the name of the current function as a parameter. | + | |
| - | + | ||
| - | <code> | + | |
| - | #define DBGTRACE_FN_ () ProcMonLogFunc __my_log __ (__ FUNCTIONW__) | + | |
| - | </code> | + | |
| - | + | ||
| - | | Start ProcessMonitor and change the filter to ProcessName contains EvenimenteProcMon. Select the profiling button as shown below. | {{ :ep:laboratoare:ep5_butonprofiling.png?400 |}} || | + | |
| - | + | ||
| - | | Running the program, generates a Process Monitor capture like this one. | {{ :ep:laboratoare:ep5_procmon-profiling.jpg?400 |}} || | + | |
| - | + | ||
| - | Notice messages such as Output: ==> Func1 and Output: <== Func1, with the associated times for these events in the left-hand side of the screenshot, in the Time of Day column. The difference between the times (4:42:07.1848883 and 4:42:07.1848955) is 72, and since the times after the comma are expressed in hundreds of nanoseconds, this means that func1 took 7.2 microseconds. | + | |
| - | + | ||
| - | As it is inefficient to calculate by hand the times for each function, save the output in csv format (File -> Save and choose the "Comma-Separated Values" option). The generated file will look like this: | + | |
| - | + | ||
| - | <code> | + | |
| - | "4:42:07.1846936 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>main" | + | |
| - | "4:42:07.1848812 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: Acesta e logul meu 1" | + | |
| - | "4:42:07.1848883 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func1" | + | |
| - | "4:42:07.1848955 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func1" | + | |
| - | "4:42:07.1848990 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func2" | + | |
| - | "4:42:07.1849038 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func2" | + | |
| - | "4:42:07.1849069 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func3" | + | |
| - | "4:42:07.1849105 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func3" | + | |
| - | "4:42:07.1849148 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: Acesta e logul meu 2" | + | |
| - | "4:42:07.1849184 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==main" | + | |
| - | </code> | + | |
| - | + | ||
| - | Making a parser in Python would make it easy to notice in which of the functions was spent the most time. If you only want to take into account the CPU usage, you need to have logging messages before and after every I/O operation, in order to not count in their time. | + | |
| - | + | ||
| - | :!: :!: NON-DEMO TASK | + | |
| - | + | ||
| - | Integrate CPUUsage with ProcessMonitor and find out the total time spent in every function. | + | |
| - | + | ||
| - | == 03. [40p] Network Monitoring == | + | |
| - | + | ||
| - | == Task A [20p] - Go through tutorial == | + | |
| - | + | ||
| - | == Task Manager == | + | |
| - | The amount of network traffic generated by a process can be seen using Task Mananger. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_taskmanagernetworking.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Windows Performance Recorder == | + | |
| - | The resources for this tutorial include Winhttp.exe, a program that downloads putty.exe. The above screenshot displays its network activity. However, if the process generating the network activity is unknown, you can use Windows Performance Recorder with the following settings. Save and open the capture to view it. The statistics offered by Windows Performance Analyzer are for the total use of the network, rather than per process statistics. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wpr-cpustart.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Microsoft Network Monitoring == | + | |
| - | For this reason, we are calling upon another tool developed by Microsoft. Install it, start it using "Run as administrator", and select the network interface through which the traffic is expected to pass (cable, wifi, ...). You should get a capture such as this one: | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_netmon.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Wireshark == | + | |
| - | As in the case of the CPU, inspecting the events taking place on the network involves some amount of work for the analyst. However, this being a simple case, you can just expand the view on the traffic generated by Winhttp.exe, and notice the request for //putty.exe//. If it is not clear why some requests are there or why they last so long, you can integrate the application that you wish to investigate with ProcessMonitor. This way you can insert logging elements to find out what request are made and how long they take. The part with timing the requests and traffic can be determined straight from Network Monitor by considering the times of the packets. For displaying all traffic on a http connection (it can also be https as long as you control the server, but this in not in the scope of this tutorial), you can use another tool, [[https://www.wireshark.org/download.html | Wireshark]]. Install Wireshark (**64bit!!!**) accepting the default settings. Start it and select the interface that you want to listen to. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-start.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Click the //Start// button and run Winhttp.exe. After Winhttp.exe stops, click the Stop button in Wireshark. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-captura.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | This way you have obtained a traffic capture while winhttp.exe was running. Viewing the code for winhttp.exe, it can be noticed that it makes a request to www.sociouman-usamvb.ro. Use the ping command to get the IP address for this url. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_findip.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Switching back to Wireshark, add a filter for ip.addr = 86.106.30.115 (make sure to use the IP address identified using ping command). Right click Get documents and choose Follow TCP Stream. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-captura2.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | In the bottom part of the Wireshark window, at the "//Show and save data as//" option choose "Raw". Save the capture (using the "Save as" button) as "//my.pdf//". | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-rawdata.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Use Notepad++ to open the my.pdf file and remove the headers as shown in the screenshot below. | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | Save it, close Notepad++ and double-click on the newly saved file (my.pdf). | + | |
| - | + | ||
| - | <spoiler> | + | |
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata-result.jpg?400 |}} | + | |
| - | </spoiler> | + | |
| - | + | ||
| - | == Task B [20p] - Conclusions == | + | |
| - | + | ||
| - | :!: :!: NON-DEMO TASK | + | |
| - | + | ||
| - | * Follow the steps above and provide screenshots of the pdf file. | + | |
| - | + | ||
| - | <hidden> | + | |
| - | * It was possible to obtain a valid pdf file. That means that you were able to extract the conversation data from the packet exchange. This was possible due to dealing with a http communication. Otherwise, it would have been much more complicated if https was used for the communication and you would not control the server. | + | |
| - | </hidden> | + | |
| - | + | ||
| - | + | ||
| - | === 04. [10p] Feedback === | + | |
| - | + | ||
| - | :!: :!: NON-DEMO TASK | + | |
| - | + | ||
| - | * Please take a minute to fill in the **[[https://forms.gle/KHMVUhNfCPoR71Ew7 | feedback form]]** for this lab. | + | |
| - | + | ||
| - | {{ :ep:laboratoare:ep4_logo_bitd2.png?300 |}} | + | |
| {{namespace>:ep:labs:09:contents:tasks&nofooter&noeditbutton}} | {{namespace>:ep:labs:09:contents:tasks&nofooter&noeditbutton}} | ||
| - | |||
