Differences
This shows you the differences between two versions of the page.
|
ep:labs:09 [2021/12/04 09:49] andrei.mirciu |
ep:labs:09 [2021/12/05 13:57] (current) andrei.mirciu [Tasks] |
||
|---|---|---|---|
| Line 28: | Line 28: | ||
| If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | ||
| </note> | </note> | ||
| + | |||
| + | ===== Proof of Work ===== | ||
| + | |||
| + | Before you start, create a [[http://docs.google.com/|Google Doc]]. Here, you will add screenshots / code snippets / comments for each exercise. Whatever you decide to include, it must prove that you managed to solve the given task (so don't show just the output, but how you obtained it and what conclusion can be drawn from it). If you decide to complete the feedback for bonus points, include a screenshot with the form submission confirmation, but not with its contents. | ||
| + | |||
| + | When done, export the document as a //pdf// and upload in the appropriate assignment on Moodle. Remember, the cut-off time is 15 minutes after the lab ends. | ||
| ===== Contents ===== | ===== Contents ===== | ||
| Line 81: | Line 87: | ||
| Following the steps below, we can highlight how such a situation should be treated: | Following the steps below, we can highlight how such a situation should be treated: | ||
| - | ^ Part 1: Emphasize the CPU usage of a program ^^ | + | ^ Emphasize the CPU usage of a program ^^ |
| | **1.** Run, in parallel with the Windows Performance Recorder application, a program that generates CPU usage for a while and then stops. || | | **1.** Run, in parallel with the Windows Performance Recorder application, a program that generates CPU usage for a while and then stops. || | ||
| | **2.** Save the capture and open it in Windows Performance Analyzer. || | | **2.** Save the capture and open it in Windows Performance Analyzer. || | ||
| Line 93: | Line 99: | ||
| ==== 03. Network Monitoring ==== | ==== 03. Network Monitoring ==== | ||
| - | As you probably already know, the easiest and fastest way to monitor the amount of network traffic generated by a process can be done using Task Manager. | + | As you probably already know, the easiest and fastest way to monitor the amount of network traffic generated by a process on a Windows operating system is through using Task Manager. |
| - | == Windows Performance Recorder == | + | However, if the process generating the network activity is unknown, we can use Windows Performance Recorder, by selecting the **Networking I/O activity** profile. After we save the capture and open it in Windows Performance Analyzer, we will observe that the information offered is for the total use of the network, rather than per process statistics. |
| - | The resources for this tutorial include Winhttp.exe, a program that downloads putty.exe. The above screenshot displays its network activity. However, if the process generating the network activity is unknown, you can use Windows Performance Recorder with the following settings. Save and open the capture to view it. The statistics offered by Windows Performance Analyzer are for the total use of the network, rather than per process statistics. | + | |
| - | <spoiler> | + | Due to this reason, we are calling upon another tool developed by Microsoft, more precisely **[[https://www.microsoft.com/en-us/download/details.aspx?id=4865 | Microsoft Network Monitor]]**. After we install it, start it using “Run as administrator” and select the network interface through which the traffic is expected to pass (cable, wifi, etc.), we will be able to capture the frames. |
| - | {{ :ep:laboratoare:ep5_wpr-cpustart.jpg?400 |}} | + | |
| - | </spoiler> | + | Last but not least, another well-known tool that you should already be familiar with from the Linux network monitoring lab is **[[https://www.wireshark.org/download.html | Wireshark]]**. This can be used for displaying all traffic generated on a HTTP connection (it can also be HTTPS, as long as we control the server, but this is not in the scope of this tutorial). |
| + | |||
| + | <note tip> | ||
| + | When installing **Wireshark**, mare sure to select the **64-bit** version and accept the default settings. After that, you can start it and select the interface that you want to listen to. | ||
| + | </note> | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| <note warning> | <note warning> | ||
| - | The password for {{:ep:laboratoare:logs2.zip | log2.zip}} and {{:ep:labs:build.zip | build.zip}} is: //parola// | + | The skeleton for this lab can be found here: {{:ep:laboratoare:lab09-tasks.zip|}} |
| </note> | </note> | ||
| {{namespace>:ep:labs:09:contents:tasks&nofooter&noeditbutton}} | {{namespace>:ep:labs:09:contents:tasks&nofooter&noeditbutton}} | ||
| - | |||
| - | ==== 01. [30p] RAM Monitoring ==== | ||
| - | |||
| - | Using Windows Performance Recorder, run a program that allocates 1MB of memory every 100 milliseconds for a while and then stops. After the program stops, save the capture, open it in Windows Performance Analyzer and analyze the Virtual Memory Snapshots graph. What conclusion can we draw by looking at the memory usage of the process that is running our program? | ||
| - | |||
| - | Using VMMap, inspect the memory spikes generated by running the same program. | ||
| - | |||
| - | After installing, it requires including the //vld.h// file. When writing the code, the following functions need to be overwritten: malloc, free, new, and delete. This allows each memory allocation and deallocation to be tracked. All the detected leakages (having an allocation that is not followed by a deallocation) will be saved in a log file that can be viewed after the program stops running. In the bottom part of the screenshot shown below, it can be noticed where the allocation took place and that it is not followed by a deallocation. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_visualstudio-vld.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | <hidden> | ||
| - | * It can be noticed the steep line representing the increase of our process's memory usage. This leads to the conclusion that this process is the cause of the problem since all the other ones seem stable. | ||
| - | * So far, it was identified the process that causes problems. If this process is not written by you, you can check who is launching it. If you don't need it, you can deactivate it. If you need it, check if there are any updates to fix it. If there aren't any updates to fix the problem, you can try reporting the problem to the producer and hope they will fix it. | ||
| - | </hidden> | ||
| - | |||
| - | ==== 02. [30p] CPU Monitoring ==== | ||
| - | |||
| - | Open EvenimenteProcMon, which has the purpose of integrating your messages with Process Monitor, so these can be viewed as the process unfolds. It is necessary to understand any code, not perfectly, but at least to get the big picture of what is going on. | ||
| - | |||
| - | A ProcessMonitor class with 5 functions was created: | ||
| - | |||
| - | * **OpenProcMon** opens up a handle for the Process Monitor's message interface. | ||
| - | * **CloseProcMon** closes this handle. | ||
| - | * **ProcMonLog** writes the message that is passed as a parameter to the Process Monitor interface. | ||
| - | * **MyProcMon** is the class constructor. It is called when a MyProcMon object is declared. | ||
| - | * **~ MyProcMon** is the class destructor. It is called to destroy the MyProcMon object. | ||
| - | |||
| - | The code below highlights that it was declared globally: | ||
| - | |||
| - | <code> | ||
| - | MyProcMon __procMon; | ||
| - | </code> | ||
| - | |||
| - | This means that at the start of the process, before executing the main function, when the global variables are initialized, our class instance will be constructed along with the implicit handle for the Process Monitor message interface. The handle is closed when the object is destroyed, after the program's execution ends. | ||
| - | |||
| - | Another class was declared, ProcMonLogFunc, with the purpose of highlighting when entering and leaving a function. This led to defining the following macro, which declares a ProcMonLogFunc object and passes it the name of the current function as a parameter. | ||
| - | |||
| - | <code> | ||
| - | #define DBGTRACE_FN_ () ProcMonLogFunc __my_log __ (__ FUNCTIONW__) | ||
| - | </code> | ||
| - | |||
| - | :!: Start Process Monitor and change the filter to **ProcessName contains EvenimenteProcMon**. Select the profiling button as shown below: | ||
| - | |||
| - | {{ :ep:laboratoare:ep5_butonprofiling.png?400 |}} | ||
| - | |||
| - | After running the program, the Process Monitor tool will generate a capture containing multiple details. We should notice messages such as Output: ==> Func1 and Output: <== Func1, with the associated timestamps for these events in the Time of Day column. The difference between these times indicates how long the execution took for Func1, expressed in hundreds of nanoseconds. | ||
| - | |||
| - | As it is inefficient to calculate by hand the times for each function, we can save the output in a .csv format, by going to File -> Save and choosing the "Comma-Separated Values" option. The generated file will look like this: | ||
| - | |||
| - | <code> | ||
| - | "4:42:07.1846936 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>main" | ||
| - | "4:42:07.1848812 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: Acesta e logul meu 1" | ||
| - | "4:42:07.1848883 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func1" | ||
| - | "4:42:07.1848955 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func1" | ||
| - | "4:42:07.1848990 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func2" | ||
| - | "4:42:07.1849038 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func2" | ||
| - | "4:42:07.1849069 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: ==>Func3" | ||
| - | "4:42:07.1849105 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==Func3" | ||
| - | "4:42:07.1849148 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: Acesta e logul meu 2" | ||
| - | "4:42:07.1849184 PM","EvenimenteProcMon.exe","6352","Debug Output Profiling","","","Output: <==main" | ||
| - | </code> | ||
| - | |||
| - | :!: Create a simple parser in Python to find out easier the total time spent in every function. If you only want to take into account the CPU usage, you need to have logging messages before and after every I/O operation, in order to not count in their time. | ||
| - | |||
| - | ==== 03. [40p] Network Monitoring ==== | ||
| - | |||
| - | == Microsoft Network Monitoring == | ||
| - | For this reason, we are calling upon another tool developed by Microsoft. Install it, start it using "Run as administrator", and select the network interface through which the traffic is expected to pass (cable, wifi, ...). You should get a capture such as this one: | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_netmon.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | == Wireshark == | ||
| - | As in the case of the CPU, inspecting the events taking place on the network involves some amount of work for the analyst. However, this being a simple case, you can just expand the view on the traffic generated by Winhttp.exe, and notice the request for //putty.exe//. If it is not clear why some requests are there or why they last so long, you can integrate the application that you wish to investigate with ProcessMonitor. This way you can insert logging elements to find out what request are made and how long they take. The part with timing the requests and traffic can be determined straight from Network Monitor by considering the times of the packets. For displaying all traffic on a http connection (it can also be https as long as you control the server, but this in not in the scope of this tutorial), you can use another tool, [[https://www.wireshark.org/download.html | Wireshark]]. Install Wireshark (**64bit!!!**) accepting the default settings. Start it and select the interface that you want to listen to. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-start.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | Click the //Start// button and run Winhttp.exe. After Winhttp.exe stops, click the Stop button in Wireshark. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-captura.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | This way you have obtained a traffic capture while winhttp.exe was running. Viewing the code for winhttp.exe, it can be noticed that it makes a request to www.sociouman-usamvb.ro. Use the ping command to get the IP address for this url. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_findip.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | Switching back to Wireshark, add a filter for ip.addr = 86.106.30.115 (make sure to use the IP address identified using ping command). Right click Get documents and choose Follow TCP Stream. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-captura2.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | In the bottom part of the Wireshark window, at the "//Show and save data as//" option choose "Raw". Save the capture (using the "Save as" button) as "//my.pdf//". | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-rawdata.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | Use Notepad++ to open the my.pdf file and remove the headers as shown in the screenshot below. | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | Save it, close Notepad++ and double-click on the newly saved file (my.pdf). | ||
| - | |||
| - | <spoiler> | ||
| - | {{ :ep:laboratoare:ep5_wireshark-extractdata-result.jpg?400 |}} | ||
| - | </spoiler> | ||
| - | |||
| - | <hidden> | ||
| - | * It was possible to obtain a valid pdf file. That means that you were able to extract the conversation data from the packet exchange. This was possible due to dealing with a http communication. Otherwise, it would have been much more complicated if https was used for the communication and you would not control the server. | ||
| - | </hidden> | ||
| - | |||
| - | |||
| - | ==== 04. [10p] Feedback ==== | ||
| - | |||
| - | :!: **Please take a minute to fill in the** [[https://forms.gle/KHMVUhNfCPoR71Ew7 | feedback form]] **for this lab**. | ||
| - | |||
| - | {{ :ep:laboratoare:ep4_logo_bitd2.png?300 |}} | ||
| - | |||
