L

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Sometimes we need to analyze the last activity before Significant Event or Discontinuity. By this pattern, we mean a loose semantic collection of messages before process exit, for example. It may give some clues to further troubleshooting. In one incident, a process was suddenly exiting. Its detailed trace did not have any messages explaining that probably due to insufficient tracing coverage (Sparse Trace). Fortunately, a different external trace (from Process Monitor) was collected (Inter-Correlation), and it had LDAP network communication messages just before the thread and process exit events.

Layered Periodization

We borrowed this pattern name from historiography. This periodization⁷⁵ of software trace and log messages include individual messages, then aggregated messages from threads, then processes as wholes, and finally, individual computers (in a client-server or similar sense). We can better illustrate this graphically.

Message layer:

Thread layer (different colors correspond to different TID):

Process layer (different colors correspond to different PID):

Please note that it is also possible to have a periodization based on modules, functions, and individual messages, but it may be complicated because different threads can enter the same module or function. Here other patterns are more appropriate like Activity Region, Characteristic Message Block, and Background and Foreground Components.

Linked Messages

Sometimes we have Linked Messages through some common parameter or attribute. We can find one such example in ETW traces related to kernel process creation notifications. Here we got Adjoint Thread for module PIDNotify:

# Module PID TID Time Message
[...]
128762 PIDNotify 1260 6208 15:53:15.691 Create: ParentID 0x000004EC PID 0×000018D4
[...]
128785 PIDNotify 6356 6388 15:53:15.693 Load: ImageName DeviceHarddiskVolume1WindowsSystem32abscript.exe PID 0×000018D4
[...]
131137 PIDNotify 6356 4568 15:53:15.936 Create: ParentID 0×000018D4 PID 0×00001888
[...]
131239 PIDNotify 6280 6376 15:53:15.958 Load: ImageName DeviceHarddiskVolume1WindowsSystem32wscript.exe PID 0×00001888
[...]
132899 PIDNotify 6356 5704 15:53:16.462 Create: ParentID 0×000018D4 PID 0×00001FD0
[...]
132906 PIDNotify 8144 7900 15:53:16.464 Load: ImageName DeviceHarddiskVolume1WindowsSystem32cmd.exe PID 0×00001FD0
[...]

We see that messages 128762 and 128785 are linked by PID parameter and linked to messages 131137 and 132899 by PID - ParentID parameter relationship. Similar linkages exist for messages 131137 / 131239 and 132899 / 132906.

The following diagram illustrates this analysis pattern:

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for L

Create new playlist

Sign In

Sign Up

Table of Contents for
L