how to count bytes sent and received per TCP connection (system-wide)?

Tags: windows


All, I have basically fully reversed tcpview 3.0.2 and implemented the same feature according to what I have learnt.

tcpview uses ETW for monitoring network activity.

The key APIs are StartTrace, OpenTrace, ProcessTrace.

Use KERNEL_LOGGER_NAME and enable the EVENT_TRACE_FLAG_NETWORK_TCPIP flag.

Then you can retrieve network activity data from EventCallback and parse it as TcpIp_TypeGroup1 and other structures. According to the documentation, these structures are only supported from Vista. However, you can call and use them on XP (guessed from reversing) and 2003 (my environment is 2003; not tested on XP). Certainly you have to define all these structures yourself.

From Vista, Windows provides some APIs for retrieving statistics for every connection, such as GetPerTcpConnectionEStats and GetPerUdpConnectionEStats; you can get more details from MSDN.

Also, from Vista, you can use a RAW socket to do the same work (more precise, I think). Before Vista, a RAW socket can't retrieve SENT packets, which is a pity.


I want to implement this function too, so I reversed tcpview 3.0.2.

I found that tcpview uses a WMI performance counter, MSNT_TcpIpInformation.

But MSNT_TcpIpInformation is not officially supported on XP and 2003.

Here is the description you can refer to: http://www.scriptinternals.com/new/us/support/Internal/WMI_MSNT_TcpIpInformation.htm

By the way, MSNT_TcpIpInformation has no information about packets, so tcpview just increments sent and received packets every time. Here is the disassembly:

CPU Disasm
Address   Hex dump          Command                                           Comments
0040B41B  |.  83E8 02       SUB EAX,2                                         ; Switch (cases 2..3, 3 exits)
0040B41E  |.  74 29         JE SHORT 0040B449
0040B420  |.  83E8 01       SUB EAX,1
0040B423  |.  75 40         JNE SHORT 0040B465
0040B425  |.  8B57 1C       MOV EDX,DWORD PTR DS:[EDI+1C]                     ; Case 3 of switch Tcpview.40B41B
0040B428  |.  0196 90060000 ADD DWORD PTR DS:[ESI+690],EDX
0040B42E  |.  119E 94060000 ADC DWORD PTR DS:[ESI+694],EBX
0040B434  |.  8386 C0060000 ADD DWORD PTR DS:[ESI+6C0],1
0040B43B  |.  119E C4060000 ADC DWORD PTR DS:[ESI+6C4],EBX
0040B441  |.  5E            POP ESI
0040B442  |.  5F            POP EDI
0040B443  |.  5D            POP EBP
0040B444  |.  5B            POP EBX
0040B445  |.  83C4 3C       ADD ESP,3C
0040B448  |.  C3            RETN
0040B449  |>  8B47 1C       MOV EAX,DWORD PTR DS:[EDI+1C]                     ; Case 2 of switch Tcpview.40B41B
0040B44C  |.  0186 78060000 ADD DWORD PTR DS:[ESI+678],EAX
0040B452  |.  119E 7C060000 ADC DWORD PTR DS:[ESI+67C],EBX
0040B458  |.  8386 A8060000 ADD DWORD PTR DS:[ESI+6A8],1
0040B45F  |.  119E AC060000 ADC DWORD PTR DS:[ESI+6AC],EBX
0040B465  |>  5E            POP ESI                                           ; Default case of switch Tcpview.40B41B
0040B466  |.  5F            POP EDI
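The consumer-side half of what the first answer describes (parsing TcpIp_TypeGroup1 out of EventCallback) together with the per-connection byte and packet counters the listing above shows tcpview maintaining, written as an added example in C; it is not tcpview's code and not from either answer. It assumes the 32-bit IPv4 MOF layout (PID, size, daddr, saddr, dport, sport, seqnum, connid), a little-endian host, and that `process_tcpip_event` is handed the opcode and MofData buffer by your own EventCallback; the ETW session setup (StartTrace/OpenTrace/ProcessTrace) is not shown, and `build_tcpip_payload` only fabricates records for testing, it is not a captured trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TcpIp event opcodes (EVENT_TRACE_HEADER.Class.Type), values as in evntrace.h. */
#define EVENT_TRACE_TYPE_SEND     10
#define EVENT_TRACE_TYPE_RECEIVE  11
#define EVENT_TRACE_TYPE_CONNECT  12

/* TcpIp_TypeGroup1 (IPv4, 32-bit build) declared by hand, as the first answer says you must
 * on XP/2003; field order follows the MOF class on MSDN. x64's pointer-sized connid: assumption, not handled. */
typedef struct {
    uint32_t PID, size;       /* owning process; bytes moved by this send or receive */
    uint32_t daddr, saddr;    /* destination and source IPv4 address, network byte order */
    uint16_t dport, sport;    /* destination and source port, network byte order */
    uint32_t seqnum, connid;  /* TCP sequence number; kernel connection identifier */
} TcpIp_TypeGroup1;
_Static_assert(sizeof(TcpIp_TypeGroup1) == 28, "unexpected TcpIp_TypeGroup1 layout");

typedef struct { uint32_t addr; uint16_t port; } Endpoint;

/* One row per (pid, endpoint pair); 64-bit counters, like the ADD/ADC pairs in the listing. */
typedef struct {
    int      in_use;
    uint32_t pid;
    Endpoint a, b;    /* stored in sorted order, see canon() */
    uint64_t bytes_sent, bytes_recv, pkts_sent, pkts_recv;
} ConnStats;

#define MAX_CONNS 256
static ConnStats g_conns[MAX_CONNS];

/* Little-endian host helpers producing the wire-order integers the events carry. */
#define IP4(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
#define NBO16(p)        ((uint16_t)((((p) & 0xff) << 8) | (((p) >> 8) & 0xff)))

static int ep_less(Endpoint x, Endpoint y) { return x.addr < y.addr || (x.addr == y.addr && x.port < y.port); }
/* Sort the pair so a connection lands in one row whether an event names it local->remote
 * or remote->local (assumption: the provider may do either depending on direction). */
static void canon(Endpoint *x, Endpoint *y) { if (ep_less(*y, *x)) { Endpoint t = *x; *x = *y; *y = t; } }
void reset_conns(void) { memset(g_conns, 0, sizeof g_conns); }

static ConnStats *find_conn(uint32_t pid, Endpoint x, Endpoint y, int create)
{
    ConnStats *spare = NULL;
    canon(&x, &y);
    for (int i = 0; i < MAX_CONNS; i++) {
        ConnStats *c = &g_conns[i];
        if (!c->in_use) { if (!spare) spare = c; continue; }
        if (c->pid == pid && c->a.addr == x.addr && c->a.port == x.port &&
            c->b.addr == y.addr && c->b.port == y.port) return c;
    }
    if (!create || !spare) return NULL;  /* table full: drop the event, never overflow */
    spare->in_use = 1; spare->pid = pid; spare->a = x; spare->b = y;
    return spare;
}

const ConnStats *lookup_conn(uint32_t pid, uint32_t addr1, uint16_t port1, uint32_t addr2, uint16_t port2)
{
    Endpoint x = { addr1, port1 }, y = { addr2, port2 };
    return find_conn(pid, x, y, 0);
}

/* Feed one EventCallback event (opcode + MofData). Returns 1 if counted, 0 if ignored (other opcode or short payload). */
int process_tcpip_event(uint8_t opcode, const void *mof, size_t mof_len)
{
    if (opcode != EVENT_TRACE_TYPE_SEND && opcode != EVENT_TRACE_TYPE_RECEIVE) return 0;
    if (mof_len < sizeof(TcpIp_TypeGroup1)) return 0;  /* never read past the buffer */
    TcpIp_TypeGroup1 e;
    memcpy(&e, mof, sizeof e);                          /* sidesteps alignment and aliasing */
    Endpoint x = { e.saddr, e.sport }, y = { e.daddr, e.dport };
    ConnStats *c = find_conn(e.PID, x, y, 1);
    if (!c) return 0;
    if (opcode == EVENT_TRACE_TYPE_SEND) { c->bytes_sent += e.size; c->pkts_sent++; }
    else                                 { c->bytes_recv += e.size; c->pkts_recv++; }
    return 1;
}

/* Lay out a payload as the logger does on a little-endian host (constructed demo data, not a captured trace). */
size_t build_tcpip_payload(uint8_t *buf, uint32_t pid, uint32_t size,
                           uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport)
{
    TcpIp_TypeGroup1 e = { pid, size, daddr, saddr, dport, sport, 0, 0 };
    memcpy(buf, &e, sizeof e);
    return sizeof e;
}

int main(void)
{
    uint8_t buf[64];
    reset_conns();
    size_t n = build_tcpip_payload(buf, 1234, 1500, IP4(10,0,0,5), NBO16(49152), IP4(93,184,216,34), NBO16(80));
    process_tcpip_event(EVENT_TRACE_TYPE_SEND, buf, n);
    n = build_tcpip_payload(buf, 1234, 4096, IP4(93,184,216,34), NBO16(80), IP4(10,0,0,5), NBO16(49152));
    process_tcpip_event(EVENT_TRACE_TYPE_RECEIVE, buf, n);  /* reversed endpoints, same row */
    const ConnStats *c = lookup_conn(1234, IP4(10,0,0,5), NBO16(49152), IP4(93,184,216,34), NBO16(80));
    if (c) printf("pid %u: sent %llu B, recv %llu B\n", c->pid, (unsigned long long)c->bytes_sent, (unsigned long long)c->bytes_recv);
    return 0;
}
```

To wire it into a real consumer, call process_tcpip_event(pEvent->Header.Class.Type, pEvent->MofData, pEvent->MofLength) from the callback you register in EVENT_TRACE_LOGFILE.EventCallback before ProcessTrace. The length check matters because the kernel logger can deliver other TcpIp event types with different payload sizes on the same provider; the sorted endpoint pair is an assumption that keeps both directions of one connection in a single row whatever order saddr/daddr arrive in.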


Check the WinSock LSP Sample project at http://connect.microsoft.com/WNDP/Downloads

You will find a sample in nonifslsp\sockinfo.cpp which "illustrates how to develop a layered service provider that is capable of counting all bytes transmitted through a TCP/IP socket."