Tracking the packet tracking
We just covered a couple ways to track packets in the kernel debugger. Here’s a quick reference table to help you understand how these techniques fit into your toolbelt.
| | !ndiskd.pendingnbls | !ndiskd.nbl -log |
---|---|---|
Documentation | Here | Here |
Finds “lost packets” | Yes | No |
Finds “smuggled packets” | No | Yes |
Finds use-after-free | No | Yes |
Loses data if ringbuffer wraps around | No | Yes |
Number of historical events recorded | 1 | Many (depends on size of ringbuffer) |
Records NBL ownership | Yes | Yes |
Records NBL allocation/free | No | Yes |
Records NBL clone/fragment | No | Yes |
CPU performance impact | Negligible | Approx 3x CPU usage |
Memory footprint impact | None | 32kb – 32mb, depending on RAM size |
Enabled by default on client SKU | Yes | No |
Enabled by default on server SKU | No | No |
Enabled when TrackNblOwner is at least... | 1 | 3 |
Minimum operating system version | Windows 7 SP1 or Windows Server 2008 R2 SP1 | Windows 8 or Windows Server 2012 |