Tracking the packet tracking
We just covered a couple ways to track packets in the kernel debugger. Here’s a quick reference table to help you understand how these techniques fit into your toolbelt.
| !ndiskd.pendingnbls | !ndiskd.nbl -log | |
|---|---|---|
| Documentation | Here | Here |
| Finds “lost packets” | Yes | No |
| Finds “smuggled packets” | No | Yes |
| Finds use-after-free | No | Yes |
| Loses data if ringbuffer wraps around | No | Yes |
| Number of historical events recorded | 1 | Many (depends on size of ringbuffer) |
| Records NBL ownership | Yes | Yes |
| Records NBL allocation/free | No | Yes |
| Records NBL clone/fragment | No | Yes |
| CPU performance impact | Negligible | Approx 3x CPU usage |
| Memory footprint impact | None | 32kb – 32mb, depending on RAM size |
| Enabled by default on client SKU | Yes | No |
| Enabled by default on server SKU | No | No |
| Enabled when TrackNblOwner is at least... | 1 | 3 |
| Minimum operating system version | Windows 7 SP1 or Windows Server 2008 R2 SP1 | Windows 8 or Windows Server 2012 |