Here’s a quick analysis of what the RPC traffic between a collector and a single “normal” Windows server (~70 WMI collection tasks) should look like, in terms of open and closed TCP connections for services on both the collector end and the host end.
Data Collection
On the Local Collector
- A Windows collector that is monitoring a host with a ‘normal’ amount of WMI-collection tasks will stably maintain about 3-4 outbound connections on the svchost.exe process (RPC EMAP via an ephemeral port on the collector > 135 TCP on the host) during each collection task poll cycle.
- Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
- After this, these ephemeral port connections get sent to a TIME_WAIT state, where the connection closes gracefully after a 2 MSL timeout period.
- 6-18 of these connections can pool up in a TIME_WAIT state at any given time.
- Additionally, you may see 1-10 connections from local ephemeral ports > remote ephemeral ports constantly maintained by sbwinproxy.exe > the host’s svchost.exe.
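As an added example (not part of the original article), the PowerShell below snapshots the collector’s TCP connections to one monitored host, splits them into EPMAP (135) and ephemeral-port connections by process and state, and flags counts outside the steady-state ranges listed above. It assumes a Windows collector with Get-NetTCPConnection available; the host address in the usage line is a constructed placeholder.

```powershell
# Added example: compare a collector's live RPC/WMI connection counts to one
# monitored host against the steady-state ranges described in the article.
function Get-CollectorRpcSnapshot {
    param(
        [Parameter(Mandatory)][string]$MonitoredHost,  # IP of the monitored host
        [int]$EpmPort = 135                            # RPC endpoint mapper port
    )
    # Every TCP connection from this collector to the monitored host, any port.
    $conns = Get-NetTCPConnection -RemoteAddress $MonitoredHost -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        # TIME_WAIT sockets are no longer owned by a process; OwningProcess is 0.
        $proc = if ($c.OwningProcess -gt 0) {
            (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } else { '(none)' }
        [pscustomobject]@{
            Process    = $proc
            State      = $c.State
            RemotePort = $c.RemotePort
            # EPMAP = the collector ephemeral port > host 135 connections;
            # Ephemeral = the follow-on ephemeral > ephemeral connections.
            Kind       = if ($c.RemotePort -eq $EpmPort) { 'EPMAP' } else { 'Ephemeral' }
        }
    }
}

function Test-CollectorRpcBaseline {
    param([Parameter(Mandatory)][string]$MonitoredHost)
    $snap = @(Get-CollectorRpcSnapshot -MonitoredHost $MonitoredHost)
    $epmEst  = @($snap | Where-Object { $_.Kind -eq 'EPMAP' -and $_.State -eq 'Established' }).Count
    $epmTw   = @($snap | Where-Object { $_.Kind -eq 'EPMAP' -and $_.State -eq 'TimeWait' }).Count
    $ephEst  = @($snap | Where-Object { $_.Kind -eq 'Ephemeral' -and $_.State -eq 'Established' }).Count
    # Ranges from the article: 3-4 EPMAP established, 6-18 EPMAP TIME_WAIT,
    # 1-10 ephemeral > ephemeral connections held open (sbwinproxy.exe).
    [pscustomobject]@{
        Host                 = $MonitoredHost
        EpmapEstablished     = $epmEst
        EpmapEstablishedOk   = ($epmEst -le 4)
        EpmapTimeWait        = $epmTw
        EpmapTimeWaitOk      = ($epmTw -le 18)
        EphemeralEstablished = $ephEst
        EphemeralOk          = ($ephEst -le 10)
        Detail               = ($snap | Group-Object Kind, State, Process |
                                Select-Object Name, Count)
    }
}

# Usage (constructed address; replace with a real monitored host):
# Test-CollectorRpcBaseline -MonitoredHost '10.0.0.25' | Format-List
```

Sample the snapshot a few times across a poll cycle rather than once, since the counts described above swing between the burst and the TIME_WAIT drain within each 5-20 second interval.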
On the Local Host
- A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will stably maintain about 1 connection on svchost.exe (RPC EMAP via 135 TCP on the host > an ephemeral port on the collector) during each collection task poll cycle.
- Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
- After this, these ephemeral port connections get sent to a TIME_WAIT state, where the connection closes gracefully after a 2 MSL timeout period.
- A ‘normal’ Windows host can pool up about 6-18 of these TIME_WAIT connections at any given time.
- Additionally, you may see 1-10 ephemeral port connections constantly maintained by svchost.exe > the collector’s svchost.exe.
Active Discovery
On the Local Collector
- A Windows collector that is monitoring a host with a ‘normal’ amount of WMI-collection tasks will generate ~10 quick svchost.exe (RPC EMAP) connections via ephemeral port > 135 TCP, which immediately get sent to a TIME_WAIT state, where the connection closes gracefully after a 2 MSL timeout period.
- After several collection tasks, a steady state is reached, and the number of ephemeral connections in the TIME_WAIT state will drop to 3-4.
- Additionally, java.exe will make an outbound connection.
On the Local Host
- A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will generate ~20-30 quick svchost.exe (RPC EMAP) connections via 135 TCP > ephemeral port, which immediately get sent to a TIME_WAIT state, where the connection closes gracefully after a 2 MSL timeout period.
- After several collection tasks, a steady state is reached, and the number of ephemeral connections in the TIME_WAIT state will drop to 6-18.