/ Academy

WMI RPC Traffic

Here’s a quick analysis of what the RPC traffic a collector monitoring a single “normal” Windows server (~70 WMI collection tasks) should look like, from the perspective of open/closed TCP connections for services on both the collector end and the host end.

Data Collection

On the Local Collector

  • A Windows collector that is monitoring a host with a ‘normal’ amount of WMI-collection tasks will stably maintain about 3-4 outbound on the svchost.exe process (RPC EMAP via ephemeral port on collector > 135 TCP on host) during each collection task poll cycle.
  • Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
    After this, these ephemeral port connections get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • 6-18 of these connections can pool up in a TIME_WAIT state at any given time.
  • Additionally, you may see 1-10 ephemeral local port connections > remote ephemeral port constantly maintained by sbwinproxy.exe > host’s svchost.exe.

On the Local Host

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will stably maintain about 1 connection on the svchost.exe (RPC EMAP via 135 TCP on host > ephemeral port on collector) during each collection task poll cycle.
  • Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
    After this, these ephemeral port connections get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • A ‘normal’ Windows host can pool up about 6-18 of these TIME_WAIT connections at any given time.
    A
  • Additionally, you may see 1-10 ephemeral port connections port constantly maintained by svchost.exe > collector’s svchost.exe

Active Discovery 

On the Local Collector

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will generate ~10 quick svchost.exe (RPC EMAP) connections via ephemeral port > 135 TCP, and immediately get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • After several collection tasks, a steady-state is reached, and the number of ephemeral connections in TIME_WAIT state will drop to 3-4.
  • Additionally, java.exe will make an outbound connection.

On the Local Host

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will generate ~20-30 quick svchost.exe (RPC EMAP) connections via 135 TCP > ephemeral port, and immediately get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • After several collection tasks, a steady-state is reached, and the number of ephemeral connections in TIME_WAIT state will drop to 6-18.

More from LogicBlog

How LM Cares Is Supporting LogicMonitor’s R+DEI Initiatives
Blog / 01.19.21
How LM Cares Is Supporting LogicMonitor’s R+DEI Initiatives

LM Cares focuses on external outreach and internally supporting our LMers and our Respect, Diversity, Equity and Inclusion initiatives. See how!
What is SNMP and How Does It Work?
Blog / 01.15.21
What Is SNMP and How Does It Work?

SNMP is mainly used for the collection of data about devices, and is supported on most network equipment. Learn more about SNMP and how it works!
2020 in Review: LogicMonitor Product Advancements
Engineering / 01.12.21
2020 in Review: LogicMonitor Product Advancements

LogicMonitor had 16 product releases in 2020. Learn more about the notable capabilities that were released to advance our observability platform!
View all

Let's talk shop, shall we?

Get started