/ Academy

WMI RPC Traffic

Share Post

Here’s a quick analysis of what the RPC traffic a collector monitoring a single “normal” Windows server (~70 WMI collection tasks) should look like, from the perspective of open/closed TCP connections for services on both the collector end and the host end.

Data Collection

On the Local Collector

  • A Windows collector that is monitoring a host with a ‘normal’ amount of WMI-collection tasks will stably maintain about 3-4 outbound on the svchost.exe process (RPC EMAP via ephemeral port on collector > 135 TCP on host) during each collection task poll cycle.
  • Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
    After this, these ephemeral port connections get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • 6-18 of these connections can pool up in a TIME_WAIT state at any given time.
  • Additionally, you may see 1-10 ephemeral local port connections > remote ephemeral port constantly maintained by sbwinproxy.exe > host’s svchost.exe.

On the Local Host

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will stably maintain about 1 connection on the svchost.exe (RPC EMAP via 135 TCP on host > ephemeral port on collector) during each collection task poll cycle.
  • Depending on the number of datasources you are monitoring, this will shoot off every 5-20 seconds or so, and should correspond to your HostStatus-idleInterval measurement.
    After this, these ephemeral port connections get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • A ‘normal’ Windows host can pool up about 6-18 of these TIME_WAIT connections at any given time.
    A
  • Additionally, you may see 1-10 ephemeral port connections port constantly maintained by svchost.exe > collector’s svchost.exe

Active Discovery 

On the Local Collector

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will generate ~10 quick svchost.exe (RPC EMAP) connections via ephemeral port > 135 TCP, and immediately get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • After several collection tasks, a steady-state is reached, and the number of ephemeral connections in TIME_WAIT state will drop to 3-4.
  • Additionally, java.exe will make an outbound connection.

On the Local Host

  • A Windows host that is being monitored with a ‘normal’ amount of WMI-collection tasks will generate ~20-30 quick svchost.exe (RPC EMAP) connections via 135 TCP > ephemeral port, and immediately get sent to a TIME_WAIT state where the connection closes gracefully after a 2 MSL timeout period.
  • After several collection tasks, a steady-state is reached, and the number of ephemeral connections in TIME_WAIT state will drop to 6-18.