IIS Log And Network Monitor Log Mapping Tips

You may already know that the IIS log is a valuable source when troubleshooting problems, and you probably also know that a Network Monitor log is another priceless piece of evidence. Combining the two is both an interesting and a tough challenge, but it can give you more information about how IIS handles incoming requests and sends out responses.

In this post, we shall analyze how HTTP GET and POST operations are realized by IIS and your web client.

HTTP GET

You may come across the following IIS log entry for a GET operation:

---- GET /test.aspx user=lexli&pass=test ----

It is easy to see that the client tries to send some data to IIS via a query string “user=lexli&pass=test”.

If you have a Network Monitor log for this operation, you will see two corresponding packets:

  • a GET request from client to IIS.
  • a response from IIS to client.

So here is the first point you must understand. The IIS log entry for GET actually maps to two HTTP packets.

HTTP POST

What about such an IIS log entry? What data does it contain?

---- POST /test.aspx - ----

This time the query string is blank, and the data is sent to IIS in a different way.

In this case we must look for the data in the Network Monitor log, where we see three packets:

  • a POST request from client to IIS. (at time A)
  • an HTTP payload packet from client to IIS.
  • a response from IIS to client. (at time B)

It is easy to find data in the payload packet.
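
As an added example (not part of the original post), the Python code below parses W3C-format IIS log text and reports which entries carry sensitive parameter names in the query string, as the GET entry above does, and which POST entries have their data only in the Network Monitor capture. The sample log lines, the chosen fields, and the list of sensitive parameter names are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Parameter names treated as sensitive (assumption; extend for your application).
SENSITIVE = {"pass", "password", "pwd", "token", "secret", "apikey"}

# Constructed sample in IIS W3C extended format; not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-01-15 09:13:14 GET /test.aspx user=lexli&pass=test 192.0.2.10 200
2008-01-15 09:13:20 POST /test.aspx - 192.0.2.10 200
2008-01-15 09:13:31 GET /default.aspx - 192.0.2.11 200
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def find_logged_secrets(text):
    """Entries whose query string carries sensitive parameter names.
    Only the names are returned, so the report does not repeat the values."""
    hits = []
    for e in parse_w3c(text):
        query = e.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" for an empty field
            continue
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                 if k.lower() in SENSITIVE]
        if names:
            hits.append((e.get("date"), e.get("time"), e.get("cs-method"),
                         e.get("cs-uri-stem"), names))
    return hits

def body_only_requests(text):
    """POST entries with an empty query string: any data they carried is in
    the payload packet of the capture, not in the IIS log."""
    return [(e.get("time"), e.get("cs-uri-stem")) for e in parse_w3c(text)
            if e.get("cs-method") == "POST" and e.get("cs-uri-query") == "-"]

if __name__ == "__main__":
    for hit in find_logged_secrets(SAMPLE_LOG):
        print("sensitive parameter in query string:", hit)
    print("look in the capture for:", body_only_requests(SAMPLE_LOG))
```
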

IIS Log Entry Date/Time Fields

It is quite interesting to notice that no matter how long your page/handler takes to process the request, the relevant IIS log entry always places the request incoming time in the date/time fields.

So if you use the following filter in Network Monitor to pick out IIS responses, where 09:13:14 is the time field of the relevant IIS log entries,

HTTP.Response.HeaderFields.Date.contains(" Thu, 15 Jan 2008 09:13:14")

you may not locate the response packets, simply because the responses were sent later than that time.

Conclusion

You can learn more about the communication between the clients and the IIS server if you can successfully map IIS log entries to Network Monitor log entries. This post is just a start, so please dive in yourself.