I want to implement this function also, so I reverse tcpview 3.0.2.

我也想实现这个功能，所以我逆向了tcpview 3.0.2。

I found, tcpview use a WMI performance counter MSNT_TcpIpInformation.

我发现，tcpview 使用 WMI 性能计数器 MSNT_TcpIpInformation。

But MSNT_TcpIpInformation is not supported in xp and 2003 officially.

但是在 xp 和 2003 中正式不支持 MSNT_TcpIpInformation。

here is the description, you can reference to. http://www.scriptinternals.com/new/us/support/Internal/WMI_MSNT_TcpIpInformation.htm

这是描述，你可以参考。 http://www.scriptinternals.com/new/us/support/Internal/WMI_MSNT_TcpIpInformation.htm

by the way, MSNT_TcpIpInformation have no information about packets, so tcpview just increment sent and revd packets everytime. here is the disassemble:

顺便说一下，MSNT_TcpIpInformation 没有关于数据包的信息，所以 tcpview 只是每次增加发送和 revd 数据包。这是拆卸：

CPU Disasm
Address   Hex dump          Command                                           Comments
0040B41B  |.  83E8 02       SUB EAX,2                                         ; Switch (cases 2..3, 3 exits)
0040B41E  |.  74 29         JE SHORT 0040B449
0040B420  |.  83E8 01       SUB EAX,1
0040B423  |.  75 40         JNE SHORT 0040B465
0040B425  |.  8B57 1C       MOV EDX,DWORD PTR DS:[EDI+1C]                     ; Case 3 of switch Tcpview.40B41B
0040B428  |.  0196 90060000 ADD DWORD PTR DS:[ESI+690],EDX
0040B42E  |.  119E 94060000 ADC DWORD PTR DS:[ESI+694],EBX
0040B434  |.  8386 C0060000 ADD DWORD PTR DS:[ESI+6C0],1
0040B43B  |.  119E C4060000 ADC DWORD PTR DS:[ESI+6C4],EBX
0040B441  |.  5E            POP ESI
0040B442  |.  5F            POP EDI
0040B443  |.  5D            POP EBP
0040B444  |.  5B            POP EBX
0040B445  |.  83C4 3C       ADD ESP,3C
0040B448  |.  C3            RETN
0040B449  |>  8B47 1C       MOV EAX,DWORD PTR DS:[EDI+1C]                     ; Case 2 of switch Tcpview.40B41B
0040B44C  |.  0186 78060000 ADD DWORD PTR DS:[ESI+678],EAX
0040B452  |.  119E 7C060000 ADC DWORD PTR DS:[ESI+67C],EBX
0040B458  |.  8386 A8060000 ADD DWORD PTR DS:[ESI+6A8],1
0040B45F  |.  119E AC060000 ADC DWORD PTR DS:[ESI+6AC],EBX
0040B465  |>  5E            POP ESI                                           ; Default case of switch Tcpview.40B41B
0040B466  |.  5F            POP EDI

all, I have basically fully reverse tcpview 3.0.2 and implement the same feature as its according to what I have learnt.

所有，我已经基本上完全反向 tcpview 3.0.2 并根据我所学到的实现与其相同的功能。

tcpview use ETWfor monitoring network activity.

tcpview 使用ETW来监控网络活动。

The key APIs are StartTrace, OpenTrace, ProcessTrace.

关键 API 是StartTrace、OpenTrace、ProcessTrace。

Use the KERNEL_LOGGER_NAME and enable EVENT_TRACE_FLAG_NETWORK_TCPIP flags.

使用 KERNEL_LOGGER_NAME 并启用 EVENT_TRACE_FLAG_NETWORK_TCPIP 标志。

Then you can retrieve network activity data from EventCallback, then parse it as TcpIp_TypeGroup1and other structures. According to the document, these structures are only supported from vista. However you can call and use it in xp(guess from reverse) and 2003(My environment is 2003, no test on xp). Certainly you have to define all these structures by yourself.

然后您可以从EventCallback检索网络活动数据，然后将其解析为TcpIp_TypeGroup1和其他结构。根据该文件，这些结构仅支持 vista。但是，您可以在 xp（从反向猜测）和 2003（我的环境是 2003 年，没有在 xp 上测试）中调用和使用它。当然，您必须自己定义所有这些结构。

From vista, win provides some APIs for retrieving every connections statistic information. Such as GetPerTcpConnectionEStats, GetPerUdpConnectionEStats, you can get more details from MSDN.

在 vista 中，win 提供了一些 API 用于检索每个连接的统计信息。比如GetPerTcpConnectionEStats、GetPerUdpConnectionEStats，可以从MSDN获取更多详细信息。

Also, from vista, you can use RAW Socket to finish the same work(more precise I think). Before vista, RAW Socket can't retrieve SEND packets, it's a pity.

此外，从 vista 中，您可以使用 RAW Socket 来完成相同的工作（我认为更精确）。在vista之前，RAW Socket无法检索SEND数据包，很遗憾。

Check the WinSock LSP Sample project at http://connect.microsoft.com/WNDP/Downloads

在http://connect.microsoft.com/WNDP/Downloads检查 WinSock LSP 示例项目

You will find a sample in nonifslsp\sockinfo.cppwhich "illustrates how to develop a layered service provider that is capable of counting all bytes transmitted through a TCP/IP socket."

您将在nonifslsp\sockinfo.cpp 中找到一个示例，其中“说明了如何开发能够计算通过 TCP/IP 套接字传输的所有字节的分层服务提供程序。”

The sysinternals version of netstat (netstatp) does this. IIRC, it uses SNMP to gather its info. Search the net and find a version you're comfortable with. The file names are netstatp.c and netstatp.h
Sysinternals no longer publishes netstatp that I am aware of.

netstat (netstatp) 的 sysinternals 版本就是这样做的。IIRC，它使用 SNMP 来收集其信息。在网络上搜索并找到您喜欢的版本。文件名是 netstatp.c 和 netstatp.h
Sysinternals 不再发布我知道的 netstatp。

You can also go hereand get tcpview and/or tcpconv one of which is available in source form.

您也可以到这里获取 tcpview 和/或 tcpconv，其中之一以源代码形式提供。

Have a look at the source code for BitMeterOS, it works on xp+. you many also want to look at TCPDump/Libpcapas well. both of these monitor network network traffic, libpcap will probably be what your after though

查看BitMeterOS的源代码，它适用于 xp+。你们很多人也想看看TCPDump/Libpcap。这两个监控网络网络流量，libpcap 可能会是你想要的

there is also Winpcap, a more windows orientated 'version', a simple tutorial on network traffic stats can be found here, you'll also be interested in thisfor filtering based on connection and thisfor the size of the raw packets.

还有Winpcap的，更面向窗口“版本”，对网络流量统计一个简单的教程，可以发现在这里，你还可以在兴趣这一用于过滤基于连接，这对于原始数据包的大小。

My best bet would be hooking the "send" API calls and recording the amount sent each time. Although this really doesn't seem worth it, I'm pretty sure it would work. Good luck!

我最好的选择是挂钩“发送”API 调用并记录每次发送的数量。虽然这看起来确实不值得，但我很确定它会起作用。祝你好运！