Open Source Network Monitor Parsers

With the release of Network Monitor 3.2 we plan to do all of our parser development as an open source project at http://www.codeplex.com/NMParsers. We will release parser packages for Microsoft protocols on a regular schedule. All parser issues will be tracked, assigned, and fixed on CodePlex first; then, on that same schedule, we will post a new installer package that updates your NM3.2 parsers.

Open Documentation = Open Parsers

At the beginning of this year we released documentation for all of the Windows protocols at http://msdn.microsoft.com/en-us/library/cc216517.aspx. With NM3.2 we have also created parsers for most of the released protocol documentation, and over time we will keep updating the released parsers and introducing new ones.

3rd Party Development Welcome

So now it's your turn to contribute. If you see a problem with a parser, or decide there is a better way to describe the data, you can file an Issue Report against the parser and track it on CodePlex. If the change is implemented, the next install of the Microsoft Parsers will contain it. You will also have access to the latest version of the NPL (the Network Monitor Parser Language source for each parser) if you want to integrate a change manually.

If there is a parser you want to share with the community, you can share it here as well. We will provide information on how to build a parser package and guidance on how to test your parsers, and the main project page will be updated to list all available packages.

Stay Tuned

Since the parsers will also ship with NM3.2, the first parser-only package will follow sometime soon after that release. We are currently aiming for a monthly release cycle, so you should see the first parser package posted in October 2008. Stay tuned to that site for updates and announcements.

  • I’m so excited about this release I had to commandeer Paul’s blog for the day and write about it. My

  • As already announced, since June the current version of Microsoft Network Monitor had been in

  • The new version of Network Monitor is available (downloadable from here). The development team has worked

  • I tried to parse a NAP DHCP Enforcement SoH packet between Vista and Server 2008. The first 255 bytes of the Vendor Specific Information are parsed correctly; however, the rest of the data is not parsed.

    Is this a bug in the Network Monitor SoH parser? If so, when will it be fixed?

  • I can't tell from your description, but if you can send me the capture (use the email link from this blog) or just send me all the hex data in the packet, I can reconstruct it.

    There is a limitation with information that is fragmented into multiple packets within the same frame. This is something we'll need to support in the engine; we call this inner frame fragmentation. If this is the issue, there will be a limitation in parsing it.

    Paul

  • Hi Paul,

    Thank you for your response.

    We captured NAP DHCP Enforcement packets between Vista and Server 2008. The data size of the Vendor Specific Information in the DHCP REQUEST is more than 255 bytes, so the data is divided into three parts. The Private (0xFA) parts are shown as ContinueOption and are not parsed at all.

    Please see the parsed data shown below.

     - VendorSpecificInformation:  - Type 43
        Code: Vendor specific information, 43(0x2B)
        Length: 255 UINT8(s)
      - VendorSpecificExtension: NAP-CoID - Type 222
         Code: NAP-CoID, 222(0xDE)
         Length: 130 UINT8(s)
         CoID: Binary Large Object (130 Bytes)
      - VendorSpecificExtension: NAP-SoH - Type 220
         Code: NAP-SoH, 220(0xDC)
         Length: 255 UINT8(s)
       - SOH: Vendor = Microsoft, Version 2, Request
        - SoHHeader:
         - OuterType: 7 (0x7)
            Reserved:   (00..............)
            OuterType: (..00000000000111) Vendor Specific
           Length: 445 (0x1BD)
           IANASMICode: Microsoft
           InnerType: 2 (0x2)
           InnerLength: 437 (0x1B5)
        - SoHModeSubHeader:
         - OuterType: 7 (0x7)
            Reserved:   (00..............)
            OuterType: (..00000000000111) Vendor Specific
           Length: 30 (0x1E)
           IANASMICode: Microsoft
           CorrelationId: Binary Large Object (24 Bytes)
           IntentFlag: Request
           ContentType: 0x0, MUST be set to 0
        - SSoH: Microsoft, ID = 0
         - SystemHealthEntityId: SystemHealthId
          - Type: 2 (0x2)
             Mandatory: (0...............) Optional TLV
             Reserved:  (.0..............)
             TLVType:    (..00000000000010) SystemHealthId
            Length: 4 (0x4)
          - SystemHealthId: Microsoft, ID = 0
             VendorCode: Microsoft
             Id: 0 (0x0)
         - VendorSpecificAttribute: VendorSpecific
          - Type: 7 (0x7)
             Mandatory: (0...............) Optional TLV
             Reserved:  (.0..............)
             TLVType:    (..00000000000111) VendorSpecific
            Length: 89 (0x59)
            VendorID: Microsoft
          - MSVendorSpecificValue: MS-Packet-Info
             AttributeType: MS-Packet-Info
           - MSPacketInfo: 17 (0x11)
              Reserved: (000.....)
              r:      (...1....) Request
              Vers:   (....0001) 1
          - MSVendorSpecificValue: MS-Machine-Inventory
             AttributeType: MS-Machine-Inventory
             osVersionMajor: 6 (0x6)
             osVersionMinor: 0 (0x0)
             osVersionBuild: 6001 (0x1771)
             spVersionMajor: 1 (0x1)
             spVersionMinor: 0 (0x0)
             procArch: 0 (0x0)
          - MSVendorSpecificValue: MS-MachineName
             AttributeType: MS-MachineName
             machineNameLenInBytes: 16 (0x10)
             machineName: WIN-VISTA-BU-06
          - MSVendorSpecificValue: MS-CorrelationId
             AttributeType: MS-CorrelationId
      - VendorSpecificExtension: Unknown Microsoft Extension - Type 73
         Code: Unknown Microsoft Extension, 73(0x49)
         Length: 245 UINT8(s)
         MicrosoftUnknownExtensionValue: ?テ/C6??9b? ??
     - ContinueOption: Continuation Option
        Code: Continuation Option, 250(0xFA)
        Length: 255 UINT8(s)
        ContinueBlob: :4????
     - ContinueOption: Continuation Option
        Code: Continuation Option, 250(0xFA)
        Length: 75 UINT8(s)
        ContinueBlob: U
     - End:
        Code: End of Options, 255(0xFF)

    HEX Dump of Vendor specific Information
    0160  79 f9 2b 2b ff de 82 7b 00 34 00 39 00 46 00 35   y.++...{.4.9.F.5
    0170  00 30 00 41 00 45 00 41 00 2d 00 38 00 33 00 32   .0.A.E.A.-.8.3.2
    0180  00 46 00 2d 00 34 00 33 00 33 00 36 00 2d 00 41   .F.-.4.3.3.6.-.A
    0190  00 45 00 44 00 42 00 2d 00 33 00 39 00 36 00 32   .E.D.B.-.3.9.6.2
    01a0  00 42 00 39 00 30 00 41 00 31 00 32 00 33 00 46   .B.9.0.A.1.2.3.F
    01b0  00 7d 00 20 00 2d 00 20 00 32 00 30 00 30 00 38   .}. .-. .2.0.0.8
    01c0  00 2d 00 31 00 30 00 2d 00 33 00 30 00 20 00 30   .-.1.0.-.3.0. .0
    01d0  00 32 00 3a 00 31 00 30 00 3a 00 33 00 36 00 2e   .2.:.1.0.:.3.6..
    01e0  00 39 00 38 00 39 00 5a 00 dc ff 00 07 01 bd 00   .9.8.9.Z........
    01f0  00 01 37 00 02 01 b5 00 07 00 1e 00 00 01 37 49   ..7...........7I
    0200  f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a 12 3f 01   ..../C6..9b...?.
    0210  c9 3a 34 b2 d6 b8 d4 01 00 00 02 00 04 00 01 37   .:4............7
    0220  00 00 07 00 59 00 00 01 37 03 11 01 00 00 00 06   ....Y...7.......
    0230  00 00 00 00 00 00 17 71 00 01 00 00 00 00 05 00   .......q........
    0240  10 57 49 4e 2d 56 49 53 54 41 2d 42 55 2d 30 36   .WIN-VISTA-BU-06
    0250  00 06 49 f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a   ..I..../C6..9b..
    0260  12 3f 01 c9 fa ff 3a 34 b2 d6 b8 d4 02 00 09 ff   .?....:4........
    0270  ff ff ff ff ff ff ff 00 01 00 08 de ca fb ad 01   ................
    0280  00 02 00 04 00 01 37 80 00 07 00 08 00 01 37 80   ......7.......7.
    0290  09 00 00 00 00 07 00 08 00 01 37 80 01 00 06 00   ..........7.....
    02a0  00 08 00 01 00 00 0a 00 24 4d 00 49 00 43 00 52   ........$M.I.C.R
    02b0  00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52   .O.S.O.F.T. .P.R
    02c0  00 4f 00 44 00 55 00 43 00 54 00 00 00 00 0b 00   .O.D.U.C.T......
    02d0  04 00 00 00 06 00 08 00 01 01 00 0a 00 26 53 00   .............&S.
    02e0  79 00 6d 00 61 00 6e 00 74 00 65 00 fa c2 63 00   y.m.a.n.t.e...c.
    02f0  20 00 41 00 6e 00 74 00 69 00 56 00 69 00 72 00    .A.n.t.i.V.i.r.
    0300  75 00 73 00 00 00 00 0b 00 04 00 00 00 03 00 08   u.s.............
    0310  00 01 02 00 0a 00 26 53 00 79 00 6d 00 61 00 6e   ......&S.y.m.a.n
    0320  00 74 00 65 00 63 00 20 00 41 00 6e 00 74 00 69   .t.e.c. .A.n.t.i
    0330  00 56 00 69 00 72 00 75 00 73 00 00 00 00 0b 00   .V.i.r.u.s......
    0340  04 00 00 00 03 00 0a 00 24 4d 00 49 00 43 00 52   ........$M.I.C.R
    0350  00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52   .O.S.O.F.T. .P.R
    0360  00 4f 00 44 00 fa 4b 55 00 43 00 54 00 00 00 00   .O.D..KU.C.T....
    0370  0b 00 04 00 00 00 05 00 08 00 01 03 00 0b 00 04   ................
    0380  00 00 00 04 00 08 00 01 04 00 0b 00 04 00 ff 00   ................
    0390  05 00 07 00 08 00 01 37 80 bc 10 32 00 00 07 00   .......7...2....
    03a0  05 00 01 37 80 00 00 07 00 08 00 01 37 80 00 00   ...7........7...
    03b0  02 00 ff                                          ...

  • This is exactly the issue I mentioned above. DHCP splits up a payload into fragments within the same packet. This type of fragmentation can't be handled by our engine today.

    It is something on our radar, but it's difficult to say when there will be a built-in solution.

    It would be possible to use the NMAPI in NM3.2 to put the packets together and create a new frame, or possibly modify the current frame. If you are interested, let me know and I can send you more specifics.

    Thanks,

    Paul
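The workaround Paul describes, gluing the pieces back together outside the parser, can be done without the NMAPI once the option bytes are in hand. The Python below is an added example and not Network Monitor or NMAPI code: it walks the DHCP option list taken from the hex dump posted in this thread, appends each option 250 (the "ContinueOption") to the option before it, applies the same rule to the vendor sub-options inside option 43, and then checks the reassembled Statement of Health against its own header. The option and sub-option numbers (43, 250, 220, 222) and the SoH header layout (14-bit outer type, outer length, IANASMICode, inner type, inner length, followed by a flat list of 2-byte type / 2-byte length TLVs whose bit 15 is the Mandatory flag) are taken from the parse tree above. Three things are assumptions of this example rather than statements on the page: that a code-250 sub-option inside option 43 continues the preceding sub-option in the same way (the dump shows one exactly where "Symantec AntiVirus" is interrupted by fa c2), that repeated instances of one option code are concatenated as RFC 3396 specifies (not exercised by this dump), and the function names themselves.

```python
"""Reassemble a NAP Statement of Health (SoH) that a DHCP client split across
option 43 and code-250 'continuation' options, then parse it.
Added example; not Network Monitor or NMAPI code."""
import struct

OPT_PAD, OPT_END, OPT_VENDOR_SPECIFIC = 0, 255, 43
OPT_CONTINUATION = 250            # "ContinueOption" in the posted parse tree
SUBOPT_SOH, SUBOPT_COID = 220, 222
SMI_MICROSOFT = 311               # 0x137, the IANASMICode in the SoH header

# Constructed input: the option bytes from the hex dump in the thread, from the
# option-43 header (0x163) through the End option (0x3b2), two rows per line.
DHCP_OPTIONS = bytes.fromhex("""
2b ff de 82 7b 00 34 00 39 00 46 00 35 00 30 00 41 00 45 00 41 00 2d 00 38 00 33 00 32
00 46 00 2d 00 34 00 33 00 33 00 36 00 2d 00 41 00 45 00 44 00 42 00 2d 00 33 00 39 00 36 00 32
00 42 00 39 00 30 00 41 00 31 00 32 00 33 00 46 00 7d 00 20 00 2d 00 20 00 32 00 30 00 30 00 38
00 2d 00 31 00 30 00 2d 00 33 00 30 00 20 00 30 00 32 00 3a 00 31 00 30 00 3a 00 33 00 36 00 2e
00 39 00 38 00 39 00 5a 00 dc ff 00 07 01 bd 00 00 01 37 00 02 01 b5 00 07 00 1e 00 00 01 37 49
f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a 12 3f 01 c9 3a 34 b2 d6 b8 d4 01 00 00 02 00 04 00 01 37
00 00 07 00 59 00 00 01 37 03 11 01 00 00 00 06 00 00 00 00 00 00 17 71 00 01 00 00 00 00 05 00
10 57 49 4e 2d 56 49 53 54 41 2d 42 55 2d 30 36 00 06 49 f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a
12 3f 01 c9 fa ff 3a 34 b2 d6 b8 d4 02 00 09 ff ff ff ff ff ff ff ff 00 01 00 08 de ca fb ad 01
00 02 00 04 00 01 37 80 00 07 00 08 00 01 37 80 09 00 00 00 00 07 00 08 00 01 37 80 01 00 06 00
00 08 00 01 00 00 0a 00 24 4d 00 49 00 43 00 52 00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52
00 4f 00 44 00 55 00 43 00 54 00 00 00 00 0b 00 04 00 00 00 06 00 08 00 01 01 00 0a 00 26 53 00
79 00 6d 00 61 00 6e 00 74 00 65 00 fa c2 63 00 20 00 41 00 6e 00 74 00 69 00 56 00 69 00 72 00
75 00 73 00 00 00 00 0b 00 04 00 00 00 03 00 08 00 01 02 00 0a 00 26 53 00 79 00 6d 00 61 00 6e
00 74 00 65 00 63 00 20 00 41 00 6e 00 74 00 69 00 56 00 69 00 72 00 75 00 73 00 00 00 00 0b 00
04 00 00 00 03 00 0a 00 24 4d 00 49 00 43 00 52 00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52
00 4f 00 44 00 fa 4b 55 00 43 00 54 00 00 00 00 0b 00 04 00 00 00 05 00 08 00 01 03 00 0b 00 04
00 00 00 04 00 08 00 01 04 00 0b 00 04 00 ff 00 05 00 07 00 08 00 01 37 80 bc 10 32 00 00 07 00
05 00 01 37 80 00 00 07 00 08 00 01 37 80 00 00 02 00 ff
""")


def walk_options(buf, pad_end=True):
    """Walk 1-byte-code/1-byte-length options into [(code, value)]. A code-250
    option is appended to the option before it (as the Vista client split the
    dump); repeated instances of one code concatenate per RFC 3396 (assumed,
    not exercised here). pad_end=False skips Pad/End handling for sub-options."""
    merged, order, last, i = {}, [], None, 0
    while i < len(buf):
        code, start = buf[i], i
        if pad_end and code == OPT_PAD:
            i += 1
            continue
        if pad_end and code == OPT_END:
            break
        if i + 2 > len(buf):
            raise ValueError(f"truncated option header at offset {start}")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} at offset {start} runs past the buffer")
        i += 2 + length
        if code == OPT_CONTINUATION:
            if last is None:
                raise ValueError(f"continuation at offset {start} with nothing before it")
            merged[last] += value
            continue
        if code not in merged:
            merged[code] = b""
            order.append(code)
        merged[code] += value
        last = code
    return [(code, merged[code]) for code in order]


def parse_soh(soh):
    """Parse the SoH outer header (14-bit type, length, IANA SMI code, inner
    type, inner length) and the flat TLV list behind it (bit 15 = Mandatory)."""
    if len(soh) < 12:
        raise ValueError("SoH shorter than its 12-byte header")
    otype, olen, smi, itype, ilen = struct.unpack_from(">HHIHH", soh, 0)
    if olen + 4 != len(soh) or ilen != olen - 8:
        raise ValueError(f"lengths {olen}/{ilen} do not match {len(soh)} reassembled bytes")
    tlvs, off, end = [], 12, 12 + ilen
    while off < end:
        if off + 4 > end:
            raise ValueError(f"truncated TLV header at SoH offset {off}")
        ttype, tlen = struct.unpack_from(">HH", soh, off)
        if off + 4 + tlen > end:
            raise ValueError(f"TLV at SoH offset {off} runs past the inner length")
        tlvs.append((ttype & 0x3FFF, bool(ttype & 0x8000), soh[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return {"outer_type": otype & 0x3FFF, "outer_length": olen, "smi": smi,
            "inner_type": itype, "inner_length": ilen, "tlvs": tlvs}


def parse_nap_dhcp(options):
    """Reassemble option 43, its sub-options and the SoH; return CoID and SoH."""
    opts = dict(walk_options(options))
    subs = dict(walk_options(opts[OPT_VENDOR_SPECIFIC], pad_end=False))
    soh = parse_soh(subs[SUBOPT_SOH])
    if soh["smi"] != SMI_MICROSOFT:
        raise ValueError(f"unexpected IANA SMI code {soh['smi']}")
    return {"coid": subs[SUBOPT_COID].decode("utf-16-le"), "soh": soh}
```

Calling parse_nap_dhcp(DHCP_OPTIONS) on the dump removes the three continuation headers (fa ff, fa c2 and fa 4b): the SoH comes out at 449 bytes, which is the header's 445 plus the 4 header bytes, the 24 TLVs add up to the 437-byte inner length, the CoID decodes as a GUID plus timestamp, and the UTF-16LE product names that the raw dump shows interrupted decode cleanly. The length and SMI checks are the part to keep if this grows into a detection: a fragment that does not reassemble to the advertised length is exactly the case the engine cannot parse today, and accepting it silently would hide the bytes you wanted to inspect.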

  • thanks