Network Monitor 3.2 has arrived!

Network Monitor — Wed, 17 Sep 2008 17:32:06 GMT

I’m so excited about this release I had to commandeer Paul’s blog for the day and write about it. My

Microsoft Network Monitor 3.2 verfuegbar

Forefront & Security Blogs — Wed, 17 Sep 2008 18:38:15 GMT

Wie bereits angekündigt, befand sich die aktuelle Version des Microsoft Netzwerkmonitor seit Juni in

E’ arrivato Network Monitor 3.2

ZenIT Blog — Mon, 22 Sep 2008 15:06:36 GMT

E’ disponibilie (scaricabile da qui ) la nuova versione di Network Monitor . Il team di sviluppo ha lavorato

E’ arrivato Network Monitor 3.2

Blog Team TechNet Italia — Mon, 22 Sep 2008 15:07:00 GMT

E’ disponibilie (scaricabile da qui ) la nuova versione di Network Monitor . Il team di sviluppo ha lavorato

re: Open Source Network Monitor Parsers

Ponyo — Fri, 31 Oct 2008 09:57:48 GMT

I tried to parse NAP DHCP Enforcement SoH packet between Vista and Server 2008.

The first 255 bytes of Vendor Specific Information are parsed correctly,

however, the rest of data are not parsed.

Is this a bug of Network Monitor SoH Parser ?

If so, when will it be fixed ?

re: Open Source Network Monitor Parsers

PaulELong — Fri, 31 Oct 2008 16:40:08 GMT

I can't tell from your description, but if you can send me the capture(use the email link from this blog) OR just send me all the HEX data in the packet and I can reconstruct it.

There is a limitation with Information that is fragmented into multiple packets with in the same frame. This is something we'll need to support with the engine, we call this inner frame fragmentation. If this is the issue, there will be a limitation to parse it.

Paul

re: Open Source Network Monitor Parsers

Ponyo — Tue, 04 Nov 2008 05:25:17 GMT

Hi Paul,

Thank you for your response.

We captured NAP DHCP Enforcement packet between Vista and Server 2008.

The data size of Vendor Specific Information in DHCP REQUEST is more than 255, so the data is devided into three parts.

Private(0xFA) parts are shown as ContinueOption

and are not parsed at all.

Please see the parsed data shown below.

- VendorSpecificInformation: - Type 43

Code: Vendor specific information, 43(0x2B)

Length: 255 UINT8(s)

- VendorSpecificExtension: NAP-CoID - Type 222

Code: NAP-CoID, 222(0xDE)

Length: 130 UINT8(s)

CoID: Binary Large Object (130 Bytes)

- VendorSpecificExtension: NAP-SoH - Type 220

Code: NAP-SoH, 220(0xDC)

Length: 255 UINT8(s)

- SOH: Vendor = Microsoft, Version 2, Request

- SoHHeader:

- OuterType: 7 (0x7)

Reserved: (00..............)

OuterType: (..00000000000111) Vendor Specific

Length: 445 (0x1BD)

IANASMICode: Microsoft

InnerType: 2 (0x2)

InnerLength: 437 (0x1B5)

- SoHModeSubHeader:

- OuterType: 7 (0x7)

Reserved: (00..............)

OuterType: (..00000000000111) Vendor Specific

Length: 30 (0x1E)

IANASMICode: Microsoft

CorrelationId: Binary Large Object (24 Bytes)

IntentFlag: Request

ContentType: 0x0, MUST be set to 0

- SSoH: Microsoft, ID = 0

- SystemHealthEntityId: SystemHealthId

- Type: 2 (0x2)

Mandatory: (0...............) Optional TLV

Reserved: (.0..............)

TLVType: (..00000000000010) SystemHealthId

Length: 4 (0x4)

- SystemHealthId: Microsoft, ID = 0

VendorCode: Microsoft

Id: 0 (0x0)

- VendorSpecificAttribute: VendorSpecific

- Type: 7 (0x7)

Mandatory: (0...............) Optional TLV

Reserved: (.0..............)

TLVType: (..00000000000111) VendorSpecific

Length: 89 (0x59)

VendorID: Microsoft

- MSVendorSpecificValue: MS-Packet-Info

AttributeType: MS-Packet-Info

- MSPacketInfo: 17 (0x11)

Reserved: (000.....)

r: (...1....) Request

Vers: (....0001) 1

- MSVendorSpecificValue: MS-Machine-Inventory

AttributeType: MS-Machine-Inventory

osVersionMajor: 6 (0x6)

osVersionMinor: 0 (0x0)

osVersionBuild: 6001 (0x1771)

spVersionMajor: 1 (0x1)

spVersionMinor: 0 (0x0)

procArch: 0 (0x0)

- MSVendorSpecificValue: MS-MachineName

AttributeType: MS-MachineName

machineNameLenInBytes: 16 (0x10)

machineName: WIN-VISTA-BU-06

- MSVendorSpecificValue: MS-CorrelationId

AttributeType: MS-CorrelationId

- VendorSpecificExtension: Unknown Microsoft Extension - Type 73

Code: Unknown Microsoft Extension, 73(0x49)

Length: 245 UINT8(s)

MicrosoftUnknownExtensionValue:

?ﾃ/C6??9b?

- ContinueOption: Continuation Option

Code: Continuation Option, 250(0xFA)

Length: 255 UINT8(s)

ContinueBlob: :4????

- ContinueOption: Continuation Option

Code: Continuation Option, 250(0xFA)

Length: 75 UINT8(s)

ContinueBlob: U

- End:

Code: End of Options, 255(0xFF)

HEX Dump of Vendor specific Information

0160 79 f9 2b 2b ff de 82 7b 00 34 00 39 00 46 00 35 y.++...{.4.9.F.5

0170 00 30 00 41 00 45 00 41 00 2d 00 38 00 33 00 32 .0.A.E.A.-.8.3.2

0180 00 46 00 2d 00 34 00 33 00 33 00 36 00 2d 00 41 .F.-.4.3.3.6.-.A

0190 00 45 00 44 00 42 00 2d 00 33 00 39 00 36 00 32 .E.D.B.-.3.9.6.2

01a0 00 42 00 39 00 30 00 41 00 31 00 32 00 33 00 46 .B.9.0.A.1.2.3.F

01b0 00 7d 00 20 00 2d 00 20 00 32 00 30 00 30 00 38 .}. .-. .2.0.0.8

01c0 00 2d 00 31 00 30 00 2d 00 33 00 30 00 20 00 30 .-.1.0.-.3.0. .0

01d0 00 32 00 3a 00 31 00 30 00 3a 00 33 00 36 00 2e .2.:.1.0.:.3.6..

01e0 00 39 00 38 00 39 00 5a 00 dc ff 00 07 01 bd 00 .9.8.9.Z........

01f0 00 01 37 00 02 01 b5 00 07 00 1e 00 00 01 37 49 ..7...........7I

0200 f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a 12 3f 01 ..../C6..9b...?.

0210 c9 3a 34 b2 d6 b8 d4 01 00 00 02 00 04 00 01 37 .:4............7

0220 00 00 07 00 59 00 00 01 37 03 11 01 00 00 00 06 ....Y...7.......

0230 00 00 00 00 00 00 17 71 00 01 00 00 00 00 05 00 .......q........

0240 10 57 49 4e 2d 56 49 53 54 41 2d 42 55 2d 30 36 .WIN-VISTA-BU-06

0250 00 06 49 f5 0a ea 83 2f 43 36 ae db 39 62 b9 0a ..I..../C6..9b..

0260 12 3f 01 c9 fa ff 3a 34 b2 d6 b8 d4 02 00 09 ff .?....:4........

0270 ff ff ff ff ff ff ff 00 01 00 08 de ca fb ad 01 ................

0280 00 02 00 04 00 01 37 80 00 07 00 08 00 01 37 80 ......7.......7.

0290 09 00 00 00 00 07 00 08 00 01 37 80 01 00 06 00 ..........7.....

02a0 00 08 00 01 00 00 0a 00 24 4d 00 49 00 43 00 52 ........$M.I.C.R

02b0 00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52 .O.S.O.F.T. .P.R

02c0 00 4f 00 44 00 55 00 43 00 54 00 00 00 00 0b 00 .O.D.U.C.T......

02d0 04 00 00 00 06 00 08 00 01 01 00 0a 00 26 53 00 .............&S.

02e0 79 00 6d 00 61 00 6e 00 74 00 65 00 fa c2 63 00 y.m.a.n.t.e...c.

02f0 20 00 41 00 6e 00 74 00 69 00 56 00 69 00 72 00 .A.n.t.i.V.i.r.

0300 75 00 73 00 00 00 00 0b 00 04 00 00 00 03 00 08 u.s.............

0310 00 01 02 00 0a 00 26 53 00 79 00 6d 00 61 00 6e ......&S.y.m.a.n

0320 00 74 00 65 00 63 00 20 00 41 00 6e 00 74 00 69 .t.e.c. .A.n.t.i

0330 00 56 00 69 00 72 00 75 00 73 00 00 00 00 0b 00 .V.i.r.u.s......

0340 04 00 00 00 03 00 0a 00 24 4d 00 49 00 43 00 52 ........$M.I.C.R

0350 00 4f 00 53 00 4f 00 46 00 54 00 20 00 50 00 52 .O.S.O.F.T. .P.R

0360 00 4f 00 44 00 fa 4b 55 00 43 00 54 00 00 00 00 .O.D..KU.C.T....

0370 0b 00 04 00 00 00 05 00 08 00 01 03 00 0b 00 04 ................

0380 00 00 00 04 00 08 00 01 04 00 0b 00 04 00 ff 00 ................

0390 05 00 07 00 08 00 01 37 80 bc 10 32 00 00 07 00 .......7...2....

03a0 05 00 01 37 80 00 00 07 00 08 00 01 37 80 00 00 ...7........7...

03b0 02 00 ff ...

re: Open Source Network Monitor Parsers

PaulELong — Wed, 05 Nov 2008 00:44:30 GMT

This is exactly the issue I mentioned above. DHCP splits up a payload into fragments in the same packet. This type of fragmentation can't be handled by our engine today.

It is something on our radar, but it's difficult to say when there will be a built in solution.

It would be possible to use the NMAPI in NM3.2 to put together the packets and create a new frame or possibly modify the current frame. If you are interested, let me know and I can send you more specifics.

Thanks,

Paul