
Wireshark-bugs: [Wireshark-bugs] [Bug 4221] New: Media Types for NM3.x NetmonFilter and NetworkI

Date: Mon, 9 Nov 2009 10:38:07 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4221

           Summary: Media Types for NM3.x NetmonFilter and NetworkInfoEx
           Product: Wireshark
           Version: 1.2.0
          Platform: All
        OS/Version: Windows 7
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: paullo@xxxxxxxxxxxxx


Build Information:
Version 1.2.0 (SVN Rev 28753)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.14.7, with GLib 2.18.4, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, without libpcre, without SMI,
without c-ares, without ADNS, with Lua 5.1, without GnuTLS, without Gcrypt,
without Kerberos, without GeoIP, with PortAudio V19-devel (built Jun 15 2009),
without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Windows Vista, build 7600, without WinPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Network Monitor 3 has added two media types for storing information about the
applied filter and Network Information.


1. Filter Frame Format

Media Type = 0xFFFF is the NetworkFilter media type.  It has a format that is
described by this NPL (which is the language of NM parsers).  All fields are
Big Endian, except where prefixed by [DataFieldByteOrder = LittleEndian].  Look
at frame 1 of the attached trace for an example.

Protocol NetmonFilter = "Updated " + FilterType.ToString + ": " + Filter
{
    UINT16 Version;
    UINT32 FilterType = this==1 ? "Capture Filter" : "Display Filter";
    UINT32 AppMajorVersion;
    UINT32 AppMinorVersion;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString ApplicationName;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString Filter;
}

UnicodeString is NULL terminated.

2. NetworkInfoEx Frame Format

Media Type = 0xFFFB is the NetworkInfoEx media type.  The following NPL describes its
format.  All fields are Big Endian, except where prefixed by
[DataFieldByteOrder = LittleEndian].  Look at frame 2 of the attached trace for
an example.


Protocol NetworkInfo = FormatString("Network info for %s, Network Adapter Count = %d",ComputerName,AdapterCount)
{
    UINT16 AdapterCount;
    [DataFieldByteOrder = LittleEndian]
    UnicodeString ComputerName;
    [MaxLoopCount=AdapterCount, Property.NetworkAdapterInfo = "NetworkInfo"]
    while[true] {
                NetMonNetworkAdapter NetworkAdapter;
    }
}

For each adapter, there is a NetMonNetworkAdapter structure which is defined as
follows.

Struct NetMonNetworkAdapter = FormatString("%s, %s",Property.NetworkInfoFriendlyName,Property.NetworkInfoHardwareAddr)
    {
        [DataFieldByteOrder = LittleEndian]
        UnicodeString FriendlyName;
        [DataFieldByteOrder = LittleEndian]
        UnicodeString Description;
        switch(Property.NetworkAdapterInfo)
        {
            case "NetworkInfo":
                [DataFieldByteOrder = LittleEndian]
                UnicodeString LayerName;
        }
        [DataFieldByteOrder = LittleEndian]
        UnicodeString MiniportGuid;
        UINT32 MediaType;
        UINT32 Mtu;
        UINT64 LinkSpeed = LinkSpeedTable(this);
        MacAddress HardwareAddress;
        UINT16 Ipv4AddressCount;
        UINT16 Ipv6AddressCount;
        UINT16 GatewayAddressCount;
        UINT16 DhcpServerAddressCount;
        UINT16 DnsIpv4AddressCount;
        UINT16 DnsIpv6AddressCount;
        Ipv4Address Ipv4Address[Ipv4AddressCount];
        Ipv4Address SubnetMask[Ipv4AddressCount];
        Ipv6Address Ipv6Address[Ipv6AddressCount];
        Ipv4Address GatewayAddress[GatewayAddressCount];
        Ipv4Address DhcpServerAddress[DhcpServerAddressCount];
        Ipv4Address DnsIpv4Address[DnsIpv4AddressCount];
        Ipv6Address DnsIpv6Address[DnsIpv6AddressCount];
    }

MacAddress is 6 bytes.
Ipv4Address is 4 bytes.
Ipv6Address is 16 bytes.

Field[Count] represents an array of Count values.

LinkSpeedTable is defined as follows:

Table LinkSpeedTable(Value)
{
    switch
    {
    case Value >= 1000 * 1000 * 1024: FormatString("%d Gbps", Value / (1000 * 1000 * 1000));
    case Value >= 1000 * 1000: FormatString("%d Mbps", Value / (1000 * 1000));
    case Value >= 1000: FormatString("%d Kbps", Value / 1000);
    default: FormatString("%d bps", Value);
    }
}

Hopefully this is straightforward enough to define the format of these frames.
If not, I can certainly add more details as required.
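As an added illustration of both frame formats above (not code from the report or from Wireshark), here is a small Python parser for the NetmonFilter (0xFFFF) and NetworkInfoEx (0xFFFB) records as the NPL describes them. It assumes UnicodeString is UTF-16LE ending in a 16-bit NUL, and the sample frames at the bottom are constructed, not taken from the attached trace.

```python
import ipaddress
import struct

def read_unicode_string(buf, off):
    """UnicodeString: little-endian UTF-16 ending in a 16-bit NUL; returns (text, next offset)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated UnicodeString at offset %d" % off)
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_netmon_filter(buf):
    """Media type 0xFFFF: big-endian Version, FilterType, app major/minor, then two LE strings."""
    version, ftype, major, minor = struct.unpack_from(">HIII", buf, 0)
    app, off = read_unicode_string(buf, 14)
    flt, _ = read_unicode_string(buf, off)
    return {"Version": version, "FilterType": "Capture Filter" if ftype == 1 else "Display Filter",
            "AppVersion": (major, minor), "ApplicationName": app, "Filter": flt}

ADDR_ARRAYS = (("Ipv4Address", 0, 4), ("SubnetMask", 0, 4), ("Ipv6Address", 1, 16),
               ("GatewayAddress", 2, 4), ("DhcpServerAddress", 3, 4),
               ("DnsIpv4Address", 4, 4), ("DnsIpv6Address", 5, 16))  # (field, count index, bytes)

def parse_network_info_ex(buf):
    """Media type 0xFFFB: AdapterCount, ComputerName, then one NetMonNetworkAdapter per adapter."""
    count = struct.unpack_from(">H", buf, 0)[0]
    name, off = read_unicode_string(buf, 2)
    adapters = []
    for _ in range(count):
        a = {}
        for key in ("FriendlyName", "Description", "LayerName", "MiniportGuid"):
            a[key], off = read_unicode_string(buf, off)
        # 34 fixed bytes: MediaType, Mtu, LinkSpeed, 6-byte MacAddress, then the six UINT16 counts
        a["MediaType"], a["Mtu"], a["LinkSpeed"], mac, *counts = struct.unpack_from(">IIQ6s6H", buf, off)
        a["HardwareAddress"], off = mac.hex(":"), off + 34
        for key, idx, size in ADDR_ARRAYS:
            n = counts[idx]
            if off + n * size > len(buf):
                raise ValueError("truncated %s array" % key)
            a[key] = [str(ipaddress.ip_address(buf[off + i * size:off + (i + 1) * size]))
                      for i in range(n)]
            off += n * size
        adapters.append(a)
    return {"ComputerName": name, "Adapters": adapters}

us = lambda t: t.encode("utf-16-le") + b"\x00\x00"  # constructed helper: encode one UnicodeString
FILTER_FRAME = struct.pack(">HIII", 1, 2, 3, 3) + us("NetMon") + us("tcp.port == 80")  # constructed
NETINFO_FRAME = (struct.pack(">H", 1) + us("LAB-PC") + us("LAN") + us("Test NIC") + us("Ethernet")
                 + us("{GUID-PLACEHOLDER}") + struct.pack(">IIQ", 1, 1500, 10**9) + bytes.fromhex("001122334455")
                 + struct.pack(">6H", 1, 0, 1, 1, 1, 0) + bytes([192, 168, 1, 10, 255, 255, 255, 0])
                 + bytes([192, 168, 1, 1, 192, 168, 1, 1, 8, 8, 8, 8]))  # constructed sample
```

The array lengths are taken from the six count fields, so a truncated record raises instead of reading past the buffer.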

