Tuesday, September 1, 2009

The NetworkMonitor API: Part I

I've spent the last three weeks building the Network Monitor examples from CodePlex: http://nmexperts.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=27988. Sniffers had been pretty much a black box to me before this project. I was prompted to do this because Network Monitor 3.3 on 64-bit systems doesn't produce captures that can be analyzed by logparser.exe. This is good and bad. Logparser only dumped out 20 fields from Netmon *.cap files. Despite the struggle, it was worth installing the latest versions (VS2008, VS2009 Express), configuring VS C++ to work with the WDDK and the Netmon API, and compiling the examples on both 32- and 64-bit systems. Microsoft has released the Netmon SDK and API to the web at codeplex.com. Network Monitor itself is a free download, and the lib and header files come along for the ride. Open Parsers are part of the project, allowing the coder to create his own parsers, filters and experts.

The samples show how to open, close, save, filter and parse capture files, and how to load and work with parsers. Sample runs are below. This project is best done by someone unafraid of Visual Studio and the WDDK.

IterateFields.exe Test.cap 500
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Iterate the fields of frame #500
Frame.WiFi (WiFi) - Offset: 0, Size: 1536
 WiFi.WiFi.MetaData (WiFiMetadata) - Offset: 0, Size: 32
  WiFi.WiFi.MetaData.Version (UINT8) - Offset: 0, Size: 1
  WiFi.WiFi.MetaData.Length (UINT16) - Offset: 1, Size: 2
  WiFi.WiFi.MetaData.OpMode (UINT32) - Offset: 3, Size: 4
  WiFi.WiFi.MetaData.OpMode.StationMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.APMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.ExtensibleStationMode (UINT32) - Offset: 3, Size: 0
  WiFi.WiFi.MetaData.OpMode.Unused (UINT32) - Offset: 3, Size: 3
  WiFi.WiFi.MetaData.OpMode.MonitorMode (UINT32) - Offset: 6, Size: 0
  WiFi.WiFi.MetaData.Flags (UINT32) - Offset: 7, Size: 4
  WiFi.WiFi.MetaData.PhyType (UINT32) - Offset: 11, Size: 4
  WiFi.WiFi.MetaData.Channel (UINT32) - Offset: 15, Size: 4
  WiFi.WiFi.MetaData.lRSSI (INT32) - Offset: 19, Size: 4
  WiFi.WiFi.MetaData.Rate (UINT8) - Offset: 23, Size: 1
  WiFi.WiFi.MetaData.TimeStamp (FILETIME) - Offset: 24, Size: 8 ....

IterateFieldsWithDisplayFormat.exe  Test.cap 500
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\Admin\AppData\Local\Microsoft\Network Monitor 3\sparser.npb.
Iterate the fields of frame #500
Field count = 92
WiFi: [Unencrypted Data] .T...., (I)

Error 1168 tryin to retreive display name for frame 499 element 1. Version: 2 (0x2)
  Length: 32 (0x20)
  OpMode: Extensible Station Mode
  StationMode: (...............................0) Not Station Mode
  APMode: (..............................0.) Not AP Mode
  ExtensibleStationMode: (.............................1..) Extensible Station Mode
  Unused: (.0000000000000000000000000000...)
  MonitorMode: (0...............................) Monitor Mode
  Flags: 4294967295 (0xFFFFFFFF)
  RemData: Outbound
  TimeStamp: 08/18/2009, 05:41:19 PM

FrameControl: .T.... (0x0801)
Version: (..............00) 0
Type: (............10..) Data
SubType: (........0000....) Data
DS: (......01........) STA to DS via AP
MoreFrag: (.....0..........) No
Retransmission: (....0...........) No
PowerMgt: (...0............) Active Mode
MoreData: (..0.............) No
Encrypted: (.0..............) No
Order: (0...............) Unordered....
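Both dumps above come from the same two pieces: a field table of (name, type, offset, size) that the NPL parser applies to the raw frame bytes, and a display layer that renders the bits as strings. What follows is an added example, not code from the Netmon samples or the Netmon API: a small C decoder for the packed 32-byte WiFi metadata header and the 802.11 FrameControl field, built from the offsets, sizes and bit positions the two dumps show. The constructed sample bytes, the PhyType/Rate/TimeStamp values, the little-endian layout of the metadata header and all struct and function names are my assumptions. One detail worth noting: the dump prints FrameControl as 0x0801, which is the two wire bytes in order, while 802.11 defines the field little-endian, so the bit layout shown (Version in bits 0-1, Type in bits 2-3, ToDS in bit 8) lines up with the value 0x0108. The decoder also checks the metadata Length field against the buffer before using it, which matters when the capture file itself is untrusted input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packed WiFi metadata header as the IterateFields dump lays it out: offsets
 * 0,1,3,7,11,15,19,23,24, 32 bytes, no padding. Offsets, sizes and types are
 * from the dump, the OpMode bits from the display dump; the rest is assumed. */
typedef struct {
    uint8_t  version;  uint16_t length;
    uint32_t opmode;   /* bit 0 Station, bit 1 AP, bit 2 ExtensibleStation, bit 31 Monitor */
    uint32_t flags, phy_type, channel;
    int32_t  rssi;     uint8_t rate;
    uint64_t timestamp; /* FILETIME: 100 ns ticks since 1601-01-01 UTC */
} WifiMetadata;

/* 802.11 Frame Control: two wire bytes, interpreted little-endian. */
typedef struct {
    uint16_t raw;
    unsigned version, type, subtype, to_ds, from_ds, more_frag,
             retry, pwr_mgt, more_data, protected_frame, order;
} FrameControl;

#define WIFI_METADATA_LEN 32

/* Little-endian readers; the metadata header is a Windows structure. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 0 on success, -1 if the buffer is too short or Length is inconsistent.
 * Trusting Length from an untrusted .cap is how a crafted file walks a parser
 * off the end of its buffer. */
int parse_wifi_metadata(const uint8_t *buf, size_t len, WifiMetadata *m) {
    if (len < WIFI_METADATA_LEN) return -1;
    m->version   = buf[0];            m->length    = rd16(buf + 1);
    m->opmode    = rd32(buf + 3);     m->flags     = rd32(buf + 7);
    m->phy_type  = rd32(buf + 11);    m->channel   = rd32(buf + 15);
    m->rssi      = (int32_t)rd32(buf + 19);
    m->rate      = buf[23];           m->timestamp = rd64(buf + 24);
    if (m->length < WIFI_METADATA_LEN || m->length > len) return -1;
    return 0;
}

int parse_frame_control(const uint8_t *buf, size_t len, FrameControl *fc) {
    if (len < 2) return -1;
    uint16_t v = fc->raw = rd16(buf);
    fc->version = v & 3;            fc->type = (v >> 2) & 3;      fc->subtype = (v >> 4) & 0xF;
    fc->to_ds = (v >> 8) & 1;       fc->from_ds = (v >> 9) & 1;   fc->more_frag = (v >> 10) & 1;
    fc->retry = (v >> 11) & 1;      fc->pwr_mgt = (v >> 12) & 1;  fc->more_data = (v >> 13) & 1;
    fc->protected_frame = (v >> 14) & 1;  fc->order = (v >> 15) & 1;
    return 0;
}

/* Display strings in the style of the IterateFieldsWithDisplayFormat output. */
const char *opmode_string(uint32_t opmode) {
    if (opmode & (1u << 31)) return "Monitor Mode";
    if (opmode & (1u << 2))  return "Extensible Station Mode";
    if (opmode & (1u << 1))  return "AP Mode";
    return (opmode & 1u) ? "Station Mode" : "Unknown";
}
const char *type_string(unsigned type) {
    static const char *names[] = { "Management", "Control", "Data", "Reserved" };
    return names[type & 3];
}
const char *ds_string(const FrameControl *fc) {
    static const char *names[] = { "STA to STA", "STA to DS via AP", "DS to STA via AP", "DS to DS" };
    return names[(fc->from_ds << 1) | fc->to_ds];
}

/* NetMon's dotted bit display: bit 15 leftmost, bit 0 rightmost; the field's
 * own bits print as 0/1, every other position as '.'. */
void bits_display(uint16_t v, unsigned lo, unsigned width, char out[17]) {
    for (unsigned bit = 0; bit < 16; bit++)
        out[15 - bit] = (bit >= lo && bit < lo + width) ? (char)('0' + ((v >> bit) & 1)) : '.';
    out[16] = '\0';
}

/* Constructed sample: 32-byte metadata header, then the start of an 802.11 data
 * frame (FrameControl bytes 08 01 = Data, ToDS; Duration 0; rest omitted). */
static const uint8_t SAMPLE_FRAME[] = {
    0x02, 0x20, 0x00,                                /* Version 2, Length 32 */
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,  /* OpMode bit 2, Flags 0xFFFFFFFF */
    0x04, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,  /* PhyType 4 (arbitrary), Channel 6 */
    0xCE, 0xFF, 0xFF, 0xFF, 0x6C,                    /* lRSSI -50, Rate 108 */
    0x78, 0x56, 0x34, 0x12, 0x1A, 0x20, 0xCA, 0x01,  /* TimeStamp (arbitrary FILETIME) */
    0x08, 0x01, 0x00, 0x00                           /* 802.11: FrameControl, Duration */
};

/* Walk the sample as the NPL parser does: metadata first, then the 802.11
 * header at offset metadata.length. Returns 0 on success. */
int decode_sample(WifiMetadata *m, FrameControl *fc) {
    size_t len = sizeof SAMPLE_FRAME;
    if (parse_wifi_metadata(SAMPLE_FRAME, len, m) != 0) return -1;
    return parse_frame_control(SAMPLE_FRAME + m->length, len - m->length, fc);
}

int main(void) {
    WifiMetadata m; FrameControl fc; char bits[17];
    if (decode_sample(&m, &fc) != 0) { puts("malformed frame"); return 1; }
    bits_display(fc.raw, 8, 2, bits);
    printf("OpMode: %s  Flags: 0x%08X\nFrameControl: Type %s, DS: (%s) %s\n",
           opmode_string(m.opmode), (unsigned)m.flags, type_string(fc.type), bits, ds_string(&fc));
    return 0;
}
```

The length check is the part to keep when adapting this to real captures: the NPL parser in Netmon is doing the equivalent bounds work for you, and a hand-rolled decoder that skips it will read past the frame on the first malformed file it meets.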

GetFrameComments 100secwithComments.cap
Frame 1 Comment Info:
  TitleByteLength: 34, Title: Test Comment 001
  DescriptionByteLength: 137, Description: {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 MS Shell D
\viewkind4\uc1\pard\f0\fs17 testing...\par
}

Frame 2 has no comment info
Frame 3 has no comment info
Frame 4 has no comment info
Frame 5 has no comment info....

