Writing a custom parser for reassembled packets

Oct 4, 2009 at 1:04 AM

Hi dev team,

Thanks for your effort in developing such a useful tool.  A customizable network sniffer has been long due.  I was trying to develop a parser for MAPI. I understand the protocol well by now. But I'm unsure about the way I can use the protocol definitions in developing a parser for netmon. I have a couple of silly newbie questions:

1] I have seen in the netmon tool that the MSRPC fragments only get reassembled after you explicitly click the reassemble button.  I'm failing to understand how, in this scenario, we can define parsing code using NPL.  Unless explicitly reassembled, we will never have the full data blob for the EMSMDB layer to parse? Is there any way to indicate to netmon to begin parsing EMSMDB only after MSRPC packets have been reassembled?

2] How do I force MSRPC to reassemble fragments on the fly? Is it possible to do it?

Thanks,

JD

Oct 5, 2009 at 8:32 PM

Thanks for your interest in writing NPL parsers.  For your question 1, you do not need to handle the reassembly logic in the EMSMDB layer.  It is handled by MSRPC.npl (PayloadStart() triggers the reassembly).  But as you mentioned, there is no way to automatically reassemble the fragments; you have to click on the 'Reassemble' button (this also addresses your 2nd question).  Once you have done this step, the engine will reassemble all the fragments according to the 'payloadstart' logic in the parsers.  You can use the filter 'payloadHeader' to find those reassembled frames. From there, you should be able to get the complete EMSMDB frames.

Also, we don't have a parser written in such a way that it is only parsed once it has been reassembled.  It is doable; however, we don't understand your intention.  For EMSMDB, is it ALWAYS fragmented at the MSRPC level? Otherwise, it will be quite complex to handle both fragmented and non-fragmented scenarios.
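To illustrate the reassembly step the reply describes (the MSRPC layer collects fragments by call_id between the FIRST_FRAG and LAST_FRAG flags, and only the complete stub is handed to the upper-layer parser), here is an added Python example that is not part of Network Monitor or the MSRPC.npl parser. It assumes connection-oriented MSRPC v5 request PDUs with little-endian data representation and no authentication trailer; the sample PDUs are constructed inline, and it handles both the fragmented and the single-PDU case that the reply says an EMSMDB parser would otherwise have to distinguish itself.

```python
import struct
from collections import defaultdict

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0
# Common CO header: vers, vers_minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBBIHHI")
# Request-specific header: alloc_hint, p_cont_id, opnum (stub data follows)
REQ = struct.Struct("<IHH")


def build_request(call_id, opnum, stub, flags):
    """Build one constructed MSRPC request PDU (little-endian drep, no auth trailer)."""
    body = REQ.pack(len(stub), 0, opnum) + stub
    return HDR.pack(5, 0, PTYPE_REQUEST, flags, 0x10, HDR.size + len(body), 0, call_id) + body


class MsrpcReassembler:
    """Accumulates request fragments per call_id; returns the full stub on the last one."""

    def __init__(self):
        self.pending = defaultdict(bytearray)

    def feed(self, pdu):
        vers, _, ptype, flags, _drep, frag_len, auth_len, call_id = HDR.unpack_from(pdu)
        if vers != 5 or ptype != PTYPE_REQUEST or len(pdu) < frag_len:
            raise ValueError("not a complete v5 MSRPC request PDU")
        if auth_len:
            raise ValueError("auth trailers are out of scope for this example")
        stub = pdu[HDR.size + REQ.size:frag_len]
        if flags & PFC_FIRST_FRAG:
            self.pending[call_id] = bytearray()  # first fragment discards any stale state
        elif call_id not in self.pending:
            return None  # middle/last fragment with no first: drop instead of parsing garbage
        self.pending[call_id] += stub
        if flags & PFC_LAST_FRAG:
            return bytes(self.pending.pop(call_id))  # complete blob for the upper layer
        return None


def reassemble_stream(pdus):
    """Yield only complete stub payloads, i.e. what an EMSMDB-style parser should receive."""
    r = MsrpcReassembler()
    return [blob for blob in map(r.feed, pdus) if blob is not None]
```

A single PDU carrying both flags passes straight through, so the upper-layer parser never needs to know whether fragmentation happened.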