TCP parser

Oct 14, 2009 at 7:54 PM

Hello,

I just discoverd Network monitor after not being able to run WireShark in Window 7 and seeing a video on channel 9.

I love the idea of being able to add parsers without haveing to have a linux build environment. Anyway I started building a parser for the protocol I want by following the example. But I got stuck at the Registerxxx part. I would like to add a parser that knows how to parse data from a TCP connection to or from port 5300.

I tried 

[ RegisterBefore (TCP.SIP, MP, 5300) ]

but I got: Incomplete or unrecognized variable name 'TCP'.

What do I need to do to register my protocol?

Thank you,

 

Henk van der Meer

Oct 15, 2009 at 2:41 AM

Hi Henk,

Please try the following statement instead since the "SIP" field is declared inside TCPPayload struct:

[ RegisterBefore (TCPPayload.SIP, MP, 5300) ]

If the compiler could report an error message similar to "Unrecognized variable name 'SIP'", then I'm sure you can find the solution yourself. Unfortunately the error message is not accurate.

I will open a bug against the compiler internally to request more accurate error message. Thank you for reporting this issue.

Thanks,

Luther

Oct 15, 2009 at 6:01 AM

Hi Luther,

Thank you for replying.

I tried [ RegisterBefore (TCPPayload.SIP, MP, 5300) ], that didn't work. Then I tried [ RegisterBefore (TCP.TCPPayload.SIP, MP, 5300) ] that did work. So now I am one step further.

But because I don't really understand why it works I don't understand why it only works for part of the frames. When I look at the captured frames of one conversation then not all of them get recognized. The frames are part of one conversation so they all have the right source or destination port but only roughly half of them get recognized as being part of the MP protocol.

If it helps, there is a pattern:

TCP, MP, TCP, MP, TCP, MP, MP, TCP, MP, TCP, MP, TCP, MP, MP,

I you could help please,

 

Henk van der Meer

Oct 15, 2009 at 9:36 AM

Hi Henk,

The issue you have now is not related to the selfregistering. You have registered your own protocol successfully.

I think the ones displayed as TCP are continuation frames (It should have [Continuation to #x] displayed in summary). Could you try to press the "reassemble" button? If new frames (PayloadHeader) are generated but not get parsed correctly, you may need to add an entry in payload.npl (One line of code - case "YourProtocol": YourProtocol YourProtocol; should make it work). For more information, please refer to the discussion of "reassembly" in netmon help.

Thanks,

Luther