Network Monitor 3.4.2350 (dated 24 June 2010)
the open-source parser package, version 3.4.2774.0001 (dated 19 Dec 2011)
This combination seems to incompletely parse the "RDPEFS:RDPDrDeviceIOCompletion" message. This same incomplete parsing occurs in all of the ":RDPDrDeviceIOCompletion" messages that I looked at using NetMon.
Here are the details with regard to parsing in the bowels of the Remote Desktop Protocol...
Section 126.96.36.199.5 (titled "Device Control Response (DR_CONTROL_RSP)") of the Microsoft document
"[MS-RDPEFS]: Remote Desktop Protocol: File System Virtual Channel Extension" (at
) shows a "DeviceIoReply" field that NetMon successfully parses.
However, NetMon seems to ignore the following two fields, namely, "OutputBufferLength" and "OutputBuffer (variable)". The attached ".cap" file is a single network packet. The RDP data is not compressed. It contains the above two fields, but NetMon doesn't parse them. It quits parsing after the "IoStatus" field.
The content that is in the "OutputBuffer (variable)" field in the attached file is the "EstablishContext_Return" structure found in section 188.8.131.52 of the [MS-RDPESC]: Remote Desktop Protocol: Smart Card Virtual Channel Extension document
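
The following is an added example, not part of the original post and not code from the NetMon parser package: a minimal Python decoder for the DR_CONTROL_RSP layout described above, which continues past "IoStatus" into "OutputBufferLength" and "OutputBuffer" and checks the declared length against the bytes actually present. It assumes the standard little-endian RDPDR header (Component 0x4472, PacketId 0x4943) and that the caller has already matched the completion to a device-control request; the sample bytes are constructed, and the OutputBuffer is returned as opaque bytes rather than decoded as a smart card structure.

```python
import struct

RDPDR_CTYP_CORE = 0x4472                 # RDPDR_HEADER.Component
PAKID_CORE_DEVICE_IOCOMPLETION = 0x4943  # RDPDR_HEADER.PacketId

# DeviceIoReply: Component, PacketId, DeviceId, CompletionId, IoStatus
IO_REPLY = struct.Struct("<HHIII")
LENGTH = struct.Struct("<I")             # OutputBufferLength


class ParseError(ValueError):
    """Raised when the PDU is truncated or its length field is inconsistent."""


def parse_dr_control_rsp(pdu: bytes) -> dict:
    if len(pdu) < IO_REPLY.size:
        raise ParseError("truncated DeviceIoReply header")
    component, packet_id, device_id, completion_id, io_status = IO_REPLY.unpack_from(pdu, 0)
    if (component, packet_id) != (RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOCOMPLETION):
        raise ParseError("not a device I/O completion PDU")
    offset = IO_REPLY.size
    if len(pdu) - offset < LENGTH.size:
        raise ParseError("OutputBufferLength missing")
    (out_len,) = LENGTH.unpack_from(pdu, offset)
    offset += LENGTH.size
    # Never trust the declared length: it must fit in the bytes that remain.
    if out_len > len(pdu) - offset:
        raise ParseError("OutputBufferLength exceeds remaining data")
    return {
        "DeviceId": device_id,
        "CompletionId": completion_id,
        "IoStatus": io_status,
        "OutputBufferLength": out_len,
        "OutputBuffer": pdu[offset:offset + out_len],
        "TrailingBytes": len(pdu) - offset - out_len,
    }


def build_sample() -> bytes:
    # Constructed sample: DeviceId 1, CompletionId 7, IoStatus 0, 8-byte buffer.
    payload = bytes(range(8))
    header = IO_REPLY.pack(RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOCOMPLETION, 1, 7, 0)
    return header + LENGTH.pack(len(payload)) + payload


if __name__ == "__main__":
    print(parse_dr_control_rsp(build_sample()))
```
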