Closed

NetMon incompletely parses the RDPESC content of a RDPEFS packet

description

I'm using:
 
Network Monitor 3.4.2350 (dated 24 June 2010)
the open-source parser package, version 3.4.2774.0001 (dated 19 Dec 2011)
 
This combination seems to incompletely parse the "RDPEFS:RDPDrDeviceIOCompletion" message. This same incomplete parsing occurs in all of the ":RDPDrDeviceIOCompletion" messages that I looked at using NetMon.
 
Here are the details with regard to parsing in the bowels of the Remote Desktop Protocol...
 
Section 2.2.1.5.5 (titled "Device Control Response (DR_CONTROL_RSP)") of the Microsoft document
"[MS-RDPEFS]: Remote Desktop Protocol: File System Virtual Channel Extension" (at http://msdn.microsoft.com/en-us/library/cc241305(v=prot.10).aspx) shows a "DeviceIoReply" field that NetMon successfully parses.
 
However, NetMon seems to ignore the following two fields, namely, "OutputBufferLength" and "OutputBuffer (variable)". The attached ".cap" file is a single network packet. The RDP data is not compressed. It contains the above two fields, but NetMon doesn't parse them. It quits parsing after the "IoStatus" field.
 
The content that is in the "OutputBuffer (variable)" field in the attached file is the "EstablishContext_Return" structure found in section 2.2.3.2 of the [MS-RDPESC]: Remote Desktop Protocol: Smart Card Virtual Channel Extension document (at http://msdn.microsoft.com/en-us/library/cc242596%28v=prot.10%29.aspx).
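The layout the report describes, as an added example that is not NetMon code and not part of the nmparsers package: a small Python parser for a DR_CONTROL_RSP that decodes the DR_DEVICE_IOCOMPLETION header NetMon already showed, then the OutputBufferLength and OutputBuffer fields it skipped, and finally the leading fields of the EstablishContext_Return carried in that buffer. The RDPDR constants come from [MS-RDPEFS] 2.2.1.1; the assumption that OutputBuffer is NDR type serialization version 1 (an 8-byte common type header and an 8-byte private header in front of the structure) comes from [MS-RDPESC] 2.2 and [MS-RPCE] 2.2.6. The sample bytes are constructed here, not taken from the reporter's .cap files, and `TruncatedPacket` is a name chosen for this example. The parser refuses to report fields that a short capture cannot actually contain, which is the "incomplete data" situation a length-prefixed buffer can hide.

```python
import struct

# Constants from [MS-RDPEFS] 2.2.1.1 (RDPDR_HEADER): Component "rD", PacketId "CI".
RDPDR_CTYP_CORE = 0x4472
PAKID_CORE_DEVICE_IOCOMPLETION = 0x4943

# DR_DEVICE_IOCOMPLETION is 16 bytes: Header(4) + DeviceId(4) + CompletionId(4) + IoStatus(4).
IOCOMPLETION_LEN = 16


class TruncatedPacket(ValueError):
    """A length field promises more bytes than the packet actually carries."""


def parse_control_rsp(data):
    """Parse a DR_CONTROL_RSP ([MS-RDPEFS] 2.2.1.5.5): the DR_DEVICE_IOCOMPLETION
    header plus the OutputBufferLength/OutputBuffer tail that follows IoStatus.
    The caller must already know, from the CompletionId of the matching request,
    that this completion answers an IRP_MJ_DEVICE_CONTROL; that is what makes the
    tail a DR_CONTROL_RSP rather than another completion type.
    """
    if len(data) < IOCOMPLETION_LEN:
        raise TruncatedPacket("need %d bytes for DR_DEVICE_IOCOMPLETION, have %d"
                              % (IOCOMPLETION_LEN, len(data)))
    component, packet_id, device_id, completion_id, io_status = struct.unpack_from("<HHIII", data, 0)
    if component != RDPDR_CTYP_CORE or packet_id != PAKID_CORE_DEVICE_IOCOMPLETION:
        raise ValueError("not a DR_DEVICE_IOCOMPLETION: Component=0x%04x PacketId=0x%04x"
                         % (component, packet_id))
    off = IOCOMPLETION_LEN
    if len(data) < off + 4:
        raise TruncatedPacket("packet ends before OutputBufferLength")
    (out_len,) = struct.unpack_from("<I", data, off)
    off += 4
    out_buf = data[off:off + out_len]
    if len(out_buf) != out_len:
        # The capture stops inside OutputBuffer: report it instead of decoding garbage.
        raise TruncatedPacket("OutputBufferLength=%d but only %d bytes follow" % (out_len, len(out_buf)))
    return {
        "DeviceId": device_id,
        "CompletionId": completion_id,
        "IoStatus": io_status,
        "OutputBufferLength": out_len,
        "OutputBuffer": out_buf,
        "Trailing": data[off + out_len:],  # bytes after OutputBuffer (padding), if any
    }


def parse_establish_context_return(out_buf):
    """Decode the leading fields of EstablishContext_Return ([MS-RDPESC] 2.2.3.2).
    Assumption: per [MS-RDPESC] 2.2 the buffer is NDR type serialization version 1
    ([MS-RPCE] 2.2.6), so an 8-byte common type header and an 8-byte private header
    precede the structure. Only the fixed part is decoded; the bytes that pbContext
    points at are deferred NDR data and are returned raw.
    """
    if len(out_buf) < 16 + 12:
        raise TruncatedPacket("OutputBuffer too short for EstablishContext_Return")
    version, endianness, common_len = struct.unpack_from("<BBH", out_buf, 0)
    if version != 1 or common_len != 8:
        raise ValueError("unexpected RPC common type header")
    if endianness != 0x10:
        raise ValueError("big-endian NDR not handled in this example")
    (object_len,) = struct.unpack_from("<I", out_buf, 8)
    if object_len > len(out_buf) - 16:
        raise TruncatedPacket("private header ObjectBufferLength exceeds buffer")
    return_code, cb_context, pb_context_ref = struct.unpack_from("<iII", out_buf, 16)
    return {
        "ReturnCode": return_code,
        "cbContext": cb_context,
        "pbContextReferent": pb_context_ref,
        "Deferred": out_buf[28:16 + object_len],  # conformant array: count + context bytes
    }


def build_sample_control_rsp():
    """Constructed sample (not bytes from the reporter's .cap): a successful
    SCARD_IOCTL_ESTABLISHCONTEXT completion carrying a 4-byte context handle."""
    context = b"\x01\x02\x03\x04"
    body = struct.pack("<iII", 0, len(context), 0x00020000)  # ReturnCode, cbContext, pbContext referent
    body += struct.pack("<I", len(context)) + context          # deferred conformant array
    ndr = struct.pack("<BBHI", 1, 0x10, 8, 0xCCCCCCCC)        # common type header
    ndr += struct.pack("<II", len(body), 0)                    # private header
    out_buf = ndr + body
    hdr = struct.pack("<HHIII", RDPDR_CTYP_CORE, PAKID_CORE_DEVICE_IOCOMPLETION, 1, 3, 0)
    return hdr + struct.pack("<I", len(out_buf)) + out_buf


SAMPLE = build_sample_control_rsp()


def is_complete(data):
    """True only if every length field in the packet is satisfied by the bytes present."""
    try:
        parse_establish_context_return(parse_control_rsp(data)["OutputBuffer"])
        return True
    except TruncatedPacket:
        return False


if __name__ == "__main__":
    rsp = parse_control_rsp(SAMPLE)
    print({k: v for k, v in rsp.items() if k != "OutputBuffer"})
    print(parse_establish_context_return(rsp["OutputBuffer"]))
    print("truncated capture complete?", is_complete(SAMPLE[:-3]))
```

Run it stand-alone to see the decoded fields for the constructed packet, then feed it the bytes of a real RDPDR payload (after the virtual-channel and RDP layers have been stripped) to check whether a capture that "stops after IoStatus" is really a parser gap or a short packet; `is_complete` answers exactly that question.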

Closed Sep 29, 2012 at 4:10 AM by rachelhu

comments

SteveRoss wrote Apr 2, 2012 at 5:15 PM

I've attached a screen shot of what I see in NetMon for the packet in question. Note that the "Hex Details" window shows bytes after the "IOStatus" field, but NetMon does no further parsing after the "IOStatus" field.

SteveRoss wrote Apr 3, 2012 at 4:59 PM

The attached file named "120330-bug-not-parsing-completely2.cap" has two packets. The first packet is the SCARD_IOCTL_ESTABLISHCONTEXT call from the Terminal Services server to the "mstsc.exe" client. The second packet is the RDPDrDeviceIOCompletion in the opposite direction. (This second packet is the same as is in the file "120330-bug-not-parsing-completely1.cap" that I attached earlier.)

SteveRoss wrote Apr 4, 2012 at 8:05 PM

The attached file named "120330-bug-not-parsing-completely4.cap" has four packets. The third packet is the SCARD_IOCTL_ESTABLISHCONTEXT call from the Terminal Services server to the "mstsc.exe" client. The fourth packet is the RDPDrDeviceIOCompletion in the opposite direction. NetMon correctly parses the third and fourth packets (though I think the fourth is incompletely parsed).

PaulLong wrote Apr 6, 2012 at 3:49 PM

BTW, I verified we are missing NPL code for sections 2.2.1.5.1-2.2.1.5.5 from http://msdn.microsoft.com/en-us/library/cc241334(v=prot.10).aspx.

LindaLu wrote Sep 29, 2012 at 3:33 AM

Thanks for reporting this bug to us, which has been fixed. The change ID is 76668 and the bug fix has been included in the latest release build 03.04.2890.0001. If you have any question, please contact us. Thanks.

SteveRoss wrote Oct 1, 2012 at 5:54 PM

Linda,

Thanks for working on this issue. From where should I download the "Latest release build 03.04.2890.0001"? The parser version on the "Downloads" page (http://nmparsers.codeplex.com/releases/view/79102) is still at 3.4.2774.

Thanks,
-- Steve Ross

LindaLu wrote Oct 8, 2012 at 3:07 AM

You can get the Latest release build 03.04.2890.0001 from the "Downloads" page (https://connect.microsoft.com/site216/Downloads/).
PS: 120330-bug-not-parsing-completely1.cap and 120330-bug-not-parsing-completely2.cap contain incomplete data; they will not be parsed successfully.

Best Regards,
Linda

SteveRoss wrote Oct 9, 2012 at 4:09 PM

Linda,

Thank you. I've made some use of the new parser and it seems to work well.

-- Steve Ross
