Wireshark-bugs: [Wireshark-bugs] [Bug 10556] Wireshark can't open netmon files from Microsoft Me
Date: Fri, 10 Oct 2014 16:48:09 +0000

Comment # 5 on bug 10556 from
Ok, I already got an answer from the Message Analyzer developers [1]. They state it
was maybe a mistake to use type 134 for their "virtual" frame and they request
feedback to choose a better id, if needed. You may want to reply to them there?

Also they point out how to find the specification of the frame type that could
probably be called "WFPCapture". Without installing Message Analyzer, you
can just download MessageAnalyzer64.msi from [2]. Afterwards you can also uncompress the
plain text parser on Linux with 7-zip on the command line:

---------------------------------
$ 7z e MessageAnalyzer64.msi _7bb0731df3dd39478605b2d018601589
$ mv _7bb0731df3dd39478605b2d018601589 WFPCapture.opn
---------------------------------

The description language used is understandable, but not completely trivial, for
example:

---------------------------------
endpoint WFPFrame[binary Address]
    accepts MessageV4
    accepts MessageV6
    accepts Message2V4
    accepts Message2V6
    accepts AuthMessageV4
    accepts AuthMessageV6
    accepts DriverInfo
    accepts CalloutInfo
    accepts CalloutNotifyInfo
    accepts DriverError
    accepts CalloutError
    accepts Discard;

message MessageV4
{
    IPv4Address   SourceAddress with Visualization{AliasName = "Address"};
    IPv4Address   DestinationAddress with Visualization{AliasName = "Address"};
    byte   Protocol;
    short  PayloadLength;
    binary Payload;

[...]
---------------------------------

And the Payload of MessageV4 can be effectively the "header" of an IPv4 packet
as defined in Network Monitor 3.4 format.

[1]
https://social.technet.microsoft.com/Forums/en-US/e806a807-ccf2-43f4-9bac-0a2006d75c74/linklayer-frames-format-in-microsoftpefwpfmessageprovider-dumps?forum=messageanalyzer
[2]
http://download.microsoft.com/download/2/8/3/283DE38A-5164-49DB-9883-9D1CC432174D/MessageAnalyzer64.msi
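As an added example (not part of this bug comment, of Wireshark, or of Microsoft's WFPCapture.opn), the snippet below decodes a MessageV4 record with the field layout quoted above and then checks that its Payload really starts with an IPv4 header, comparing the outer addresses and protocol with the inner ones. Assumptions made here: the fields appear in exactly the quoted order with nothing in front of them, IPv4Address is four raw bytes, and the `short` PayloadLength is a 2-byte little-endian unsigned value (the OPN fragment does not state the byte order). The sample bytes are constructed in the code, not taken from a real capture.

```python
import ipaddress
import struct

# Fixed-size prefix of MessageV4: IPv4Address (4) + IPv4Address (4) + byte (1) + short (2).
# Little-endian 'short' is an assumption; the quoted OPN does not say.
MSG_V4_HEADER = struct.Struct("<4s4sBH")
# Fixed 20-byte IPv4 header, network byte order (this part is standard IPv4).
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def build_message_v4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Serialise one MessageV4; used here only to construct sample input."""
    return MSG_V4_HEADER.pack(ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed,
                              protocol, len(payload)) + payload


def parse_message_v4(buf: bytes) -> dict:
    """Decode the MessageV4 fields; never read past the buffer on a bad PayloadLength."""
    if len(buf) < MSG_V4_HEADER.size:
        raise ValueError("buffer too short for MessageV4 fixed fields")
    src, dst, protocol, payload_len = MSG_V4_HEADER.unpack_from(buf, 0)
    payload = buf[MSG_V4_HEADER.size:MSG_V4_HEADER.size + payload_len]
    if len(payload) != payload_len:
        available = len(buf) - MSG_V4_HEADER.size
        raise ValueError(f"PayloadLength {payload_len} exceeds the {available} bytes available")
    return {
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "protocol": protocol,
        "payload_length": payload_len,
        "payload": payload,
    }


def parse_ipv4_header(payload: bytes) -> dict:
    """Decode the IPv4 header that the comment says begins the Payload."""
    if len(payload) < IPV4_HEADER.size:
        raise ValueError("payload too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = IPV4_HEADER.unpack_from(payload, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError(f"not IPv4: version field is {ver_ihl >> 4}")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < IPV4_HEADER.size or header_len > len(payload):
        raise ValueError(f"IHL gives a {header_len}-byte header, outside the payload")
    return {
        "header_length": header_len,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": protocol,
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
    }


def outer_inner_mismatches(msg: dict, ip: dict) -> list:
    """Names of fields where the WFP frame and the IPv4 header it carries disagree."""
    return [name for name in ("source", "destination", "protocol") if msg[name] != ip[name]]


# Constructed sample: a 20-byte IPv4 header (TCP, 10.0.0.1 -> 10.0.0.2) followed
# by 8 bytes of dummy transport data so the total length field (28) is consistent.
SAMPLE_IPV4 = IPV4_HEADER.pack(0x45, 0, 28, 0x1234, 0x4000, 64, 6, 0,
                               ipaddress.IPv4Address("10.0.0.1").packed,
                               ipaddress.IPv4Address("10.0.0.2").packed) + bytes(8)
SAMPLE_MESSAGE = build_message_v4("10.0.0.1", "10.0.0.2", 6, SAMPLE_IPV4)
# Same payload, but the outer Protocol byte claims UDP (17): the check should flag it.
SAMPLE_MISMATCHED = build_message_v4("10.0.0.1", "10.0.0.2", 17, SAMPLE_IPV4)


def decode_and_check(buf: bytes) -> dict:
    """Full pipeline on one MessageV4 buffer: outer fields, inner IPv4 header, mismatches."""
    msg = parse_message_v4(buf)
    ip = parse_ipv4_header(msg["payload"])
    return {"message": msg, "ipv4": ip, "mismatches": outer_inner_mismatches(msg, ip)}


if __name__ == "__main__":
    result = decode_and_check(SAMPLE_MESSAGE)
    print(result["message"]["source"], "->", result["message"]["destination"],
          "proto", result["message"]["protocol"], "mismatches:", result["mismatches"])
```

The two length checks are the part a dissector author should keep: PayloadLength and IHL both come from the file, so a malformed or hostile capture can claim more bytes than are present, and the decoder must bound both against the actual buffer instead of trusting them.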

