Wireshark-bugs: [Wireshark-bugs] [Bug 10556] Wireshark can't open netmon files from Microsoft Me
Comment #5 on bug 10556 from Francesco Pretto
Ok, I already got an answer from the Message Analyzer developers [1]. They state it
was maybe a mistake to use type 134 for their "virtual" frame, and they request
feedback to choose a better id, if needed. You may want to reply to them there?
Also they point out how to find the specification of the frame type, which could
probably be called "WFPCapture". Without installing Message Analyzer, you
can just download MessageAnalyzer64.msi from [2]. Afterwards you can extract the
plain-text parser, also on Linux, with 7-zip on the command line:
---------------------------------
$ 7z e MessageAnalyzer64.msi _7bb0731df3dd39478605b2d018601589
$ mv _7bb0731df3dd39478605b2d018601589 WFPCapture.opn
---------------------------------
The description language used is understandable, but not completely trivial, for
example:
---------------------------------
endpoint WFPFrame[binary Address]
    accepts MessageV4
    accepts MessageV6
    accepts Message2V4
    accepts Message2V6
    accepts AuthMessageV4
    accepts AuthMessageV6
    accepts DriverInfo
    accepts CalloutInfo
    accepts CalloutNotifyInfo
    accepts DriverError
    accepts CalloutError
    accepts Discard;

message MessageV4
{
    IPv4Address SourceAddress with Visualization{AliasName = "Address"};
    IPv4Address DestinationAddress with Visualization{AliasName = "Address"};
    byte Protocol;
    short PayloadLength;
    binary Payload;
    [...]
---------------------------------
And the Payload of MessageV4 can effectively be the "header" of an IPv4 packet
as defined in the Network Monitor 3.4 format.
[1] https://social.technet.microsoft.com/Forums/en-US/e806a807-ccf2-43f4-9bac-0a2006d75c74/linklayer-frames-format-in-microsoftpefwpfmessageprovider-dumps?forum=messageanalyzer
[2] http://download.microsoft.com/download/2/8/3/283DE38A-5164-49DB-9883-9D1CC432174D/MessageAnalyzer64.msi
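As an added illustration (not part of the comment above, nor Wireshark or Message Analyzer code), here is a small parser for the MessageV4 layout quoted from WFPCapture.opn, with a cross-check of the outer fields against the IPv4 header carried in Payload. It assumes big-endian integers and a 20-byte-minimum IPv4 header in Payload; the .opn excerpt does not state the byte order.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Layout from the WFPCapture.opn fragment quoted above:
#   IPv4Address SourceAddress; IPv4Address DestinationAddress;
#   byte Protocol; short PayloadLength; binary Payload;
# Assumption (not stated in the excerpt): integers are big-endian.
HDR = struct.Struct(">4s4sBH")


@dataclass
class MessageV4:
    src: str
    dst: str
    protocol: int
    payload: bytes


def parse_message_v4(buf: bytes) -> MessageV4:
    """Parse one MessageV4 record; reject short or truncated input."""
    if len(buf) < HDR.size:
        raise ValueError("short MessageV4 header")
    src, dst, proto, plen = HDR.unpack_from(buf)
    payload = buf[HDR.size:HDR.size + plen]
    if len(payload) != plen:
        raise ValueError(f"PayloadLength {plen} exceeds {len(payload)} remaining bytes")
    return MessageV4(str(ipaddress.IPv4Address(src)),
                     str(ipaddress.IPv4Address(dst)), proto, payload)


def ipv4_header_consistent(msg: MessageV4) -> bool:
    """True if Payload starts with an IPv4 header whose proto/src/dst match the outer fields."""
    p = msg.payload
    if len(p) < 20 or p[0] >> 4 != 4:
        return False
    ihl = (p[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(p):
        return False
    inner = (p[9], str(ipaddress.IPv4Address(p[12:16])), str(ipaddress.IPv4Address(p[16:20])))
    return inner == (msg.protocol, msg.src, msg.dst)


# Constructed sample: minimal IPv4 header (protocol 17/UDP, total length 28)
# followed by 8 zero bytes, wrapped in a MessageV4 record.
SAMPLE_IPV4 = (bytes([0x45, 0x00, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00])
               + bytes([192, 168, 1, 10]) + bytes([10, 0, 0, 1]) + bytes(8))
SAMPLE_RECORD = HDR.pack(bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]), 17,
                         len(SAMPLE_IPV4)) + SAMPLE_IPV4
```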