
Commit 442005d

SQLNA updates
Read WireShark loopback packets
1 parent 0f77142 commit 442005d


7 files changed

+37
-4
lines changed

2 KB
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.

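--- a/SQL_Network_Analyzer/SQLNA/ETLFileReader.cs
+++ b/SQL_Network_Analyzer/SQLNA/ETLFileReader.cs
@@ -176,7 +176,7 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
 f.frameNumber = m_eventCount;
 
 // debug code
-//if (m_eventCount == 368198)
+//if (m_eventCount > 94)
 //{
 // Console.WriteLine();
 //}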

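--- a/SQL_Network_Analyzer/SQLNA/Parser.cs
+++ b/SQL_Network_Analyzer/SQLNA/Parser.cs
@@ -266,7 +266,19 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
 {
 switch (frame.linkType)
 {
-case 0: // unknown - default to ethernet
+case 0: // NULL/Loopback frame in WireShark, Ethernet in NETMON
+// Unanswered question: if WireShark is saved as .cap, does it change the link value? NETMON won't read the NULL link layer when reading PCAP
+{
+if (rb is PcapNGReader || rb is SimplePCAPReader)
+{
+ParseNullLoopbackFrame(frame.data, 0, t, f);
+}
+else // ETLReader or NetMonReader
+{
+ParseEthernetFrame(frame.data, 0, t, f);
+}
+break;
+}
 case 1: // Ethernet
 {
 ParseEthernetFrame(frame.data, 0, t, f);
@@ -356,6 +368,7 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
 //
 // .ETL NDIS Net Event -> Ethernet/Wifi
 // Link Type: NDIS Net Event (.CAP) -> Ethernet/Wifi
+// Link Type: Null/Loopback -> IPV4/IPV6
 // Link Type: Ethernet -> IPV4/IPV6/VNETTag
 // Link Type: Wifi/LLC/SNAP -> IPV4/IPV6/VNETTag
 // Link Type: Linux Cooked Capture -> IPV4/IPV6/VNETTag
@@ -423,6 +436,26 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
 }
 }
 
+public static void ParseNullLoopbackFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
+{
+// NULL/Loopback - first 4 bytes could be big endian or little endian depending on computer recording the trace (BSD UNIX, mainly)
+// 0x00000002 or 0x02000000 means IPV4 is the next protocol
+// 24, 28, or 30 means IPV6 is the next protocol
+// 0x00000018, 0x18000000, 0x0000001C, 0x1C000000, 0x0000001E, 0x1E000000 -> IPV6
+// ignore all others
+
+UInt32 NextProtocol = utility.ReadUInt32(b, offset);
+offset += 4;
+if (NextProtocol == 0x02000000 || NextProtocol == 0x00000002)
+{
+ParseIPV4Frame(b, offset, t, f);
+}
+else if (NextProtocol == 0x00000018 || NextProtocol == 0x18000000 || NextProtocol == 0x0000001C || NextProtocol == 0x1C000000 || NextProtocol == 0x0000001E || NextProtocol == 0x1E000000)
+{
+ParseIPV6Frame(b, offset, t, f);
+}
+}
+
 public static void ParseLinuxCookedFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
 {
 UInt16 PacketType = 0; // we just want 0=Incoming and 4=Outgoing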
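Review bot: In the third hunk, the new `ParseNullLoopbackFrame` reads the 4-byte link header with `utility.ReadUInt32(b, offset)` without first checking that the frame holds at least four bytes past `offset`, and capture files are untrusted input. Whether `ReadUInt32` or the caller in `ParseOneFile` copes with a short buffer is not visible on this page, so a truncated or malformed loopback record may abort parsing of the whole trace instead of skipping one frame. I would add a guard as the first statement, `if (b == null || b.Length - offset < 4) return;`, which matches the function's existing "ignore all others" behaviour. The first hunk's `case 0` now picks the parser from the reader type alone, so the "Unanswered question" comment about .cap files is worth resolving with a sample capture before relying on that dispatch.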

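--- a/SQL_Network_Analyzer/SQLNA/Properties/AssemblyInfo.cs
+++ b/SQL_Network_Analyzer/SQLNA/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.5.2118.0")]
-[assembly: AssemblyFileVersion("1.5.2118.0")]
+[assembly: AssemblyVersion("1.5.2129.0")]
+[assembly: AssemblyFileVersion("1.5.2129.0")]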
