microsoft
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo‎
2 KB b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo‎
2 KB
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/SQLNA/ETLFileReader.cs‎
Lines changed: 1 addition & 1 deletion b/‎SQL_Network_Analyzer/SQLNA/ETLFileReader.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SQL_Network_Analyzer/SQLNA/Parser.cs‎
Lines changed: 34 additions & 1 deletion b/‎SQL_Network_Analyzer/SQLNA/Parser.cs‎
Lines changed: 34 additions & 1 deletion
diff --git a/‎SQL_Network_Analyzer/SQLNA/Properties/AssemblyInfo.cs‎
Lines changed: 2 additions & 2 deletions b/‎SQL_Network_Analyzer/SQLNA/Properties/AssemblyInfo.cs‎
Lines changed: 2 additions & 2 deletions
@@ -176,7 +176,7 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                 f.frameNumber = m_eventCount;
 
                 // debug code
-                //if (m_eventCount == 368198)
+                //if (m_eventCount > 94)
                 //{
                 //    Console.WriteLine();
                 //}
 
@@ -266,7 +266,19 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
                         {
                             switch (frame.linkType)
                             {
-                                case 0:  // unknown - default to ethernet
+                                case 0:  // NULL/Loopback frame in WireShark, Ethernet in NETMON
+                                         // Unanswered question: if WireShark is saved as .cap, does it change the link value? NETMON won't read the NULL link layer when reading PCAP
+                                    {
+                                        if (rb is PcapNGReader || rb is SimplePCAPReader)
+                                        {
+                                            ParseNullLoopbackFrame(frame.data, 0, t, f);
+                                        }
+                                        else // ETLReader or NetMonReader
+                                        {
+                                            ParseEthernetFrame(frame.data, 0, t, f);
+                                        }
+                                        break;
+                                    }
                                 case 1:  // Ethernet
                                     {
                                         ParseEthernetFrame(frame.data, 0, t, f);
@@ -356,6 +368,7 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
         //
         // .ETL NDIS Net Event                 -> Ethernet/Wifi
         // Link Type: NDIS Net Event (.CAP)    -> Ethernet/Wifi
+        // Link Type: Null/Loopback            -> IPV4/IPV6
         // Link Type: Ethernet                 -> IPV4/IPV6/VNETTag
         // Link Type: Wifi/LLC/SNAP            -> IPV4/IPV6/VNETTag
         // Link Type: Linux Cooked Capture     -> IPV4/IPV6/VNETTag
@@ -423,6 +436,26 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
             }
         }
 
+        public static void ParseNullLoopbackFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
+        {
+            // NULL/Loopback - first 4 bytes could be big endian or little endian depending on computer recording the trace (BSD UNIX, mainly)
+            // 0x00000002 or 0x02000000 means IPV4 is the next protocol
+            // 24, 28, or 30 means IPV6 is the next protocol
+            // 0x00000018, 0x18000000, 0x0000001C, 0x1C000000, 0x0000001E, 0x1E000000 -> IPV6
+            // ignore all others
+
+            UInt32 NextProtocol = utility.ReadUInt32(b, offset);
+            offset += 4;
+            if (NextProtocol == 0x02000000 || NextProtocol == 0x00000002)
+            {
+                ParseIPV4Frame(b, offset, t, f);
+            }
+            else if (NextProtocol == 0x00000018 || NextProtocol == 0x18000000 || NextProtocol == 0x0000001C || NextProtocol == 0x1C000000 || NextProtocol == 0x0000001E || NextProtocol == 0x1E000000)
+            {
+                ParseIPV6Frame(b, offset, t, f);
+            }
+        }
+
         public static void ParseLinuxCookedFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
         {
             UInt16 PacketType = 0;        // we just want 0=Incoming and 4=Outgoing
 
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.5.2118.0")]
-[assembly: AssemblyFileVersion("1.5.2118.0")]
+[assembly: AssemblyVersion("1.5.2129.0")]
+[assembly: AssemblyFileVersion("1.5.2129.0")]