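/// <summary>
/// Prints a one-line header for a parsed frame (number, selection state, timestamp) and,
/// if the user answers 'y', the name and value of every field in that frame.
/// </summary>
/// <remarks>
/// Field names and display strings are written to the console exactly as the parser returns
/// them, apart from NUL removal. NOTE(review): these strings presumably originate from captured
/// traffic, so they may contain control characters; confirm whether the output needs filtering
/// before it is shown on a terminal or written to a log.
/// </remarks>
/// <param name="hParsedFrame">Parsed Frame</param>
/// <param name="frameNumber">Frame Number to Display</param>
/// <param name="command">Command Line Parameters</param>
private static void PrintParsedFrameInformation(IntPtr hParsedFrame, uint frameNumber, CommandLineArguments command)
{
    uint errno;
    uint ulFieldCount;
    string ds = "Frame #" + (frameNumber + 1);

    // Is Selected
    if (command.IsSelected(frameNumber))
    {
        ds += " (Selected)";
    }

    // Get Frame Timestamp
    ulong timestamp;
    errno = NetmonAPI.NmGetFrameTimeStamp(hParsedFrame, out timestamp);
    if (errno == ERROR_SUCCESS)
    {
        try
        {
            ds += " " + DateTime.FromFileTimeUtc((long)timestamp).ToString();
        }
        catch (ArgumentOutOfRangeException)
        {
            // FromFileTimeUtc rejects negative or too-large values; a frame carrying such a
            // timestamp should not abort the whole listing.
            ds += " Timestamp Out of Range.";
        }
    }
    else
    {
        ds += " Timestamp Couldn't be Retrieved.";
    }

    Console.WriteLine(ds);
    Console.Write("Print Frame Info? (y/n) ");
    char key = Console.ReadKey().KeyChar;
    Console.WriteLine();

    if (key == 'y' || key == 'Y')
    {
        errno = NetmonAPI.NmGetFieldCount(hParsedFrame, out ulFieldCount);
        if (errno != ERROR_SUCCESS)
        {
            // Do not trust the out value after a failed call; report and print no fields.
            Console.WriteLine("Error Retrieving Field Count, NmGetFieldCount Returned: " + errno);
            ulFieldCount = 0;
        }

        for (uint fid = 0; fid < ulFieldCount; fid++)
        {
            // Get Field Name. The length handed to the native call is the same value the
            // pinned array was allocated with, so the callee is never told the buffer is
            // larger than it is.
            char[] name = new char[BUFFER_SIZE * 2];
            unsafe
            {
                fixed (char* pstr = name)
                {
                    errno = NetmonAPI.NmGetFieldName(hParsedFrame, fid, NmParsedFieldNames.NamePath, BUFFER_SIZE * 2, pstr);
                }
            }

            if (errno == ERROR_SUCCESS)
            {
                Console.Write(new string(name).Replace("\0", string.Empty) + ": ");
            }
            else
            {
                Console.WriteLine("Error Retrieving Field, NmGetFieldName Returned: " + errno);
                continue;
            }

            // Get Field Value as displayed in Netmon UI
            name = new char[BUFFER_SIZE];
            unsafe
            {
                fixed (char* pstr = name)
                {
                    errno = NetmonAPI.NmGetFieldName(hParsedFrame, fid, NmParsedFieldNames.FieldDisplayString, BUFFER_SIZE, pstr);
                }
            }

            if (errno == ERROR_SUCCESS)
            {
                Console.WriteLine(new string(name).Replace("\0", string.Empty));
            }
            else if (errno == ERROR_NOT_FOUND)
            {
                // No display string for this field: fall back to printing the typed value.
                Program.PrintParsedFrameFieldValue(hParsedFrame, fid);
            }
            else
            {
                Console.WriteLine("Error Retrieving Value, NmGetFieldName Returned: " + errno);
            }
        }

        Console.WriteLine();
    }
}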
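/// <summary>
/// Prints out a field's value if the display string couldn't be found.
/// </summary>
/// <remarks>
/// Writes the data type name in parentheses (when the field reports one and it can be read),
/// then the value formatted according to <c>parsedField.ValueType</c>. Every native call's
/// status is checked before the buffer or number it filled is used.
/// </remarks>
/// <param name="hParsedFrame">Parsed Frame</param>
/// <param name="fieldId">Field Number to Display</param>
private static void PrintParsedFrameFieldValue(IntPtr hParsedFrame, uint fieldId)
{
    NmParsedFieldInfo parsedField = new NmParsedFieldInfo();
    parsedField.Size = (ushort)System.Runtime.InteropServices.Marshal.SizeOf(parsedField);

    uint errno = NetmonAPI.NmGetParsedFieldInfo(hParsedFrame, fieldId, parsedField.Size, ref parsedField);
    if (errno != ERROR_SUCCESS)
    {
        Console.WriteLine("Could Not Retrieve Parsed Field Info " + errno);
        return;
    }

    if (parsedField.NplDataTypeNameLength != 0)
    {
        char[] typeName = new char[BUFFER_SIZE];
        unsafe
        {
            fixed (char* pstr = typeName)
            {
                errno = NetmonAPI.NmGetFieldName(hParsedFrame, fieldId, NmParsedFieldNames.DataTypeName, BUFFER_SIZE, pstr);
            }
        }

        // Only print the type name when the call actually filled the buffer.
        if (errno == ERROR_SUCCESS)
        {
            Console.Write("(" + new string(typeName).Replace("\0", string.Empty) + ") ");
        }
    }

    if (parsedField.FieldBitLength > 0)
    {
        byte number8Bit = 0;
        ushort number16Bit = 0;
        uint number32Bit = 0;
        ulong number64Bit = 0;

        switch (parsedField.ValueType)
        {
            case FieldType.VT_UI1:
                errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine(number8Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_I1:
                errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
                if (errno == ERROR_SUCCESS)
                {
                    // Signed types are fetched through the unsigned getter and reinterpreted.
                    Console.WriteLine((sbyte)number8Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_UI2:
                errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine(number16Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_I2:
                errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine((short)number16Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_UI4:
                errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine(number32Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_I4:
                errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine((int)number32Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_UI8:
                errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine(number64Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_I8:
                errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine((long)number64Bit);
                }
                else
                {
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_ARRAY | FieldType.VT_UI1:
                byte[] byteArray = new byte[BUFFER_SIZE];
                unsafe
                {
                    fixed (byte* barr = byteArray)
                    {
                        errno = NetmonAPI.NmGetFieldValueByteArray(hParsedFrame, fieldId, BUFFER_SIZE, barr, out number32Bit);
                    }
                }

                if (errno == ERROR_SUCCESS)
                {
                    // The returned length is presumably the number of bytes copied, but it
                    // comes from native code: never index past the managed buffer.
                    uint shown = Math.Min(number32Bit, (uint)byteArray.Length);
                    for (uint i = 0; i < shown; i++)
                    {
                        Console.Write(byteArray[i].ToString("X2") + " ");
                    }

                    if ((parsedField.FieldBitLength >> 3) > number32Bit)
                    {
                        Console.Write(" ... " + ((parsedField.FieldBitLength >> 3) - number32Bit) + " more bytes not displayed");
                    }

                    Console.WriteLine();
                }
                else if (errno == ERROR_RESOURCE_NOT_AVAILABLE)
                {
                    Console.WriteLine("The field is a container");
                }
                else
                {
                    // Previously silent; report it like the numeric cases do.
                    Console.WriteLine("Error " + errno);
                }
                break;

            case FieldType.VT_LPWSTR:
                char[] text = new char[BUFFER_SIZE];
                unsafe
                {
                    fixed (char* pstr = text)
                    {
                        errno = NetmonAPI.NmGetFieldValueString(hParsedFrame, fieldId, BUFFER_SIZE, pstr);
                    }
                }

                if (errno == ERROR_SUCCESS)
                {
                    Console.WriteLine(new string(text).Replace("\0", string.Empty));
                }
                else
                {
                    Console.WriteLine("String is too long to display");
                }
                break;

            case FieldType.VT_LPSTR:
                Console.WriteLine("Should not occur");
                break;

            case FieldType.VT_EMPTY:
                Console.WriteLine("Struct or Array types expect description");
                break;

            default:
                Console.WriteLine("Unknown Type " + parsedField.ValueType);
                break;
        }
    }
    else
    {
        Console.WriteLine("Empty");
    }
}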
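/// <summary>
/// Minimal walkthrough of the Netmon API: initialise the API, build a frame parser, open
/// "auto.cap", parse frame 0 and read the name path of its first field.
/// </summary>
/// <remarks>
/// Every API status is checked before the handle or value it produced is used, and every
/// handle obtained is released on all exit paths. The capture file is external input handed
/// to native parsers, so a failed step stops the run rather than continuing with a zero handle.
/// </remarks>
/// <param name="args">Command-line arguments (unused).</param>
static void Main(string[] args)
{
    IntPtr nplPointer = IntPtr.Zero;
    IntPtr parserConfigPointer = IntPtr.Zero;
    IntPtr parserPointer = IntPtr.Zero;
    IntPtr captureFileHandle = IntPtr.Zero;
    IntPtr rawFrame = IntPtr.Zero;
    IntPtr parsedFrame = IntPtr.Zero;
    IntPtr insRawFrame = IntPtr.Zero;

    try
    {
        // Initialize NetworkMonitor API
        NM_API_CONFIGURATION apiConfig = new NM_API_CONFIGURATION();
        apiConfig.Size = (ushort)(System.Runtime.InteropServices.Marshal.SizeOf(apiConfig));
        if (NetmonCallFailed("NmGetApiConfiguration", NetmonAPI.NmGetApiConfiguration(ref apiConfig)))
        {
            return;
        }

        // NOTE(review): 0 is kept from the original; confirm which threading mode it selects.
        apiConfig.ThreadingMode = 0;
        if (NetmonCallFailed("NmApiInitialize", NetmonAPI.NmApiInitialize(ref apiConfig)))
        {
            return;
        }

        if (NetmonCallFailed("NmLoadNplParser", NetmonAPI.NmLoadNplParser(null, NmNplParserLoadingOption.NmAppendRegisteredNplSets, pErrorCallBack, IntPtr.Zero, out nplPointer)))
        {
            return;
        }

        // Initialize Frame parser
        if (NetmonCallFailed("NmCreateFrameParserConfiguration", NetmonAPI.NmCreateFrameParserConfiguration(nplPointer, pErrorCallBack, IntPtr.Zero, out parserConfigPointer)))
        {
            return;
        }

        if (NetmonCallFailed("NmConfigConversation", NetmonAPI.NmConfigConversation(parserConfigPointer, NmConversationConfigOption.None, true)))
        {
            return;
        }

        if (NetmonCallFailed("NmCreateFrameParser", NetmonAPI.NmCreateFrameParser(parserConfigPointer, out parserPointer, NmFrameParserOptimizeOption.ParserOptimizeNone)))
        {
            return;
        }

        // Parse capture file. The relative name resolves against the current working directory.
        if (NetmonCallFailed("NmOpenCaptureFile", NetmonAPI.NmOpenCaptureFile("auto.cap", out captureFileHandle)))
        {
            return;
        }

        uint rawFrameCount;
        if (NetmonCallFailed("NmGetFrameCount", NetmonAPI.NmGetFrameCount(captureFileHandle, out rawFrameCount)))
        {
            return;
        }

        if (rawFrameCount == 0)
        {
            Console.Error.WriteLine("Capture file contains no frames");
            return;
        }

        uint frameNumber = 0;
        if (NetmonCallFailed("NmGetFrame", NetmonAPI.NmGetFrame(captureFileHandle, frameNumber, out rawFrame)))
        {
            return;
        }

        if (NetmonCallFailed("NmParseFrame", NetmonAPI.NmParseFrame(parserPointer, rawFrame, frameNumber, NmFrameParsingOption.FieldDisplayStringRequired | NmFrameParsingOption.FieldFullNameRequired | NmFrameParsingOption.DataTypeNameRequired, out parsedFrame, out insRawFrame)))
        {
            return;
        }

        uint fieldCount;
        if (NetmonCallFailed("NmGetFieldCount", NetmonAPI.NmGetFieldCount(parsedFrame, out fieldCount)))
        {
            return;
        }

        if (fieldCount == 0)
        {
            Console.Error.WriteLine("Parsed frame contains no fields");
            return;
        }

        // The length passed to the native call is the same value the pinned array was
        // allocated with.
        uint BUFFER_SIZE = 1024;
        char[] name = new char[BUFFER_SIZE * 2];
        uint nameStatus;
        unsafe
        {
            fixed (char* pstr = name)
            {
                nameStatus = NetmonAPI.NmGetFieldName(parsedFrame, 0, NmParsedFieldNames.NamePath, BUFFER_SIZE * 2, pstr);
            }
        }

        if (NetmonCallFailed("NmGetFieldName", nameStatus))
        {
            return;
        }

        // Result of the walkthrough; the original computes it and does nothing further with it.
        String fieldName = new String(name).Replace("\0", String.Empty);
    }
    finally
    {
        // Release in reverse order of acquisition; only handles that were actually set.
        if (insRawFrame != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(insRawFrame);
        }

        if (parsedFrame != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(parsedFrame);
        }

        if (rawFrame != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(rawFrame);
        }

        if (captureFileHandle != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(captureFileHandle);
        }

        if (parserPointer != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(parserPointer);
        }

        if (parserConfigPointer != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(parserConfigPointer);
        }

        if (nplPointer != IntPtr.Zero)
        {
            NetmonAPI.NmCloseHandle(nplPointer);
        }
    }
}

/// <summary>
/// Reports a failed Netmon API call on standard error.
/// </summary>
/// <param name="apiName">Name of the API function that was called.</param>
/// <param name="status">Status code the call returned.</param>
/// <returns>true when <paramref name="status"/> is not 0 (Win32 ERROR_SUCCESS).</returns>
private static bool NetmonCallFailed(string apiName, uint status)
{
    if (status == 0)
    {
        return false;
    }

    Console.Error.WriteLine(apiName + " failed, returned: " + status);
    return true;
}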