Network Monitor Capture File Format
This document supports a publicly available release of a software program that bears the name Microsoft Network Monitor 3.1.
Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, except for single copies for personal use, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2006-2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS,
Windows, Windows Server, and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the
All other trademarks are property of their respective owners.
This document describes the Network Monitor capture file format. Please refer to netmon.h in the Windows SDK for details about optional structures.
The Network Monitor 2.x capture format has become the de-facto network capture file format for the Windows community.
The Network Monitor 3 application generates capture files in the Network Monitor 2.1 capture file format.
The Network Monitor 2.1 capture file format is backward-compatible with the Network Monitor 2.0 file formats but not with the Network Monitor 1.x formats.
Unlike the 1.x and 2.0 capture file formats, the 2.1 capture file format is able to store frames from one or more different MAC types.
Descriptions of network adapters that were involved in capturing frames can be stored after the capture file header in the 2.1 capture file format. Network Monitor 3 also provides an alternate mechanism to store network information such as the capturing machines' network addresses and other ipconfig information. Refer to netmon.npl in the install directory of Network Monitor 3 for details.
The capture file consists of the following sections each of which is described in detail in subsequent sections.
Capture file header,
A section full of frames of data,
A frame table containing offsets to the beginning of each frame.
Figure (Global Header, Frame Data and Frame Table in the Capture file. Note: This is a schematic diagram of how the pointers and data ARE organized, rather than a figure drawn to size)
The following is the Capture file header struct as defined in netmon.h
typedef struct _CAPTUREFILE_HEADER_VALUES
CAPTUREFILE_HEADER_VALUES;
We describe each of the above fields and their purpose below.
DWORD signature: Set to NETMON_2_0_CAPTUREFILE_SIGNATURE for Network Monitor 2.x capture file format, where NETMON_2_0_CAPTUREFILE_SIGNATURE is defined in netmon.h
o #define NETMON_2_0_CAPTUREFILE_SIGNATURE MAKE_IDENTIFIER('G', 'M', 'B', 'U')
BYTE BCDMajorVersion: The major version number for the capture file format. Set to 2 for Network Monitor 2.x format.
BYTE BCDMinorVersion: The minor version number for the capture file format. Set to 0 for Network Monitor 2.0 format, and 1 for Network Monitor 2.1 format.
WORD MacType: MAC types are used to identify the different media on which a network capture is performed. MAC types are #defined in netmon.h.
o #define MAC_TYPE_ETHERNET ( 1 )
o #define MAC_TYPE_TOKENRING ( 2 )
o #define MAC_TYPE_FDDI ( 3 )
o #define MAC_TYPE_ATM ( 4 )
o #define MAC_TYPE_1394 ( 5 )
o #define MAC_TYPE_NETMONFILTER ( FFFF )
o #define MAC_TYPE_DNS_CACHE ( FFFE )
o #define MAC_TYPE_NETWORK_INFO ( FFFD )
o #define MAC_TYPE_PAYLOAD_HEADER ( FFFC )
For file format 2.0, all the frames in a file are captured on the same media, which is indicated by the MAC type in the header. For file format 2.1, frames from multiple media can be stored in the same file. Hence, the MAC type is stored per frame. The capture header MAC type is included only for backward-compatibility with version 2.0, and is ignored (the Network Monitor 3 application currently sets this value to 1 by default).
SYSTEMTIME Timestamp: Time stamp of the first frame passed up to the Network Monitor Engine
DWORD FrameTableOffset: Offset to the frame table from the start of the capture file.
DWORD FrameTableLength: Length of frame table - used to compute number of frames = FrameTableLength/sizeof(DWORD)
DWORD UserDataOffset;
DWORD UserDataLength;
DWORD CommentDataOffset;
DWORD CommentDataLength;
DWORD StatisticsOffset;
DWORD StatisticsLength;
The above 6 DWORDS can be set to NULL. These fields are pointers to optional data. If you are not using these fields, please MEMSET them to NULL.
DWORD ConversationStatsOffset;
DWORD ConversationStatsLength;
The above 2 DWORDS can be set to NULL. These fields are pointers to optional data. If you are not using these fields, please MEMSET them to NULL.
The FrameTable can be anywhere in the file after the CAPTUREFILE_HEADER. The FrameTableOffset and the FrameTableLength members of the CAPTUREFILE_HEADER_VALUES are used to find the frame table and determine how many frames are contained in the file. The table is simply a sequential array of ULONGs that contain the offset from the start of the file to each FRAME structure within the file.
The Frame struct described below is the header for the raw bytes captured on the network. In particular, the MacFrame field is a pointer to the beginning of the raw frame data. See Figures 1 and 2 for schematic representations.
Figure (Struct Frame)
typedef struct _FRAME
FRAME;
We describe each of the above fields and their purpose below:
__int64 TimeStamp: The relative timestamp of the frame in microseconds. This is the time offset from the timestamp in the capture file header.
DWORD FrameLength: Original length of the frame
DWORD nBytesAvail: Actual number of bytes copied
BYTE MacFrame[ 1 ]: Pointer to the beginning of the raw frame data
The Network Monitor 2.1 capture file format can store frames captured on different MAC types. For each frame, the MAC type it was captured on is stored as a word at the end of the raw frame data.
*MacType = *((PWORD)&frameHeader->MacFrame[frameHeader->FrameLength]);
The MAC types are defined in Netmon.h:
o #define MAC_TYPE_ETHERNET ( 1 )
o #define MAC_TYPE_TOKENRING ( 2 )
o #define MAC_TYPE_FDDI ( 3 )
o #define MAC_TYPE_ATM ( 4 )
o #define MAC_TYPE_1394 ( 5 )
o #define MAC_TYPE_NETMONFILTER ( FFFF )
o #define MAC_TYPE_DNS_CACHE ( FFFE )
o #define MAC_TYPE_NETWORK_INFO ( FFFD )
o #define MAC_TYPE_PAYLOAD_HEADER ( FFFC )
In addition, the Network Monitor 3 application defines the 802.11 MAC type as follows:
o #define MAC_TYPE_DOT11 (6)
Nanosecond time resolution is not available
The file format is subject to change. If you intend to ship external bits based on this capture file format, please contact the Network Monitor team before doing so.
|
