Can I add plug-ins written in C/C++ that I can call from my parser?

  • Monday, October 19, 2009 7:30 PM, Scott_Matthews
    Our protocol supports encryption and compression of packets. Is it possible for a parser to make a call into a C/C++ DLL to decompress and/or decrypt the packet before parsing it? I understand that TLS packets will likely be impossible to decrypt, but we also support a proprietary protocol, and I would like to be able to display the contents of packets encrypted using that.

All Replies

  • Tuesday, October 20, 2009 2:07 PM, Paul E Long (MSFT, Owner)
    We don't support plug-ins from C/C++ DLLs.  However, it is possible to take the original data, decrypt it, and output a new trace that is decrypted.  This will require you to do something special with the transport layer.  Either you'll have to fix up sizes so that the underlying transport is correct, or you'll have to add a new header and potentially a new media type to handle your reassembled data.

    We already have a PayloadHeader protocol that you could potentially reuse.  But if not, you can always create your own media type and Register it in Frame.npl to call your new base protocol.
  • Friday, October 23, 2009 11:29 PM, Scott_Matthews
    Can I use the Network Monitor API to do this? I have written a program in C that uses the API to read through a capture file and find the encrypted data. I can use NmAddFrame for those frames that don't contain encrypted data, but for encrypted packets, I'd like to replace the encrypted data with decrypted data (the encryption preserves length, so this should be possible) and then write the frame to the output file. But I can't find a way to modify the data within the frame before writing it out.

    Dealing with compressed data might be more tricky, since obviously the length of the packet will be affected.
  • Wednesday, October 28, 2009 3:50 PM, Paul E Long (MSFT, Owner)
     
    With the API you can create a raw frame from a buffer (NmBuildRawFrameFromBuffer).  So once you extract the payload you can build up a new frame and use this API to create the raw frame which you can then write to a file.

    The tricky part, however, is determining how to structure the frame.
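The approach the two replies describe (pull the payload out of the captured frame, decrypt or decompress it, then build a fresh raw frame whose transport headers are consistent with the new payload) as an added example. This is example code written for this page, not code from the thread, from Network Monitor, or from its SDK. It deliberately does not call the Network Monitor API, because the part that is actually tricky, restructuring the frame, is plain byte handling: the rebuilt buffer is what you would hand to NmBuildRawFrameFromBuffer and then NmAddFrame on Windows. The repeating-key XOR and the run-length scheme are assumed stand-ins for the poster's proprietary encryption and compression, the Ethernet/IPv4/UDP frame is constructed rather than captured, and the assumption that the transport is UDP over IPv4 without IP options is checked rather than taken on trust.

```c
/* Added example (not from the thread or the Network Monitor SDK): rebuild an
 * Ethernet/IPv4/UDP frame around a replacement payload so the transport headers
 * stay correct. The XOR "cipher" and RLE "compression" are assumed stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_LEN 14
#define IP_LEN  20
#define UDP_LEN 8
#define HDR_LEN (ETH_LEN + IP_LEN + UDP_LEN)

/* RFC 1071 one's-complement checksum; returns 0 for a header whose checksum is valid. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Copy the headers of `in`, append `payload`, then fix IPv4 total length, IPv4
 * header checksum and UDP length. The UDP checksum is set to 0 (disabled), which
 * is legal for UDP over IPv4; a production tool would recompute it. `out` must
 * not overlap `in`. Returns the new frame length, or 0 if the frame is not plain
 * IPv4/UDP without options or the output buffer is too small. */
size_t rebuild_frame(const uint8_t *in, size_t in_len, const uint8_t *payload,
                     size_t payload_len, uint8_t *out, size_t out_cap)
{
    if (in_len < HDR_LEN || HDR_LEN + payload_len > out_cap) return 0;
    if (in[12] != 0x08 || in[13] != 0x00) return 0;                  /* EtherType IPv4 */
    if ((in[ETH_LEN] & 0x0f) != 5 || in[ETH_LEN + 9] != 17) return 0; /* IHL 5, proto UDP */

    memcpy(out, in, HDR_LEN);
    memcpy(out + HDR_LEN, payload, payload_len);

    uint16_t ip_total = (uint16_t)(IP_LEN + UDP_LEN + payload_len);
    out[ETH_LEN + 2] = (uint8_t)(ip_total >> 8); out[ETH_LEN + 3] = (uint8_t)ip_total;
    out[ETH_LEN + 10] = out[ETH_LEN + 11] = 0;       /* checksum field zeroed before computing */
    uint16_t csum = ip_checksum(out + ETH_LEN, IP_LEN);
    out[ETH_LEN + 10] = (uint8_t)(csum >> 8); out[ETH_LEN + 11] = (uint8_t)csum;

    uint8_t *udp = out + ETH_LEN + IP_LEN;
    uint16_t udp_len = (uint16_t)(UDP_LEN + payload_len);
    udp[4] = (uint8_t)(udp_len >> 8); udp[5] = (uint8_t)udp_len;
    udp[6] = udp[7] = 0;                             /* UDP checksum disabled */
    return HDR_LEN + payload_len;
}

/* Length-preserving stand-in cipher: XOR with a repeating key (symmetric). */
void xor_decrypt(const uint8_t *in, size_t len, const uint8_t *key, size_t key_len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key[i % key_len];
}

/* Stand-in decompressor: input is (count, byte) pairs. Returns output length, 0 on overflow. */
size_t rle_decompress(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (n + in[i] > out_cap) return 0;
        memset(out + n, in[i + 1], in[i]);
        n += in[i];
    }
    return n;
}

/* Constructed (not captured) Ethernet/IPv4/UDP frame around `payload`; lengths and
 * checksum are left zero in the template and filled in by rebuild_frame(). */
size_t make_test_frame(const uint8_t *payload, size_t payload_len, uint8_t *out, size_t out_cap)
{
    static const uint8_t hdr[HDR_LEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00, 0x00,0x00, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00, 10,0,0,1, 10,0,0,2,
        0x13,0x88, 0x13,0x88, 0x00,0x00, 0x00,0x00 };
    return rebuild_frame(hdr, HDR_LEN, payload, payload_len, out, out_cap);
}

/* Encrypted case: payload length is preserved, so only the bytes change. */
size_t demo_decrypt_frame(uint8_t *out, size_t out_cap)
{
    static const uint8_t key[] = { 0x5a, 0xa5, 0x3c };     /* assumed key */
    const char *plain = "hello world";
    uint8_t enc[16], dec[16], frame[128];
    size_t plen = strlen(plain);
    xor_decrypt((const uint8_t *)plain, plen, key, sizeof key, enc);   /* "capture" side */
    size_t flen = make_test_frame(enc, plen, frame, sizeof frame);
    xor_decrypt(frame + HDR_LEN, flen - HDR_LEN, key, sizeof key, dec); /* converter side */
    return rebuild_frame(frame, flen, dec, flen - HDR_LEN, out, out_cap);
}

/* Compressed case: payload grows, so IP total length, checksum and UDP length all move. */
size_t demo_decompress_frame(uint8_t *out, size_t out_cap)
{
    static const uint8_t comp[] = { 3, 'a', 2, 'b', 4, 'c' };   /* constructed input */
    uint8_t dec[32], frame[128];
    size_t flen = make_test_frame(comp, sizeof comp, frame, sizeof frame);
    size_t dlen = rle_decompress(frame + HDR_LEN, flen - HDR_LEN, dec, sizeof dec);
    return rebuild_frame(frame, flen, dec, dlen, out, out_cap);
}

int main(void)
{
    uint8_t f[128];
    printf("decrypted frame: %zu bytes\n", demo_decrypt_frame(f, sizeof f));
    printf("decompressed frame: %zu bytes\n", demo_decompress_frame(f, sizeof f));
    return 0;
}
```

For the length-preserving cipher the header fix-up is a no-op apart from the checksum, which is why the poster's "just replace the bytes" plan works; for the compressed case every length field above the payload has to be rewritten, which is the "fix up sizes" path from the first reply. If you instead take the other path, wrapping the reassembled data in your own header under a new media type registered in Frame.npl, the same rebuilt buffer is what you would pass to NmBuildRawFrameFromBuffer with that media type.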