Network Monitor Forum

NM 3.3 my_sparser.npl load error

Sat, 28 Nov 2009 21:52:02 Z

I've downloaded and re-installed NM 3.3 a couple times but can't get past a simple startup error. First there a generic error popup which asks me if I want to try to fix this error so I click OK. It then brings up the following lines in a grid at the bottom of the screen:

Status           Filename     Line Col Desc
0x81006018 sparser.npl   10 8     Failed to load file "my_sparser.npl"; The parameter is incorrect. _ _ (WinStatusCode=0x00000057)
0x83006030                                 Encountered errors while loading C:\documents and settings\rick\local settings\App Data\MS\NM3\sparser.npl file.

(the path in the second line used abbreviated for brevity)

The folder exists as does the sparser.npl file but NOT the my_sparser.npl file.
I've read similar posts on this and suspect its related to me being offline (at home, not on corporate LAN) and my My Documents point to a LAN drive. I tried a SUBST H: C:\ and also moving the My Documents location to C: (My Documents Properties) but the behavior remains.

The major components of my PC are: Win XP SP3, Norton EP v11, Pointsec. I'm an admin and I'm NOT using roaming profile. Below is the output of a troubleshooting command:

nmcap /displaynplpath
Netmon Command Line Capture (nmcap) 3.3.1641.0
NplIncludePath = C:\Documents and Settings\rearly\Local Settings\Application Dat
a\Microsoft\Network Monitor 3;C:\Documents and Settings\All Users\Application Da
ta\Microsoft\Network Monitor 3\NPL\Microsoft Parsers;C:\Documents and Settings\A
ll Users\Application Data\Microsoft\Network Monitor 3\NPL\Microsoft Parsers\Core
;C:\Documents and Settings\All Users\Application Data\Microsoft\Network Monitor
3\NPL\Microsoft Parsers\Common;C:\Documents and Settings\All Users\Application D
ata\Microsoft\Network Monitor 3\NPL\Microsoft Parsers\Windows\Stubs

network monitor help

Mon, 23 Nov 2009 13:18:14 Z

Hi all,

Im a newby network engineer, one of our server is sometimes very slow.
So i tried this tool but its very difficult to understand what and how it works.
Anyone can kick me in the right direction? what kind of settings i must edit so i can monitor why my server(network ) is slow?

thx for yor help!

Kind regards,

3.3 were has the realtime stats like session stats gone?

Thu, 19 Nov 2009 13:04:12 Z

Looked everywhere.

is there alternative if its been removed.

Thanks

Multicast traffic

Fri, 13 Nov 2009 14:07:24 Z

How do i capture udp and rtp multicast traffic?

With NO filters at all I get no traffic even though Wireshark reveals udp traffic.

About multithread in callback

Mon, 02 Nov 2009 11:34:37 Z

Hi paul
   Basically, I found the callback is got called one by one, yet the processing performance need us to do our own raw parse and may be, use ThreadPool in callback, and let workthread to do filter and make call back return as fast as possible.

   Howerver, when calling NmAddFrame in sub thread, hRawFrame passed from callback is a problem, it should be valid and point to a handle table in one callback, yet may got changed when next callback comes. How could I keep or dup it so that the next callback comes, it's still valid, seemingly, only simple assignment or DuplicateHandle could not work.

If keeping or duplicating hRawFrame HANDLE unavailable, may be we should write data into cap file for ourself. Jessus!

About NmConfigAdapter is callback model

Sun, 01 Nov 2009 07:44:20 Z

Hi paul
I'd like to know the callback model of NmConfigAdapter, when one frame comes the callback got called, yet the callback seemingly was called in a serialized sequence as there are not so much thread I've noticed
Are you using ThreadPool or I/O completion port inside or just enqueue every callback and process frame in a serialized mode?

Memory leak?

Tue, 03 Nov 2009 08:05:20 Z

Hi,
    As we want to process huge cap data,so I use a big loop (For example : process 10 files 10000 times) to simulate the real environment. I just do very basic operation:

for( 10000 times)
{
     (1)Open a cap file.
     (2) get raw frame count;
     (3) get every raw frame.
}

We are very sure we close every handle( rawFrame's and file's ) after we use it.

But the memory usage  begin to increase until the program throw a OutOfMemory exception : (
By the way,we've tried both in C# and C++,the result is same.
Anyone knows why? Thanks so much.

Netmon returns permissions error when I try to start a capture

Tue, 12 May 2009 06:42:58 Z

Hi there,
I have encountered an issue with Netmon 3.2 where the system program an error if I try to start a capture.

>>None of the network adapters are bound to the netmon driver
>>You may not have the rights to capture on this machine. Your account must be in the Administrators group to capture.

- I'm using WinXP.
- I've checked that my account has administrator privilages. It does.
- Netmon did not create a Netmon Users group on my system. I have created on manually and added myself, however this does not seem to have changed anything.
- I have also logged in as the system admin and tried to initiate a capture, I end up with the same issue.

Please help me troubleshoot this issue!

Many thanks,
Richard

Reassembly and broken fragments

Wed, 28 Oct 2009 19:11:55 Z

My protocol consists of small variable-length structures (which I'll call "commands"). Each command contains a field indicating its length. Frequently, commands are sent individually, so one TCP packet contains one command. Sometimes, however, numerous commands may be sent in a single TCP packet, and sometimes one command can be split over two TCP packets, so I see something like this:

PKT 1:

len1 data1 len2 data2 len3 (part of data3)

PKT 2:

(rest of data3)

My original parser just described one command, so PKT 1 is shown as containing a single command (the rest is marked as TCP.UnhandledTCPData), and PKT 2 is shown as being corrupt. Then I added a "while [FrameOffset < FrameLength]" loop around the whole thing - now PKT 1 has 3 commands, though part of the third one is missing, but PKT 2 is still corrupt.

I believe I have to use the reassembly facility to deal with this, and I found some videos here but the video on reassembly seemed to imply that this was used when one fragment was broken up into multiple TCP packets, and my problem is kind of the other way around.

How can my parser deal with this?

Pending Temporary Capture File Keep Increasing after NmStopCapture

Thu, 29 Oct 2009 22:07:07 Z

Hi,

    These days, I've heen trying to do some capture with netmon3.4 api on a machine with huge traffic, right now when I stop capture engine, surprisingly , why the "roo*.tmp" in my tmp file path still keep increasing?


    I'd like to know how netmon works when the capture engine got stopped, much thanks, buddy

How to set temporary capture file size and path with Netmon API?

Wed, 28 Oct 2009 03:28:38 Z

Using netmon API to capture traffic, there are a sequence of "roo*.tmp" files produced by netmon in my %TMP% path.

With netmon UI, I could set that temporary capture File size and path in Tools->Option->Capture tab

If I'd like to change temporary capture file size and path, how could I do with netmon API? Much thanks!

Encryption question

Wed, 21 Oct 2009 19:01:05 Z

Is there a way in Network Monitor 3.3 to display if AES encryption is happening when a client connects to a server?

How do I tell Network Monitor which packets use my protocol?

Thu, 15 Oct 2009 18:01:20 Z

I have written a parser for my UDP-based protocol, which has a port number assigned to it (say 4567). This is of course the port that my server listens on, but clients can use any client port they want, and usually specify 0 which tells the OS to choose one. If the client port is chosen to be one that matches another protocol, the other protocol parser is sometimes chosen over mine. Specifically, if the client chooses port 1701, then the packet is displayed using the L2TP protocol.

I have the following in my parser:

[RegisterBefore(UDP.Ssrp, MyProtocol, 4567)]

How can I tell it that if either the source or destination port is 4567 then always use my protocol parser?

Similarly, we have a TCP-based protocol as well, which usually uses the same port number, but doesn't have to, so it's possible that neither the client NOR the server will be using port 4567. How can I tell Network Monitor that those packets use my protocol?

Can I add plug-ins written in C/C++ that I can call from my parser?

Mon, 19 Oct 2009 19:30:12 Z

Our protocol supports encryption and compression of packets. Is it possible for a parser to make a call into a C/C++ DLL to decompress and/or decrypt the packet before parsing it? I understand that TLS packets will likely be impossible to decrypt, but we also support a proprietary protocol, and I would like to be able to display the contents of packets encrypted using that.

WLan antenna presence detection logic needed.

Tue, 27 Oct 2009 13:38:00 Z

I have a PC with Pci WLan card installed. I want to create a program to detect whether the antenna is connected or not. if possible this logic should not be dependent on the user connected to that network.

I used Wmi, msndis class. but my Vista pc these classes did not have any objects instantiated.

OS: Vista
H/w : Belkin wireless A+g dual band desktop card - F6D3000

Is it possible to analysis cap in Multi thread?

Mon, 26 Oct 2009 03:09:49 Z

As single thread to anlysis the cap files is very slowly,so I want let every file have a NetMon engine to do the anlysis ,but it seems cann't initialize the NetMon engine if I use ThreadPool in C# to do this.
Any help will be appreciate ^_^ .

Profiling an application

Fri, 23 Oct 2009 21:03:37 Z

I have a .NET windows service that does a lot of network magic (WMI, Ping, etc - the list is very long). I would like to profile, with as much ease and detail as possible, how much bandwidth the application uses in total as well each part in the code. I was pointed to microsoft network monitor.

The first big blow was that using the API or the nmcap, you cannot monitor by process. I worked arround that by trying to list the protocols that my app uses. The second problem i've hit is a performance problem. Whether i use the API or nmcap, after about half an hour of monitoring network monitor falls about 10 min behind in the parsing and has parsed arround 15 thousand frames. If i use nmcap, i then i have to reparse the file which seems to take just as much time (so if i profile for 10 hours I need 10 hours to get through the parsing). If i use the API so I just parse once, after running it for 4 hours it crashes (i guess it might be something in my code).

Is there any way to reduce the time it takes to parse? I'd be willing to sacrifice the infomration I get for performance. I'm only after a few tidbits of information, i think network monitor might be doing too much

One network interface missing

Fri, 23 Oct 2009 12:41:35 Z

Hello,

I have an annoying problem with Network Monitor. When installed (and started as administrator, otherwise it won't show any NICs), my Intel WLAN NIC is missing. I tried installing the latest drivers avaible with no result, I tried contacting Intel only to get the answer that it's not their problem because Microsoft Network Monitor is a Microsoft product.

My system is Windows 7 32 bit.

Showing custom popups

Thu, 22 Oct 2009 05:19:07 Z

Hi,

I am having a wifi connection. I am using Belkin N1 Series WIFI Router. And i need to display a popup on their PC when someone tries to access my WIFI Router, i mean if someone tries to connect to the internet through this wifi connection. Is it possible? If so please let me know how.

Born To Be Free

Creating a filter in nmcap using Conversation fields

Tue, 20 Oct 2009 20:53:10 Z

Why is this not working

C:\>nmcap /network * /Capture "Conversation.ProcessName == \"RDTabs.exe\"" /File C:\capture3.cap

The command is accepted, however, nothing is ever saved.

Can i not use Conversation fields in the filter in nmcap. The same exact filter works fine in the netmon UI. How else can i do this?

Thanks

Database Utilization Vs Network Utilization

Tue, 20 Oct 2009 17:41:03 Z

Hi Friends

I have been facing problem related to either Database Utilization or Network Utilization.

The Application Software at our end keeps freezing or becomes very slow at the peak business hours.
Although we identified a few queries that take time and we have been successful in optimizing them too. Now what's itching my head is, that whenever the application is slow the Network Utilization also goes up along with the Database Utilization.

Looking at this trend I have started thinking that may be my Database is not a culprit but there can be some Network issue due to which the application slows down as soon as the number of users increase. (we are using 1Gbps network).

How can I check if the issue is with the Database or the Network???

I want to monitor these two consistently and prove who is a culprit.

I am using SQL Server 2005.

Kindly help.

Thanks
Mayur Kashikar

How to specify filters in NMcap

Tue, 20 Oct 2009 14:14:18 Z

As in "How to reduce # of lost packets using Net mon 3.3; performance" I type command

NMCap /network * /capture 'TCP and (ContainsBin(FrameData, 2, "4C 00"))' /file out.cap:500M /DisableConversations

but I get error:
Error: '/Capture' - Invalid parameter ''TCP and (ContainsBin(FrameData, 2, 4C 00))''

And it repeates in any other cases when I try to specify any filter on all computers where I try.
Where is a mistake?

How do I write a parser to iterate through an array?

Thu, 15 Oct 2009 16:30:55 Z

I'm writing a parser for NM 3.3. First off, I must say that getting a basic parser working was very easy, so kudos on that. Anyway, my protocol contains a variable number of "sections", and each section has a section identifier within it, along with some section-specific data. I've set up the array of sections like this:

struct Section {
  UINT16 section_type
  switch( section_type ) {
     case 0 : /* section 0 data */;
     case 1 : /* section 1 data */;
     ...
  }
}

Then in the Protocol section:

UINT16 num_sections;
Section sections[num_sections];

This is working fine, but I would like the description of each packet (i.e. Protocol MyProtocol = <something>) to include the object name, which is contained in one of the sections. But the sections can occur in any order and some may or may not be present, so I can't use an array index. How can I iterate through the array of sections looking for the one with the right section number and return the string in that section?

Old NetMon 2 - How to safely uninstall

Mon, 06 Jul 2009 22:54:09 Z

One of my XP systems has an old NetMon 2 installation (which I cribbed via the .inf files). Does anyone out there know how I can safely remove it without scorching NetMon 3? It's been ages since I messed with it... I know, I could image my system and fiddle, but I thought someone might "just know"...

Dial up networking with Microsoft Networking Monitor 3.3

Tue, 13 Oct 2009 04:55:10 Z

I downloaded Microsoft Networking Monitor 3.3 thinking I could get some kind of traffic analysis on my dial up. After a successful download, I clicked the icon on my desktop to view the software and I noticed that in the networks box my dial up wasn't listed. So, I guess I didn't quite understand what I downloaded. How do I view my traffic for dial up connections?

Filter on Time of Day

Fri, 09 Oct 2009 21:28:22 Z

I was wondering if anyone could tell me whether netmon 3.3 introduced a way to filter or search on the "Time Of Day" column?

Thank you

Promiscuous mode

Sun, 11 Oct 2009 00:41:22 Z

Maybe a stupid question, but does this actually work in 3.3? I am trying to sniff UPnP packets between a media server and a media renderer, and I get nothing but the broadcast messages (which I got without promiscuous mode enabled).
Those devices are definitely communicating with each other, and we are all sharing a hub.
I remember being able to see other traffic with Netmon 3.1 a while ago (but I was monitoring different traffic then). Is there somewhere I can download older versions of netmon just in case?

Thanks,

Adrian Stephens

Lost Connection Advice

Thu, 08 Oct 2009 14:53:58 Z

I have an application that connects to a tcpip/rs422 protocol converter. The converter is attached to some electronic equipment. This application polls the equipment at the other end of the converter and receives responses from the connected equipment. This application is used in conjunction with this converter in many locations without a problem. (Over internet and intranet.) However, in an installation in Mexico we are having problems. Sometimes the connection will work for several hours and then unexplainably the connection is lost. I have found out that their WAN is supported by satellite communication which I suspect may be part of the problem. The application is running on a Windows XP SP3 computer.

I am being sent to diagnose the connection problem. I am wondering if the netmon tool would be helpful in diagnosing the problem? If so, what would I look for or what type of setup do I need to capture the information needed to diagnose the problem? I haven't used this tool before at all so I am a newbie.

Thank you.

NmApi 3.3 crashes if used dynamically

Wed, 16 Sep 2009 08:53:54 Z

Something inside NmApi.dll seems to crash everytime when unloading NPL handlers, and sometimes in the middle of packet capture in Windows Vista when the DLL is used through LoadLibrary(). This problem does not happen under Windows XP. If I link the NmApi.lib statically to the project, everything works fine. However, I really wish to use the DLL dynamically. Is there any way to get this work? Thanks.

how to use netmon to collect statistics sent /received (bytes) for running applications

Tue, 15 Sep 2009 08:16:08 Z

how to use netmon to collect statistics sent /received (bytes) from services and application running on machine

Silly Question

Mon, 21 Sep 2009 22:32:20 Z

I have a quick question. I have a computer that uses a wireless connection in our office while the other computers use our wired network. The computer that uses wireless is on the same Domain, however, none of the other computers can see it. I cannot access any network resources on the wireless computer, and cannot access the shared drive of the wireless computer from an of our wired computers. When i try to add the shared drive i get the windows error network path is invalid. Is this problem due to it being on the wireless and not an ethernet connection?

Thanks

Real-time display of ETWevents/NetEvents in Netmon 3.3

Thu, 24 Sep 2009 21:52:52 Z

Hi,
I have instrumented a component to generate ETW traces, with which I use logman to capture the traces in an .etl file. I have also written parsers with NPL to parse the trace and I can use "Open Capture" to open the .etl file and everything shows up fine.

Now, my question is, is there a way to configure NetMon to display the events in realtime instead of capturing the traces thro' .etl and opening it offline? (For example, NetMon displays realtime IP/TCP messages in the "Frame Summary" window. I would like to know if this real time display facility can be enabled for NetEvents)

Thank you.
(PS: I am in love with Netmon and NPL :))

Can't get netmon to work, because of Paser error

Thu, 21 May 2009 21:43:23 Z

hi

I have installed net monitor 3.3 onto a vista client machine and this is being used to test some exchange problems with autodiscover (as per MS engineer request).

the problem is the after the install and following the runas administrator for vista users I ge the foloowing errors.

Failed to load file "my_sparser.npl": The parameter is incorrect. (WinStatusCode=0x00000057).

"One or more erros were found while building parsers.
You may be bale to capture fromes and save them but you cannot view them until the parsers are successfully built without erros.
Do you want to fix the error(s) now?"

Then after I try and start a capture it fails to. and I get a "Invalid capture filter" error and nothing I do seems to allow capture of data.

so I'm thinking that the failed parsers load is affecting the net mon 3.3 program.

any help is welcomed.

Cheers and Regards
Brent

Network Monitor 3.3 - Missing Network Interface

Wed, 02 Sep 2009 15:47:28 Z

Hi, I've installed Microsoft Network monitor 3.3 on a PC with Windows XP SP3, my domain account is a member of the PC's administrators group. My problem is that Network Monitor 3.3 doesn't show any Network interface. So.... Is there a problem with the installation? or is a problem with drivers? or do I need a patch?

Thanks for your answer

How to monitor download problems?

Wed, 16 Sep 2009 19:30:56 Z

Hello,

I am complete newbie to this so please bear with me. I have the strangest networking problem I have come across so far and I was wondering if you can advice me if I can troubleshoot it using Network Monitor.

I have two installations of Windows XP on the same laptop both connecting using wireless connection to router and to Internet. They are both using the same versin of driver and they both are configured to use DHCP to configure IP address and DNS settings from the router. One instance works perfectly, while the other one can access and browse Internet just fine, but it cannot download any file over the wireless connection. I have tried multiple browsers and the result is always the same, the download times out. As soon as I connect the laptop to the router directly via cable, the downloads work. I have tried fresh reinstall of the OS and the behavior is the same.

At this time I am not sure where to look at so I was wondering if I can somehow use MS Network Monitor to see what is going on. I would greatly appreciate any advice what to look for when using this tool.

Track user's Internet activity in Windows Server 2008 environment

Fri, 11 Sep 2009 15:42:35 Z

What is the best method to track internet usage of users from a Windows Server 2008 environment?

API Samples: Working with LoadCapAndFilter

Wed, 09 Sep 2009 16:40:01 Z

What are the limits are the filter expressions you can extract from NM to use programmatically. Here I want to extract those wifi beacons with private broadcasts and return their SSIDs. The filter expressions are legitimate, the code compiles without warnings for /W3, but no results are returned.

//Add filter

ret = NmAddFilter(myFrameParserConfig, L

"WiFi.WiFiPayload.Beacon.Capability.Privacy == \"0x1\"" , &myHTTPFilterID);

if(ret != ERROR_SUCCESS)

{

wprintf(L

"Fail to load Add fitler, error: \n", ret);

}

//Add field

ret = NmAddField(myFrameParserConfig, L

"WiFi.WiFiPayload.Beacon.InformationElements.Option.ssid", &myHTTPFieldID);

is there diffrance for IP address and physical address

Tue, 08 Sep 2009 20:12:27 Z

hi all, when i use IPCONFIG/ALL if found only local area connection with physical address no ip address, and if i want to use ip address to connect to my merge replication through vb smartdevice application.
so what can i do to work correcally becase i have the 28037 "a request to send data to computer runnig iis failde" and yes my sqlce and server on the same computer and i can browes it.
thank you ...

No Capture on Win 7 x64

Sun, 23 Aug 2009 08:09:24 Z

Installed v3.3.1641.0 on win7 x64 ult rtm but can't get any capture.

Network Monitor runs and I can select networks and start capture, but it doesn't capture anything, no frames countet in status bar.

I had vbox, winpcap and cfosspeed installed and already deinstalled with no success.

The network monitor filter is correctly shown in the network card properties.

This is the list of the networks in network monitor:
==================================================
Friendly Name     : isatap.{F2D49D96-2995-4963-9DFC-00F0111ECF25}
Description       : Microsoft ISATAP Adapter
IPv4 Address      : None
IPv6 Address      : fe80::5efe:192.168.3.50%12
Hardware Address : 00-00-00-00-00-00
Permanent Address :
Media Type        : Tunnel
State             : Bound
==================================================

==================================================
Friendly Name     : isatap.{FF6D63D9-B0E3-4432-997C-129C7FC5A7C0}
Description       : Microsoft ISATAP Adapter #2
IPv4 Address      : None
IPv6 Address      : fe80::5efe:192.168.1.50%14
Hardware Address : 00-00-00-00-00-00
Permanent Address :
Media Type        : Tunnel
State             : Bound
==================================================

==================================================
Friendly Name     : LAN
Description       : Intel(R) PRO/1000 GT Desktop Adapter
IPv4 Address      : 192.168.3.50
IPv6 Address      : None
Hardware Address : 00-0E-0C-70-6F-99
Permanent Address :
Media Type        : Ethernet
State             : Bound
==================================================

==================================================
Friendly Name     : Local Area Connection* 11
Description       : Teredo Tunneling Pseudo-Interface
IPv4 Address      : None
IPv6 Address      : fe80::100:7f:fffe%15
Hardware Address : 00-00-00-00-00-00
Permanent Address :
Media Type        : Tunnel
State             : Bound
==================================================

==================================================
Friendly Name     : NDISWANBH
Description       : WAN Miniport
IPv4 Address      : None
IPv6 Address      : None
Hardware Address : 08-71-20-52-41-53
Permanent Address :
Media Type        : PPP
State             : Bound
==================================================

==================================================
Friendly Name     : Reusable ISATAP Interface {1A795833-8AF4-4206-B40F-B20D04F255A1}
Description       : Microsoft ISATAP Adapter #3
IPv4 Address      : None
IPv6 Address      : None
Hardware Address : 00-00-00-00-00-00
Permanent Address :
Media Type        : Tunnel
State             : Bound
==================================================

==================================================
Friendly Name     : Reusable ISATAP Interface {55C7EF19-56D1-4203-BFF0-01844EE41DF0}
Description       : Microsoft ISATAP Adapter #4
IPv4 Address      : None
IPv6 Address      : None
Hardware Address : 00-00-00-00-00-00
Permanent Address :
Media Type        : Tunnel
State             : Bound
==================================================

==================================================
Friendly Name     : WAN
Description       : Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
IPv4 Address      : 192.168.1.50
IPv6 Address      : fe80::c064:bccf:b1dc:91a2%11
Hardware Address : 00-1A-4D-4B-73-93
Permanent Address :
Media Type        : Ethernet
State             : Bound
==================================================

It seems that I have a problem with the Friendly Name of the "Teredo Tunneling Pseudo-Interface". On another x64 win7 its friendly name is "Teredo Tunneling Pseudo-Interface" not "Local Area Connection* 11".

winsock catalog seems correct in compare to the other system, only have additional bluetooth stuff on this system.

Any suggestion?

wireshark/winpcap worked...

NetMon 3.0 Uninstall

Wed, 19 Aug 2009 01:25:48 Z

I have NetMon 3.0 installed on a machine which I upgraded from XP to Vista to Windows 7 RTM....
I tried to unistall from the Control Panel, but the error message is "This application only runs on Windows XP and above....." and then the uninstall fails.
I tried to install 3.3 on top, (with of course the option to remove old versions). It look slike it is failing to unistall the old version for the same reason.

Are there any manual ways to unistall?

Thanks in advance.

Gord