
@michaelgruenewald
Created May 23, 2012 08:43
TWP3 Protocol Parser for Microsoft Network Monitor 3
// TWP3 Protocol Parser
//
// Copy this file into your Microsoft Network Monitor Parser directory
// (usually My Documents\Network Monitor 3\Parsers) and include it in
// the `my_sparser.npl` file in the same directory, by adding the
// line `include "twp3.npl"`. Finally, make sure that the latter file is
// part of your parser profile.
// Auto-detect TWP3, but don't mess with other HTTP requests.
//
// Registration: TWP3 is offered a TCP payload (after WSP) when either
//   - the conversation is already flagged via Conversation.ThisIsTWP3, or
//   - the port test passes AND the next five bytes are the ASCII magic
//     "TWP3\n". The port test reads "80, or above 9000 and below 9100",
//     assuming && binds tighter than || here -- TODO confirm for NPL.
// The attribute after the registration sets Conversation.ThisIsTWP3, so later
// frames of the same conversation (which do not start with the magic) still
// reach this parser.
// NOTE(review): the flag is never cleared in this file, so one matching frame
// causes every later frame of that conversation to be decoded as TWP3. When
// reading a capture, treat the decoded view as only as reliable as that first
// five-byte match.
[RegisterAfter(TCPPayload.WSP, TWP3, Conversation.ThisIsTWP3
||((TCP.Port == 80 || TCP.Port > 9000 && TCP.Port < 9100)
&&(AsciiString(FrameData, FrameOffset, 5) == "TWP3\n")))]
[Conversation.ThisIsTWP3 = True]
// Summary line shows how many messages were decoded from this frame.
Protocol TWP3 = FormatString("%d Message(s)", Local.MessageCount)
{
[BuildConversationWithParent]
// Decode the 5-byte magic once per conversation: in the first frame that still
// has bytes left, and again whenever that same frame is parsed again (its
// frame number is remembered in Conversation.TWPMagicFrameNumber).
switch {
case ((FrameOffset < FrameLength)
&&(!Conversation.TWPMagicFrameNumber
||Conversation.TWPMagicFrameNumber == FrameNumber)):
_Struct {
[Conversation.TWPMagicFrameNumber = FrameNumber]
AsciiString(5) Magic;
}
}
// Same once-per-conversation pattern for the protocol id, which is decoded as
// a single TWP3Field. It uses its own frame-number property, so it is picked
// up from a later frame if no bytes remain after the magic in this one.
switch {
case ((FrameOffset < FrameLength)
&&(!Conversation.TWPProtocolIdFrameNumber
||Conversation.TWPProtocolIdFrameNumber == FrameNumber)):
_Struct {
[Conversation.TWPProtocolIdFrameNumber = FrameNumber]
TWP3Field ProtocolId;
}
}
// Everything left in the frame is decoded as a run of messages, counted for
// the summary line.
// NOTE(review): no reassembly is visible here; a message split across TCP
// segments would presumably be decoded from its middle in the next frame.
[Local.MessageCount = 0]
While [FrameOffset < FrameLength]
{
[Local.MessageCount = Local.MessageCount + 1]
TWP3Message Message;
}
}
// One TWP3 message: a tag byte followed by a field list (TWP3Fields).
// The summary shows Tag - 4 as the message number; TWP3FieldDesc labels tags
// 4..11 as "Message/Union Alternative". The tag is not range-checked here, so
// a byte outside 4..11 at this position is still displayed as
// "Message <Tag - 4>" (negative for tags below 4).
Struct TWP3Message = FormatString("Message %d", Tag - 4)
{
UINT8 Tag;
TWP3Fields Fields;
}
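// A run of TWP3Field entries terminated by an End Of Content field (tag 0).
// Property.EOC is the terminator flag: it is cleared on entry, set by
// TWP3Field when it reads tag 0, and cleared again once this struct is done
// (Post.Property.EOC) so that the End Of Content of a nested field list does
// not also end the enclosing one. The summary shows the number of fields
// decoded, the terminator included.
Struct TWP3Fields = FormatString("%d Field(s)", Local.FieldCount)
{
    [Property.EOC = False]
    [Post.Property.EOC = False]
    [Local.FieldCount = 0]
    // Stop at the end of the frame as well as at End Of Content. The bytes come
    // straight from captured traffic, and a truncated or malformed frame may
    // never supply the terminating tag; without the frame bound this loop has
    // no exit condition tied to the data that is actually present.
    While [Property.EOC == False && FrameOffset < FrameLength] {
        [Local.FieldCount = Local.FieldCount + 1]
        TWP3Field Field;
    }
}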
// One TWP3 field: a tag byte, then a value whose layout is selected by the
// tag. The display name comes from TWP3FieldDesc(Tag).
// All lengths below are read from the captured bytes and are not compared with
// the bytes remaining in the frame in this file.
// NOTE(review): confirm how Network Monitor treats a BLOB length that exceeds
// the frame.
Struct TWP3Field = TWP3FieldDesc(this.Tag)
{
UINT8 Tag;
switch {
// End Of Content: no value; raises Property.EOC, which ends the TWP3Fields
// loop that is reading this field.
case Tag == 0:
[Property.EOC = True]
_Struct { };
// Omitted optional field: no value bytes.
case Tag == 1:
_Struct { };
// Struct and Sequence: a nested field list. TWP3Fields in turn contains
// TWP3Field, so nesting depth is whatever the capture dictates; no depth
// limit is applied here.
case Tag == 2:
_Struct { TWP3Fields Value; }
case Tag == 3:
_Struct { TWP3Fields Value; }
// Message/Union alternative: exactly one nested field.
case (Tag >= 4) AND (Tag <= 11):
_Struct { TWP3Field Value };
// NOTE(review): there is no case for Tag == 12, although TWP3FieldDesc labels
// it "Registered Extension". Only the tag byte is consumed, so the bytes of an
// extension would be decoded as if they were further fields. Confirm the
// extension layout against the TWP3 specification before relying on output
// that follows a tag 12.
// Integers: 8-bit and 32-bit signed.
case Tag == 13:
_Struct { INT8 Value; }
case Tag == 14:
_Struct { INT32 Value; }
// Binary, short encoding: 8-bit length prefix.
case Tag == 15:
_Struct {
UINT8 BinaryLength;
BLOB(BinaryLength) Value;
}
// Binary, long encoding: 32-bit length prefix.
case Tag == 16:
_Struct {
UINT32 BinaryLength;
BLOB(BinaryLength) Value;
}
// String, short encoding: the length is carried in the tag itself
// (Tag - 17, i.e. 0..109 bytes). The value is kept as a BLOB and rendered
// through String(...) for display.
case (Tag >= 17) AND (Tag <= 126):
_Struct {
[ByteOrder = 0]
BLOB(Tag - 17) Value = FormatString("%u byte string: %s", Tag - 17, String(this, 0, 2));
}
// String, long encoding: length prefix, then the bytes.
// NOTE(review): the prefix is read as 8 bits here, whereas the long binary
// encoding (Tag 16) uses 32 bits -- confirm against the TWP3 specification.
case Tag == 127:
_Struct {
UINT8 StringLength;
[ByteOrder = 0]
BLOB(StringLength) Value = FormatString("%u byte string: %s", StringLength, String(this, 0, 2));
}
// Reserved range: this case has no body of its own and is followed directly
// by the application-data case.
// NOTE(review): confirm whether NPL treats this as sharing the next case's
// body or as an empty case.
case (Tag >= 128) AND (Tag <= 159):
// Application data: 32-bit length prefix, then opaque bytes.
case (Tag >= 160) AND (Tag <= 255):
_Struct {
UINT32 ApplicationLength;
BLOB(ApplicationLength) Value;
}
}
}
// Maps a field tag (0..255) to the label shown for a TWP3Field.
// Every tag value is covered by some case. Tag 12 is labelled here, but
// TWP3Field has no matching parsing case for it. For tags 4..11 the label
// includes the alternative number, Tag - 4.
Table TWP3FieldDesc(Tag) {
switch {
case Tag == 0: "End Of Content";
case Tag == 1: "Omitted Optional Field";
case Tag == 2: "Struct";
case Tag == 3: "Sequence";
case (Tag >= 4) AND (Tag <= 11):
FormatString("Message/Union Alternative %u", Tag-4);
case Tag == 12: "Registered Extension";
case Tag == 13: "Integer (Short Encoding)";
case Tag == 14: "Integer (Long Encoding)";
case Tag == 15: "Binary (Short Encoding)";
case Tag == 16: "Binary (Long Encoding)";
case (Tag >= 17) AND (Tag <= 126):
"String (Short Encoding)";
case Tag == 127:
"String (Long Encoding)";
case (Tag >= 128) AND (Tag <= 159):
"(Reserved)";
case (Tag >= 160) AND (Tag <= 255):
"Application Data";
}
}