Search results matching tag 'NETMON input format'

RE: Netmon 3 and new version of log parser

LogParser User : Ken Vizena — Thu, 07 Dec 2006 14:54:00 GMT

I know the original author has left Microsoft from previous posts. I also know that there are severe problems with non-tcp data being manipulated that is not fixed with the current version (post below this one). I am working on a perl script instead of waiting for an update.

Netmon 3 and new version of log parser

LogParser User : fred esnouf (ISA MVP) — Tue, 05 Dec 2006 16:42:00 GMT

Hi guys,

I would like to know if the team plan to release a new version of log parser especially on netmon files. I am doing a lot of network analysis, and there are some limitations ... because netmon V3 is here now, I wonder if there is a plan to update LogPArser.

Thanks

fred

libpcap => editcap => netmon v2 => log parser 2.2 => sql 2000/2005

LogParser User : Ken Vizena — Tue, 21 Nov 2006 20:23:00 GMT

We are working on a project to place internal firewalls between very busy segement of our network. We have captured several hundred gb's worth of traffic using ethereal/wireshark. We use editcap to save the file as a netmon v2 file and then use log parser 2.2 to push the converted files into SQL 2000/2005. Once the data exists within a database we right summary reports to group the traffic by sites (several).

Example (not checked for this post)-

site01: lt-tcp/1023 <=> site02: gt-tcp/1023
site01: gt-tcp/1023 <=> site02: lt-tcp/1023
site01: gt-tcp/1023 <=> site02: gt-tcp/1023
site01: lt-tcp/1023 <=> site02: lt-tcp/1023
site01: lt-tcp/1023 <=> site02: lt-tcp/1023
site01: tcp/123 <=> site02: tcp/123

gt = >
lt = <

Once we have identified all permitted traffic we then write nested acl's to have sql 2005 reporting generate our acl's automagically.

The reason I am asking this question in the forum is we have noticed that log parser does not have a protocol column. All non-tcp packets are dropped when log parser pipes the netmonv2 logs into SQL.

Txt output from capture file that includes frame/packet number 123:

o. Time Source Destination Protocol Info
123 11.394410 10.10.100.1 10.10.24.101 Syslog LOCAL4.NOTICE: %REMOVED-5-111008: User 'REMOVED' executed the 'REMOVED' command.\n

Frame 123 (116 bytes on wire, 116 bytes captured)
Ethernet II, Src: ExtremeN_10:ef:c0 (00:01:30:10:ef:c0), Dst: HewlettP_cf:b7:5b (00:13:21:cf:b7:5b)
Internet Protocol, Src: 10.10.100.1 (10.10.100.1), Dst: 10.10.24.101 (10.10.24.101)
User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
Source port: syslog (514)
Destination port: syslog (514)
Length: 82
Checksum: 0xd094 [correct]
Syslog message: LOCAL4.NOTICE: %REMOVED-5-111008: User 'REMOVED' executed the 'REMOVED' command.\n

Here is the exported data after doing "C:\Program Files\Log Parser 2.2>logparser -i:NETMON -o:CSV "select * INTO NetMonOutput.csv from testing.cap"

C:\Program Files\Log Parser 2.2\testing.cap 122 11/21/2006 14:18 106 00013010EFC0 10.10.removed.removed 22 001321CFB75B 10.10.24.101 2251 4 253 AP 955091222 2910384781 8192 52 .ch.u.E{...3.....S.^.k..6x]....o...vv.o'..HR....o.N_ 1

C:\Program Files\Log Parser 2.2\testing.cap 124 11/21/2006 14:18 54 001321CFB75B 10.10.removed.removed 2251 00013010EFC0 10.10.100.1 22 4 128 A 2910384781 955091274 15732 0 1

As you can see the logparser drops any non-tcp packets when doing the output to any format when using netmon v2 (tested v1 as well with same results)

Anyone?

RE: are there any free conversion tools that can convert tcpdump or

LogParser User : Ken Vizena — Tue, 21 Nov 2006 20:04:00 GMT

If you have etehreal/wireshark you can use editcap to export to netmonv1/v2.

RE: any one know netmon file format??

LogParser User : svd — Thu, 30 Mar 2006 22:08:00 GMT

May be this will help

c:\>logparser -h -i:NETMON

Input format: NETMON (NetMon capture files)
Parses NetMon capture files

FROM syntax:

<filename> [, <filename> ...]
Path(s) to NetMon .cap capture file(s)

Parameters:

-fMode        TCPIP|TCPConn : Field mode; TCPIP: each record is a single
                               TCP/IP packet; TCPConn: each record is a
                               single TCP/IP connection [default value=TCPIP]
-binaryFormat ASC|PRINT|HEX : Format of binary fields [default value=ASC]

Fields:

CaptureFilename (S)    Frame (I)      DateTime (T)      FrameBytes (I)
SrcMAC (S)             SrcIP (S)      SrcPort (I)       DstMAC (S)
DstIP (S)              DstPort (I)    IPVersion (I)     TTL (I)
TCPFlags (S)           Seq (I)        Ack (I)           WindowSize (I)
PayloadBytes (I)       Payload (S)    Connection (I)

Examples:

Display total network traffic bytes per second:

LogParser "SELECT QUANTIZE(DateTime, 1) AS Second, SUM(FrameBytes) INTO
DATAGRID FROM myCapture.cap GROUP BY Second"

I am unable to parse L2TP cap file using LogParser

LogParser User : Bhushan — Sun, 04 Dec 2005 06:44:00 GMT

I captured pure L2TP traffic into a cap file (pure means no IPSec stuff to encrypt). I can clearly see the L2TP packets in Netmon.

But I cant get the payload via LogParser.

My query is

LogParser.exe -i:NETMON -binaryFormat HEX "SELECT payload into temp.txt from 'L2TP.cap' "

Whats wrong with this query?

Even something like

LogParser.exe -i:NETMON -binaryFormat HEX "SELECT * into temp.txt from 'L2TP.cap' "

produces no ouput!

Netmon parser doesn't work with all netmon files

LogParser User : Neil Pike — Sun, 02 Oct 2005 21:34:00 GMT

I can't get logparser to work with all capture files. Netmon opens them fine though. See below for the error I get.

logparser -i:NETMON "select top 1 * from nowork.cap"

Task aborted.

Statistics:
-----------
Elements processed: 0
Elements output: 0
Execution time: 0.01 seconds

I've attached a zip with a working and non-working file.

A bug to fix for 2.3 perhaps! Fingers crossed anyway.

RE: are there any free conversion tools that can convert tcpdump or

LogParser User : Poopyscumbucket — Fri, 23 Sep 2005 16:03:00 GMT

Install ethereal and go to the same directory where it's installed. There's a command line tool called mergecap and you can convert the libpcap format to either netmon1, netmon2, or any other format you wish under the following choices:

libpcap - libpcap (tcpdump, Ethereal, etc.)
rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
modlibpcap - modified libpcap (tcpdump)
nokialibpcap - Nokia libpcap (tcpdump)
lanalyzer - Novell LANalyzer
ngsniffer - Network Associates Sniffer (DOS-based)
snoop - Sun snoop
netmon1 - Microsoft Network Monitor 1.x
netmon2 - Microsoft Network Monitor 2.x
ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
nettl - HP-UX nettl trace
visual - Visual Networks traffic capture
5views - Accellent 5Views capture
niobserverv9 - Network Instruments Observer version 9
rf5 - Tektronix K12xx 32-bit .rf5 format

RE: any one know netmon file format??

LogParser User : Gabriele Giuseppini — Wed, 29 Jun 2005 13:09:00 GMT

The format is described in the Windows SDK - look at NetMon.h.

any one know netmon file format??

LogParser User : dylan — Wed, 29 Jun 2005 04:41:00 GMT

any one know netmon file format? discussion ? or other forum please mail me
at dylan_angel180@hotmail.com

thks
dylan