Parser Entry Points

Every parser has five entry points: Register, Deregister, RecognizeFrame, AttachProperties, and FormatProperties. Register builds the property database by making calls to CreatePropertyDatabase, and then passes the database back to the kernel. RecognizeFrame takes a pointer to raw data and tells the kernel whether or not the parser recognizes the data; if the parser does recognize the data, it also passes back the length of the recognized data. AttachProperties identifies every displayable element of the recognized frame. For detailed information about entry points, see Entry Point Functions for Protocol Parser DLLs.

Here is an example of a parser calling sequence:

    

The parser will be called many times at the RecognizeFrame entry for each of the frames being looked at by the kernel. FormatProperties will be called only if the user interface wants to display the frame. Register and Deregister will be called only at the beginning and the end, respectively.
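The call order described above, modeled in C as an added example; it is not Network Monitor's API or code from the original page. The `toy_*` functions, `run_capture`, the "NP" toy protocol and the sample frames are hypothetical, and calling the attach step right after a successful recognize is an assumption of the model. The recognize step also rejects an on-wire length that exceeds the bytes actually available.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not the Network Monitor API. Toy protocol:
   2-byte magic "NP", 1-byte payload length, then the payload. */
struct frame { const uint8_t *data; size_t len; };
static char trace[64];              /* records the order of entry-point calls */
static size_t tpos;
static void mark(char c) { if (tpos + 1 < sizeof trace) { trace[tpos++] = c; trace[tpos] = '\0'; } }

static void toy_register(void)   { mark('R'); }  /* would build the property database */
static void toy_deregister(void) { mark('D'); }

/* Returns the recognized length, or 0 if the data is not ours or is truncated. */
static size_t toy_recognize(const uint8_t *p, size_t bytes_left)
{
    mark('r');
    if (p == NULL || bytes_left < 3 || memcmp(p, "NP", 2) != 0) return 0;
    size_t claimed = 3u + p[2];
    return claimed <= bytes_left ? claimed : 0;  /* on-wire length is untrusted */
}

static void toy_attach(const uint8_t *p, size_t n) { (void)p; (void)n; mark('A'); }
static void toy_format(const uint8_t *p, size_t n) { (void)p; (void)n; mark('F'); }

/* Models the kernel side: returns how many frames the parser recognized.
   `shown` is the index of the one frame the UI displays (or -1 for none). */
static int run_capture(const struct frame *f, int count, int shown)
{
    int recognized = 0;
    tpos = 0; trace[0] = '\0';
    toy_register();                               /* once, at the beginning */
    for (int i = 0; i < count; i++) {
        size_t n = toy_recognize(f[i].data, f[i].len);  /* once per frame */
        if (n == 0) continue;
        recognized++;
        toy_attach(f[i].data, n);                 /* assumed: right after recognition */
        if (i == shown) toy_format(f[i].data, n); /* only when the UI displays it */
    }
    toy_deregister();                             /* once, at the end */
    return recognized;
}

/* Constructed sample frames: valid, length field exceeds buffer, wrong magic. */
static const uint8_t ok[]      = { 'N', 'P', 2, 0xAA, 0xBB };
static const uint8_t bad_len[] = { 'N', 'P', 9, 0xAA };
static const uint8_t other[]   = { 'X', 'Y', 0 };
static const struct frame sample[] = { { ok, sizeof ok }, { bad_len, sizeof bad_len }, { other, sizeof other } };
```

After `run_capture`, `trace` holds one letter per entry-point call in the order they occurred (`R` register, `r` recognize, `A` attach, `F` format, `D` deregister).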

When you call LoadLibrary on a Network Monitor parser, the parser calls back into the kernel during initialization and passes a structure containing pointers to the entry points for each protocol parser stored in the DLL. The kernel then evaluates whether or not it wants each parser's entry points. This allows Network Monitor to swap out a specific parser (for example, NFS) in the field without disturbing the other parsers. You can write a parser for NFS, load it into the system, and tell the system to use your NFS parser instead of the one provided with Network Monitor.