Overview

Network Monitor displays protocol information for network administrators to use when viewing network traffic and troubleshooting problems. By writing custom protocol parsers, you can extend the set of protocols for which information is displayed in Network Monitor.

Protocol parsers read through raw network frames (packets of network data), locating specific protocol headers within the data stream, attaching descriptions (properties) to each field of the headers, and identifying those properties to the Network Monitor kernel. Network Monitor then displays the captured data and the properties attached by the parser, to help the network administrator understand the data. For example, when a parser programmed to identify the SMB protocol identifies an SMB header, it attaches the command field property to the fifth byte relative to the start of the SMB header. When Network Monitor displays this field, it displays not only the name of the command (SMB Command), but also the decoded value; for example, 0x2d is always displayed as SMBOpenX.

Note: Parsers make no decisions about whether frames are displayed; they simply recognize certain fields and alert the Network Monitor kernel. Filtering is done at a higher level, which allows filter queries to span parsers and greatly simplifies parser writing.

Note that you must not use any threads, or APIs that will not run on Win32s, in your parser.

Before attaching properties to the raw data, a parser must first register all possible properties with the Network Monitor kernel. The parser tells the kernel to create a property database, and then fills the property database with all of the possible properties for its protocol. Each property in the property database contains information such as a textual description, a data type and qualifier (used to format the raw data), and a formatting routine for displaying the data.
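The two-phase flow this overview describes (register every possible property in a database first, then, per frame, locate the header and attach property instances to byte ranges that the kernel formats for display) can be shown with a small stand-alone model. The following C code is an added example written for this page, not Network Monitor SDK code: the type and function names (PropertyDatabase, PropertyInstance, smb_register, smb_recognize, describe and the rest) are this example's own, and the label set is constructed around the page's 0x2d/SMBOpenX case plus a few other SMB1 command codes. It uses the SMB command field from the text: the fifth byte relative to the start of the SMB header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a self-contained model of the property-database scheme described in the
 * overview. All names here are this example's own, not the Network Monitor SDK's. */

typedef enum { DT_BYTE, DT_BYTESTRING } DataType;
typedef enum { DQ_NONE, DQ_LABELSET } DataQualifier;   /* qualifier: how the raw data is formatted */

typedef struct { uint32_t value; const char *label; } SetEntry;

typedef struct Property Property;
/* Formatting routine: renders a field's raw bytes as display text. */
typedef int (*FormatFn)(const Property *p, const uint8_t *field, size_t len, char *out, size_t outlen);

struct Property {
    const char *label;      /* textual description shown beside the field */
    DataType type;
    DataQualifier qualifier;
    const SetEntry *set;    /* label set consulted when qualifier == DQ_LABELSET */
    size_t set_count;
    FormatFn format;
};

#define MAX_PROPERTIES 8
typedef struct { Property props[MAX_PROPERTIES]; size_t count; } PropertyDatabase;

/* A property instance ties a registered property to a byte range of one frame. */
typedef struct { const Property *prop; size_t offset; size_t length; } PropertyInstance;
#define MAX_INSTANCES 16
typedef struct { PropertyInstance inst[MAX_INSTANCES]; size_t count; } Attachments;

/* --- formatting routines --- */
static int format_labeled_byte(const Property *p, const uint8_t *field, size_t len, char *out, size_t outlen) {
    size_t i;
    if (len < 1) return -1;
    for (i = 0; i < p->set_count; i++)
        if (p->set[i].value == field[0])
            return snprintf(out, outlen, "%s: %s (0x%02x)", p->label, p->set[i].label, field[0]);
    return snprintf(out, outlen, "%s: 0x%02x", p->label, field[0]);   /* unknown value: raw byte only */
}

static int format_hex_bytes(const Property *p, const uint8_t *field, size_t len, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s:", p->label);
    size_t i;
    for (i = 0; i < len && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, " %02x", field[i]);
    return n;
}

/* --- registration: fill the property database before any frame is parsed --- */
static int add_property(PropertyDatabase *db, Property p) {
    if (db->count >= MAX_PROPERTIES) return -1;
    db->props[db->count] = p;
    return (int)db->count++;
}

/* Constructed label set: 0x2d is the page's example; the others are SMB1 command codes. */
static const SetEntry smb_commands[] = {
    { 0x2d, "SMBOpenX" }, { 0x72, "SMBNegotiate" },
    { 0x73, "SMBSessionSetupX" }, { 0x75, "SMBTreeConnectX" },
};
enum { PROP_SMB_SIGNATURE = 0, PROP_SMB_COMMAND = 1 };

static void smb_register(PropertyDatabase *db) {
    Property sig = { "SMB Signature", DT_BYTESTRING, DQ_NONE, NULL, 0, format_hex_bytes };
    Property cmd = { "SMB Command", DT_BYTE, DQ_LABELSET, smb_commands,
                     sizeof smb_commands / sizeof smb_commands[0], format_labeled_byte };
    db->count = 0;
    add_property(db, sig);
    add_property(db, cmd);
}

/* --- recognition: locate the SMB header at hdr_off and attach properties to its fields ---
 * Returns the number of properties attached, or 0 if no complete SMB header is present.
 * The length check is not optional: a parser reads untrusted bytes and must never read
 * past the end of the frame, however malformed the capture is. */
#define SMB1_HEADER_LEN 32
static size_t smb_recognize(const uint8_t *frame, size_t frame_len, size_t hdr_off,
                            const PropertyDatabase *db, Attachments *out) {
    static const uint8_t magic[4] = { 0xff, 'S', 'M', 'B' };
    out->count = 0;
    if (hdr_off > frame_len || frame_len - hdr_off < SMB1_HEADER_LEN) return 0;
    if (memcmp(frame + hdr_off, magic, 4) != 0) return 0;
    out->inst[out->count++] = (PropertyInstance){ &db->props[PROP_SMB_SIGNATURE], hdr_off, 4 };
    /* the command field is the fifth byte relative to the start of the SMB header */
    out->inst[out->count++] = (PropertyInstance){ &db->props[PROP_SMB_COMMAND], hdr_off + 4, 1 };
    return out->count;
}

/* --- display: what the kernel does with an attached property instance --- */
static int describe(const uint8_t *frame, const PropertyInstance *pi, char *out, size_t outlen) {
    return pi->prop->format(pi->prop, frame + pi->offset, pi->length, out, outlen);
}

int main(void) {
    /* Constructed frame: 4-byte NetBIOS session header, then an SMB1 header whose command is 0x2d */
    uint8_t frame[4 + SMB1_HEADER_LEN] = { 0x00, 0x00, 0x00, 0x20, 0xff, 'S', 'M', 'B', 0x2d };
    PropertyDatabase db; Attachments att; char line[64]; size_t i;
    smb_register(&db);
    smb_recognize(frame, sizeof frame, 4, &db, &att);
    for (i = 0; i < att.count; i++) { describe(frame, &att.inst[i], line, sizeof line); puts(line); }
    return 0;
}
```

The split between smb_recognize and describe mirrors the division of labour in the text: the parser only identifies fields and attaches registered properties; turning the raw byte 0x2d into "SMBOpenX" is the job of the formatting routine stored in the property database, and deciding whether the frame is shown at all is left to the kernel's filter layer.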