SQLNA Wifi and ETL TimeStamp improvements

1. Improved the WiFi parser to handle WiFi traffic in an ETL file, which is missing the Metadata header that's in a NETMON capture.
2. Fixed a silent data precision overflow error in the Event Header TimeStamp caused by a long trace and calculated using integer scaling. In ETLFileReader.

Author: Malcolm-Stewart

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo

@@ -94,7 +94,7 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
             bool f_start = ((rawData->EventHeader.Keyword) & 0x40000000) != 0;
             bool f_end = ((rawData->EventHeader.Keyword) & 0x80000000) != 0;
             bool f_Ethernet8023 = ((rawData->EventHeader.Keyword) & 0x1) != 0;  // process Ethernet events
-            bool f_Wifi = ((rawData->EventHeader.Keyword) & 0x100) != 0;        // process Wi-Fi events - not yet implemented
+            bool f_Wifi = ((rawData->EventHeader.Keyword) & 0x10000) != 0;        // process Wi-Fi events -  Native802.11, not Wireless WAN
             Guid gu = (&rawData->EventHeader)->ProviderId;
             ushort eventID = rawData->EventHeader.Id;
             ushort WFPFragmentEventType = 0;              // WFP fragments need to remove the fragment header in event type 2000
@@ -105,6 +105,14 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
             PartialFrame pf = null;
             byte[] userData = null;
 
+            // debug code
+            //if (ProcessID == xxxx && ThreadID == xxxx)
+            //{
+            //    Console.WriteLine(ThreadID.ToString());    // break on this line
+            //    // look at m_eventCount for the prior frame number
+            //}
+            // end debug code
+
             short arrayOffset = gu == PKTMON || gu == WFP ? (short)0 : NDIS_HEADER_LENGTH;  // we want the pktmon header to be part of the data, not so with the NDIS/wfp header
 
             // Debug.WriteLine($"TraceEvent_EventCallback: Frame:{m_eventCount + 1}, ProviderID: {gu}, NDIS: {NDIS}, PKTMON: {PKTMON}");
@@ -166,7 +174,22 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                 }
                 f = new Frame();
                 f.frameNumber = m_eventCount;
-                f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp) * 10000000 / m_QPCFreq));
+
+                // debug code
+                //if (m_eventCount == 368198)
+                //{
+                //    Console.WriteLine();
+                //}
+                // end debug code
+
+                if (m_QPCFreq == 10000000)
+                {
+                    f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp))); // reduce math errors if the stopwatch frequency is 1 tick
+                }
+                else
+                {
+                    f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp) * (double)(100000000 / m_QPCFreq)));
+                }
                 userData = new byte[rawData->UserDataLength - arrayOffset];
                 var x = ((byte*)rawData->UserData);
                 for (int i = 0; i < userData.Length; i++) userData[i] = x[i + arrayOffset];  // move bytes over
@@ -186,6 +209,10 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                 f.data = userData;
                 f.linkType = (ushort)(f_Ethernet8023 ? 1 : f_Wifi ? 6 : 0);  // Ethernet -> 1, Wifi -> 6, else 0
 
+                if (gu == NDIS)
+                {
+                    f.isNDIS = true;
+                }
                 if (gu == PKTMON)
                 {
                     f.isPKTMON = true;

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide

@@ -614,6 +614,12 @@ private static void DisplayResetConnections(NetworkTrace Trace)
                             rd.startOffset = ((FrameData)c.frames[0]).ticks - firstTick;
                             rd.endTicks = ((FrameData)c.frames[c.frames.Count - 1]).ticks;
                             rd.endOffset = rd.endTicks - firstTick;
+                            // debug code
+                            //if (rd.startOffset < 0 || rd.endOffset < 0)
+                            //{
+                            //    Console.WriteLine($"First Tick: {firstTick}, Conv Start Tick: {((FrameData)c.frames[0]).ticks}, Conv End Tick: {rd.endTicks}");
+                            //}
+                            // end debug code
                             rd.duration = rd.endOffset - rd.startOffset;
                             rd.isClientReset = false;
                             rd.rawRetransmits = c.rawRetransmits;

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm

@@ -274,7 +274,7 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
                                     }
                                 case 6:  // WiFi
                                     {
-                                        ParseWifiFrame(frame.data, 0, t, f); // TODO flesh this out
+                                        ParseWifiFrame(frame.data, 0, t, f, frame.isNDIS); // TODO flesh this out
                                                                              // Test file: \Documents\Interesting Network Traces\WifiTrace\
                                         break;
                                     }
@@ -388,6 +388,8 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
                 case 0x0800:   // IPV4
                     ParseIPV4Frame(b, offset, t, f);
                     break;
+                case 0x0806:   // ARP - ignore and do not log
+                    break;
                 case 0x8100:   // 802.1Q
                     Parse8021QFrame(b, offset, t, f);
                     break;
@@ -398,6 +400,8 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
                 case 0x22EB:   // ERSPAN Type III
                     ParseERSPANFrame(b, offset, t, f);
                     break;
+                case 0x88CC:   // LLDP - 802.1 Link Layer Discovery Protocol - ignore and do not log
+                    break;
                 case 0x8926:   // VNETTag
                     ParseVNTagFrame(b, offset, t, f);
                     break;
@@ -499,6 +503,7 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
             Boolean isWifi = false;
             Boolean isFragment = false;
             Boolean isPktmon = false;
+            Boolean isNDIS = false;
             ushort userDataLength = 0;
             uint ETLFragmentSize = 0;
 
@@ -515,8 +520,9 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
             byte[] GuidBytes = new byte[16];
             Array.Copy(b, offset, GuidBytes, 0, 16);
             Guid ProviderID = new Guid(GuidBytes); // 0x6E00D62E29470946B4233EE7BCD678EF yields GUID {2ed6006e-4729-4609-b423-3ee7bcd678ef}
+            isNDIS = ProviderID.Equals(NDIS);
             isPktmon = ProviderID.Equals(PKTMON);
-            if (!ProviderID.Equals(NDIS) && !isPktmon) return;  // not the provider we want
+            if (!isNDIS && !isPktmon) return;  // not the provider we want
             offset += 16;
 
             // Read Descriptor - Event ID
@@ -568,7 +574,7 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
             }
             else if (isWifi)
             {
-                ParseWifiFrame(b, offset, t, f);
+                ParseWifiFrame(b, offset, t, f, isNDIS);
             }
         }
 
@@ -937,7 +943,7 @@ public static void ParseEthernetFrame(byte[] b, int offset, NetworkTrace t, Fram
             }
         }
 
-        public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
+        public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameData f, bool isNDIS)
         {
             byte version = 0;
             ushort metadataLength = 0;
@@ -951,16 +957,19 @@ public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameDat
             ulong destMAC = 0;
             ushort NextProtocol = 0;    // IPV4 = 0x0800 (2048)    IPV6 = 0x86DD (34525)
 
-            // Read Wifi Metadata
-            version = b[offset];
-            if (version != 2)
+            if (isNDIS == false)  // skip the metadata for NDIS captures; they start with the Frame Control
             {
-                Program.logDiagnostic($"ParseWifiFrame. Frame {f.frameNo}. Unknown Wifi version: {version}");
-                return;
-            }
+                // Read Wifi Metadata
+                version = b[offset];
+                if (version != 2)
+                {
+                    Program.logDiagnostic($"ParseWifiFrame. Frame {f.frameNo}. Unknown Wifi version: {version}");
+                    return;
+                }
 
-            metadataLength = utility.ReadUInt16(b, offset + 1);
-            offset += metadataLength;
+                metadataLength = utility.ReadUInt16(b, offset + 1);
+                offset += metadataLength;
+            }
 
             // Read Frame Control
 

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal

@@ -32,7 +32,7 @@ class Program
                                                              // filterFormat A = AUTO, will perform NETMON or WirreShark filters based on the capture type ... ETL -> Netmon format
 
         public static string VERSION_NUMBER = Assembly.GetExecutingAssembly().GetName().Version.ToString();
-        public const string UPDATE_DATE = "2022/04/01";
+        public const string UPDATE_DATE = "2024/01/01";
         public const string GITHUB_PROJECT_URL = "https://github.com/microsoft/CSS_SQL_Networking_Tools";
 
         static void Main(string[] args)

SQL_Network_Analyzer/SQLNA/ETLFileReader.cs

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.5.2055.0")]
-[assembly: AssemblyFileVersion("1.5.2055.0")]
+[assembly: AssemblyVersion("1.5.2083.0")]
+[assembly: AssemblyFileVersion("1.5.2083.0")]

SQL_Network_Analyzer/SQLNA/OutputText.cs

@@ -21,6 +21,7 @@ public class Frame
         public long ticks;				   // Absolute ticks of frame (calculated)
         public byte[] data;		   	       // Byte data for frame.
         public long length = 0;		       // Length of data in bytes.
+        public bool isNDIS = false;        // ETLFileReader sets this - if false, use the linkType to determine the parser
         public bool isPKTMON = false;      // ETLFileReader sets this - if false, use the linkType to determine the parser
         public bool isWFP = false;         // ETLFileReader sets this - if false, use the linkType to determine the parser
         public ushort EventType = 0;       // ETLFileReader sets this