Merged
Binary file modified SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
31 changes: 29 additions & 2 deletions SQL_Network_Analyzer/SQLNA/ETLFileReader.cs
Expand Up @@ -94,7 +94,7 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
bool f_start = ((rawData->EventHeader.Keyword) & 0x40000000) != 0;
bool f_end = ((rawData->EventHeader.Keyword) & 0x80000000) != 0;
bool f_Ethernet8023 = ((rawData->EventHeader.Keyword) & 0x1) != 0; // process Ethernet events
bool f_Wifi = ((rawData->EventHeader.Keyword) & 0x100) != 0; // process Wi-Fi events - not yet implemented
bool f_Wifi = ((rawData->EventHeader.Keyword) & 0x10000) != 0; // process Wi-Fi events - Native802.11, not Wireless WAN
Guid gu = (&rawData->EventHeader)->ProviderId;
ushort eventID = rawData->EventHeader.Id;
ushort WFPFragmentEventType = 0; // WFP fragments need to remove the fragment header in event type 2000
Expand All @@ -105,6 +105,14 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
PartialFrame pf = null;
byte[] userData = null;

// debug code
//if (ProcessID == xxxx && ThreadID == xxxx)
//{
// Console.WriteLine(ThreadID.ToString()); // break on this line
// // look at m_eventCount for the prior frame number
//}
// end debug code

short arrayOffset = gu == PKTMON || gu == WFP ? (short)0 : NDIS_HEADER_LENGTH; // we want the pktmon header to be part of the data, not so with the NDIS/wfp header

// Debug.WriteLine($"TraceEvent_EventCallback: Frame:{m_eventCount + 1}, ProviderID: {gu}, NDIS: {NDIS}, PKTMON: {PKTMON}");
Expand Down Expand Up @@ -166,7 +174,22 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
}
f = new Frame();
f.frameNumber = m_eventCount;
f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp) * 10000000 / m_QPCFreq));

// debug code
//if (m_eventCount == 368198)
//{
// Console.WriteLine();
//}
// end debug code

if (m_QPCFreq == 10000000)
{
f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp))); // reduce math errors if the stopwatch frequency is 1 tick
}
else
{
f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp) * (double)(100000000 / m_QPCFreq)));
}
userData = new byte[rawData->UserDataLength - arrayOffset];
var x = ((byte*)rawData->UserData);
for (int i = 0; i < userData.Length; i++) userData[i] = x[i + arrayOffset]; // move bytes over
Expand All @@ -186,6 +209,10 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
f.data = userData;
f.linkType = (ushort)(f_Ethernet8023 ? 1 : f_Wifi ? 6 : 0); // Ethernet -> 1, Wifi -> 6, else 0

if (gu == NDIS)
{
f.isNDIS = true;
}
if (gu == PKTMON)
{
f.isPKTMON = true;
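Review bot: In the else branch added in the `-166,7 +174,22` hunk, the scale factor `(double)(100000000 / m_QPCFreq)` looks wrong in two ways. The literal has eight zeros, while the single-line expression it replaces and the `m_QPCFreq == 10000000` test just above both use 10000000, so the computed offset would come out ten times too large. The cast to double is also applied after the division, so if m_QPCFreq is an integer type (its declaration is outside the hunk) the ratio is truncated before it is used, e.g. a 3 MHz counter yields 33 instead of 33.3. Keeping the conversion in floating point, `f.ticks = m_sessionStartTime.Ticks + (long)((rawData->EventHeader.TimeStamp - FirstTimeStamp) * (10000000.0 / m_QPCFreq));`, avoids both, and since these ticks feed the offsets and durations an analyst reads from the report it is worth checking against a trace whose frequency is not 10 MHz. TraceEvent_EventCallback starts and ends outside these hunks.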
6 changes: 6 additions & 0 deletions SQL_Network_Analyzer/SQLNA/OutputText.cs
Expand Up @@ -614,6 +614,12 @@ private static void DisplayResetConnections(NetworkTrace Trace)
rd.startOffset = ((FrameData)c.frames[0]).ticks - firstTick;
rd.endTicks = ((FrameData)c.frames[c.frames.Count - 1]).ticks;
rd.endOffset = rd.endTicks - firstTick;
// debug code
//if (rd.startOffset < 0 || rd.endOffset < 0)
//{
// Console.WriteLine($"First Tick: {firstTick}, Conv Start Tick: {((FrameData)c.frames[0]).ticks}, Conv End Tick: {rd.endTicks}");
//}
// end debug code
rd.duration = rd.endOffset - rd.startOffset;
rd.isClientReset = false;
rd.rawRetransmits = c.rawRetransmits;
33 changes: 21 additions & 12 deletions SQL_Network_Analyzer/SQLNA/Parser.cs
Expand Up @@ -274,7 +274,7 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
}
case 6: // WiFi
{
ParseWifiFrame(frame.data, 0, t, f); // TODO flesh this out
ParseWifiFrame(frame.data, 0, t, f, frame.isNDIS); // TODO flesh this out
// Test file: \Documents\Interesting Network Traces\WifiTrace\
break;
}
Expand Down Expand Up @@ -388,6 +388,8 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
case 0x0800: // IPV4
ParseIPV4Frame(b, offset, t, f);
break;
case 0x0806: // ARP - ignore and do not log
break;
case 0x8100: // 802.1Q
Parse8021QFrame(b, offset, t, f);
break;
Expand All @@ -398,6 +400,8 @@ public static void ParseNextProtocol(uint ProtocolNumber, byte[] b, int offset,
case 0x22EB: // ERSPAN Type III
ParseERSPANFrame(b, offset, t, f);
break;
case 0x88CC: // LLDP - 802.1 Link Layer Discovery Protocol - ignore and do not log
break;
case 0x8926: // VNETTag
ParseVNTagFrame(b, offset, t, f);
break;
Expand Down Expand Up @@ -499,6 +503,7 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
Boolean isWifi = false;
Boolean isFragment = false;
Boolean isPktmon = false;
Boolean isNDIS = false;
ushort userDataLength = 0;
uint ETLFragmentSize = 0;

Expand All @@ -515,8 +520,9 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
byte[] GuidBytes = new byte[16];
Array.Copy(b, offset, GuidBytes, 0, 16);
Guid ProviderID = new Guid(GuidBytes); // 0x6E00D62E29470946B4233EE7BCD678EF yields GUID {2ed6006e-4729-4609-b423-3ee7bcd678ef}
isNDIS = ProviderID.Equals(NDIS);
isPktmon = ProviderID.Equals(PKTMON);
if (!ProviderID.Equals(NDIS) && !isPktmon) return; // not the provider we want
if (!isNDIS && !isPktmon) return; // not the provider we want
offset += 16;

// Read Descriptor - Event ID
Expand Down Expand Up @@ -568,7 +574,7 @@ public static void ParseNetEventFrame(byte[] b, int offset, NetworkTrace t, Fram
}
else if (isWifi)
{
ParseWifiFrame(b, offset, t, f);
ParseWifiFrame(b, offset, t, f, isNDIS);
}
}

Expand Down Expand Up @@ -937,7 +943,7 @@ public static void ParseEthernetFrame(byte[] b, int offset, NetworkTrace t, Fram
}
}

public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameData f)
public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameData f, bool isNDIS)
{
byte version = 0;
ushort metadataLength = 0;
Expand All @@ -951,16 +957,19 @@ public static void ParseWifiFrame(byte[] b, int offset, NetworkTrace t, FrameDat
ulong destMAC = 0;
ushort NextProtocol = 0; // IPV4 = 0x0800 (2048) IPV6 = 0x86DD (34525)

// Read Wifi Metadata
version = b[offset];
if (version != 2)
if (isNDIS == false) // skip the metadata for NDIS captures; they start with the Frame Control
{
Program.logDiagnostic($"ParseWifiFrame. Frame {f.frameNo}. Unknown Wifi version: {version}");
return;
}
// Read Wifi Metadata
version = b[offset];
if (version != 2)
{
Program.logDiagnostic($"ParseWifiFrame. Frame {f.frameNo}. Unknown Wifi version: {version}");
return;
}

metadataLength = utility.ReadUInt16(b, offset + 1);
offset += metadataLength;
metadataLength = utility.ReadUInt16(b, offset + 1);
offset += metadataLength;
}

// Read Frame Control

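Review bot: In ParseWifiFrame, `metadataLength` is read from the capture bytes and added to `offset` inside the new `if (isNDIS == false)` block without being compared with `b.Length`, and `b[offset]` is indexed with no length check either, so a truncated or malformed Wi-Fi frame would throw from the parser instead of being logged and skipped. The NDIS path introduced here has the same exposure, because it goes straight to the Frame Control read with whatever `offset` the caller passed. A guard such as `if (offset + 3 > b.Length) return;` before the version read, and `if (offset + metadataLength > b.Length) { Program.logDiagnostic(...); return; }` before the advance, would treat a bad frame the same way the unknown-version case is already treated. The rest of ParseWifiFrame and any catch in its callers are outside the hunk, so an existing bounds check further down cannot be ruled out.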
2 changes: 1 addition & 1 deletion SQL_Network_Analyzer/SQLNA/Program.cs
Expand Up @@ -32,7 +32,7 @@ class Program
// filterFormat A = AUTO, will perform NETMON or WirreShark filters based on the capture type ... ETL -> Netmon format

public static string VERSION_NUMBER = Assembly.GetExecutingAssembly().GetName().Version.ToString();
public const string UPDATE_DATE = "2022/04/01";
public const string UPDATE_DATE = "2024/01/01";
public const string GITHUB_PROJECT_URL = "https://github.com/microsoft/CSS_SQL_Networking_Tools";

static void Main(string[] args)
4 changes: 2 additions & 2 deletions SQL_Network_Analyzer/SQLNA/Properties/AssemblyInfo.cs
Expand Up @@ -32,5 +32,5 @@
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.5.2055.0")]
[assembly: AssemblyFileVersion("1.5.2055.0")]
[assembly: AssemblyVersion("1.5.2083.0")]
[assembly: AssemblyFileVersion("1.5.2083.0")]
1 change: 1 addition & 0 deletions SQL_Network_Analyzer/SQLNA/ReaderBase.cs
Expand Up @@ -21,6 +21,7 @@ public class Frame
public long ticks; // Absolute ticks of frame (calculated)
public byte[] data; // Byte data for frame.
public long length = 0; // Length of data in bytes.
public bool isNDIS = false; // ETLFileReader sets this - if false, use the linkType to determine the parser
public bool isPKTMON = false; // ETLFileReader sets this - if false, use the linkType to determine the parser
public bool isWFP = false; // ETLFileReader sets this - if false, use the linkType to determine the parser
public ushort EventType = 0; // ETLFileReader sets this