Unable to Filter SOAP Response using API's

  • Question

  • Hi,

    I was unable to filter out SOAP packets via NmAddFilter and NmEvaluateFilter.
    The NmEvaluateFilter test fails (the boolean filter test fails) when I try to give "ProtocolName == \"SOAP\"". In the UI, filtering happens.

    Parsing HTTP and other protocols like SSDP worked fine.

    Appreciate any help or pointer on this.

    Regards,
    Divya

    Thursday, June 17, 2010 11:23 PM

Answers

  • Thanks for the answer, Paul.

    Specifying the filter as "SOAP" instead of ProtocolName=="SOAP" worked fine.

    C:\shared-us>nmcap /inputcapture recent.cap /capture SOAP /file
    out.cap

    In the API

    NmAddFilter(myFrameParserConfig, L"SOAP", &mySOAPFilterID);

    worked fine as well!

    Thanks,

    Divya

    • Marked as answer by Divya Soundar Friday, June 25, 2010 6:47 PM
    Friday, June 25, 2010 6:47 PM

All replies

  • There could be multiple possibilities here, but the first that comes to mind is Conversations.  Some protocols require state.  State is maintained as state variables in the conversation.  With the API you can enable conversations; you can look at the example on CodePlex (http://www.Codeplex.com/NMExperts).

    When the UI runs, it actually takes two parsing passes.  It loads the whole trace, which builds every conversation and populates all global properties.  So to get the exact same type of filtering as the UI, this might be necessary.  However, the filter you mentioned should not require multiple passes.

    Paul

    Friday, June 18, 2010 6:03 PM
  • Hi Paul,

    Thanks a lot for the info on Conversations. I enabled conversations and reassembly.

    But still I am able to filter only one SOAP frame, whereas in the UI there were 10 SOAP frames filtered.

    Am I missing something here?

    ret = NmConfigConversation(myFrameParserConfig, NmConversationOptionNone, TRUE);

    ret = NmConfigReassembly(myFrameParserConfig, NmReassemblyOptionNone, TRUE);

    ret = NmAddFilter(myFrameParserConfig, L"ProtocolName == \"SOAP\"", &mySOAPFilterID);

    Only one frame got filtered.

    // I attempted to extract the HTTP portion using the frame offset for HTTP 0x4A and for SOAP 0x61

    NmGetPartialRawFrame(myRawFrame, 0x4a, RawFrameLength, PartialBuf, &ActFrameLength);

    One more question: do we have a UPnP protocol parser for Netmon?

    Regards,

    Divya

    Wednesday, June 23, 2010 12:06 AM
  • Let's test with NMCap to see if this type of parsing requires two passes.  Run this command and tell me if it returns 10 frames saved.

    nmcap /inputcapture in.cap /capture ProtocolName=="SOAP" /file out.cap

    If it does, then the program is not working correctly.  If it does NOT, then you need to make two passes through the file.

     

    Paul

    Wednesday, June 23, 2010 6:32 PM
  • Hi Paul,

    There were no frames returned. Two passes through the file? I am new to programming using the Netmon APIs. Can you point me to some documentation through which I can understand more about implementing more than one pass through the file?

    Also, do we have a UPnP parser for Netmon?

    Best Regards,

    Divya

    The command-line snapshot is:

    C:\shared-us>nmcap /inputcapture recent.cap /capture ProtocolName=="SOAP" /file
    out.cap
    Netmon Command Line Capture (nmcap) 3.3.1641.0
    Loading Parsers ...
    [INFO] sparser.npb:001.000 Successfully unserialized NPL parser 'C:\Users\admin\
    AppData\Local\Microsoft\Network Monitor 3\sparser.npb. (0x83008006)

    Saving info to:
    C:\shared-us\out.cap - using circular buffer of size 20.00 MB.

    ATTENTION: Conversations Enabled: consumes more memory (see Help for details)

    Exit by Ctrl+C

    Completed   | Received: 11408 Saved: 0 | Time: 1 second.
    C:\shared-us>

    Wednesday, June 23, 2010 7:06 PM