What is the preferred way of making Network Monitor use an existing parser on a different port?

  • Question

  • Very often traffic runs on a non-standard port (HTTP on ports other than 80, LDAP for ADLDS on ports other than 389, etc.). Modifying the underlying tcp.npl to direct additional ports to a given protocol parser works, but future revisions to default parsers would overwrite any such changes. Using the RegisterBefore/After calls in a custom parser file also works, but seems to insert an additional layer to the structure in the frame details. Is there another way to do this? What is the recommended method?
    Friday, July 31, 2009 6:38 PM

All replies

  • Currently, changing the parser logic is the only way to use alternate ports. Actually, for HTTP we try to detect the traffic, so this should occur automatically. If it does not, it would be interesting to see an example trace where this does not happen. But for LDAP and ADLDS and others, you'll have to modify the parsers.

    While it's true future parser updates could overwrite your changes, you should keep the parsers in your local parser directory so a new update does not overwrite the parsers. Then you can look for changes and reverse integrate your port changes backwards.

    We understand this isn't ideal and we hope to provide a more straightforward way to do this in the future.

    Thanks,

    Paul
    Tuesday, August 4, 2009 2:31 PM