Ethereal-users: Re: [Ethereal-users] Netmon train

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 23 Nov 2004 11:10:28 -0800
Gisle Vanem wrote:
I made a MS Network Monitor 2.x capture (using netcap from MS'
support tools). I noticed the capture ended with a "netmon train"
frame. What is this used for?

"Netmon Train" is a hack Microsoft uses for putting statistics (packet counts, etc.) into captures; they store them as packets for the "Netmon Train" protocol; they don't represent packets that appear on the wire.

The time stamps on those "packets", as I remember, are bogus.

I'm a little surprised that it was an 802.3+SNAP packet - I thought the ones I saw were Ethernet II packets, but I could be misremembering.

I've attached some notes I took on the format of those "packets", based on the way NetMon dissected one. There are other types of "Netmon Train" packets ("GENERIC", "BOOKMARK", "ODBC", "MESSAGE", and "COMMENT"; I'm not sure I've seen any of those - I think comments can be added to a capture through the UI).

At some point, the Wiretap API should be changed to support supplying additional information such as statistics, and the NetMon capture reader should probably check for those packets and supply them as statistics. (That should probably be done when support for "next generation" libpcap format, which also supports statistics, is added, if not sooner.)

  TRAIL: FRAME TYPE = Capture Statistics

Bytes 0-3:
      TRAIL: Trail ID = $MST

Bytes 4-7:
      TRAIL: ...............................0 = Use this Frame as a Statistics Endpoint
      TRAIL: ..............................0. = Show Statistics for all Frames, even if Filtered
Bytes 8-11:

		101 = GENERIC
		102 = BOOKMARK
		103 = STATS
		104 = ODBC
		105 = ODBC
		106 = MESSAGE
		107 = COMMENT

      TRAIL: Special Frame Type = Capture Statistics
      TRAIL: Block Statistics
          TRAIL: Frames in Block = 0
          TRAIL: Total Bytes = 0
          TRAIL: AverageSize = 0
          TRAIL: Minimum Size = 0
          TRAIL: Maximum Size = 0
          TRAIL: Total Time(in microseconds) = 0
          TRAIL: Average Time Between Frames(in microseconds) = 0.0
          TRAIL: Minimum Time Between Frames(in microseconds) = 0
          TRAIL: Maximum Time Between Frames(in microseconds) = 0
          TRAIL: Bytes Per Second = 0
              TRAIL: BandWidth consumed for 10 Mega Bits Per Second = 0.0%
              TRAIL: BandWidth consumed for 100 Mega Bits Per Second = 0.0%
              TRAIL: BandWidth consumed for 4 Mega Bits Per Second = 0.0%
              TRAIL: BandWidth consumed for 16 Mega Bits Per Second = 0.0%

  STATS: Number of Frames Captured = 714

Bytes 12-13:
      STATS: Bytes Left = 92 (0x5C)

Bytes 14-15:
      STATS: Version = 32 (0x20)

Bytes 16-17: unused?

Bytes 18-25: (64-bit count of microseconds)
      STATS: Elapsed Time = 8 Minutes  39 Seconds  326000 MicroSeconds

Bytes 26-29:
      STATS: Total Frames Captured = 714 (0x2CA)

Bytes 30-33:
      STATS: Total Bytes Captured = 65077 (0xFE35)

Bytes 34-37:
      STATS: Total Frames Filtered While Capturing = 714 (0x2CA)

Bytes 38-41:
      STATS: Total Bytes Filtered While Capturing = 53653 (0xD195)

Bytes 42-45:
      STATS: Total Multicast Filtered While Capturing = 0 (0x0)

Bytes 46-49:
      STATS: Total Broadcast Filtered While Capturing = 0 (0x0)

Bytes 50-53:
      STATS: Total Frames Seen During Capture = 9165 (0x23CD)

Bytes 54-57:
      STATS: Total Bytes Seen During Capture = 1112012 (0x10F7CC)

Bytes 58-61:
      STATS: Total MultiCasts Received = 784 (0x310)

Bytes 62-65:
      STATS: Total BroadCasts Received = 3081 (0xC09)

Bytes 66-69:
      STATS: Total Frames Dropped From Capture = 0 (0x0)

Bytes 70-73:
      STATS: Total Frames Dropped From Buffer = 0 (0x0)

Bytes 74-77:
      STATS: MAC Frames Received = 9103

Bytes 78-81: (0xFFFFFFFF)
      STATS: MAC CRC Errors = Unsupported Feature

Bytes 82-85:
      STATS: MAC Bytes Received = 0x0000000000000000

Bytes 86-89:
      STATS: MAC Frames Dropped due to No Buffers = 0

Bytes 90-93:
      STATS: MAC MultiCasts Received = Unsupported Feature

Bytes 94-97:
      STATS: MAC BroadCasts Received = Unsupported Feature

Bytes 98-101:
      STATS: MAC Frames Dropped due to HardWare Errors = 0
      STATS: Padding Bytes
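As an added example, not part of the notes above or of Ethereal's Wiretap code, here is a small Python parser for the statistics layout described in the attachment. It assumes all fields are little-endian, that the 32-bit counters at bytes 26-101 are consecutive unsigned integers in the order listed, and that 0xFFFFFFFF is the "Unsupported Feature" marker; the sample trailer is constructed from the values shown in the notes, and anything without the "$MST" Trail ID or the STATS type is rejected rather than read as statistics.

```python
import struct

TRAIL_ID = b"$MST"          # bytes 0-3
FRAME_TYPES = {101: "GENERIC", 102: "BOOKMARK", 103: "STATS", 104: "ODBC",
               105: "ODBC", 106: "MESSAGE", 107: "COMMENT"}
UNSUPPORTED = 0xFFFFFFFF    # assumption: NetMon shows this as "Unsupported Feature"
# Names for the 19 consecutive 32-bit counters at bytes 26-101, in the order of the notes
COUNTERS = [
    "frames_captured", "bytes_captured", "frames_filtered", "bytes_filtered",
    "multicast_filtered", "broadcast_filtered", "frames_seen", "bytes_seen",
    "multicasts_received", "broadcasts_received", "dropped_from_capture",
    "dropped_from_buffer", "mac_frames_received", "mac_crc_errors",
    "mac_bytes_received", "mac_dropped_no_buffers", "mac_multicasts_received",
    "mac_broadcasts_received", "mac_dropped_hw_errors",
]

def parse_netmon_train_stats(buf):
    """Parse a Netmon Train STATS trailer (little-endian assumed); raise
    ValueError instead of treating an unrecognised blob as statistics."""
    if len(buf) < 102:
        raise ValueError("trailer too short: %d bytes" % len(buf))
    trail_id, flags, ftype, bytes_left, version = struct.unpack_from("<4sIIHH", buf, 0)
    if trail_id != TRAIL_ID:
        raise ValueError("bad Trail ID %r" % trail_id)
    if ftype != 103:
        raise ValueError("not a STATS frame: %s" % FRAME_TYPES.get(ftype, ftype))
    elapsed_us, = struct.unpack_from("<Q", buf, 18)   # bytes 16-17 skipped (unused)
    minutes, rem = divmod(elapsed_us, 60_000_000)
    seconds, micros = divmod(rem, 1_000_000)
    stats = {
        "statistics_endpoint": bool(flags & 1),          # bit 0 of bytes 4-7
        "all_frames_even_if_filtered": bool(flags & 2),  # bit 1 of bytes 4-7
        "bytes_left": bytes_left, "version": version,
        "elapsed_us": elapsed_us, "elapsed": (minutes, seconds, micros),
    }
    for name, value in zip(COUNTERS, struct.unpack_from("<19I", buf, 26)):
        stats[name] = None if value == UNSUPPORTED else value
    return stats

def build_sample():
    """Constructed trailer carrying the example values from the notes."""
    elapsed = (8 * 60 + 39) * 1_000_000 + 326_000
    counters = [714, 65077, 714, 53653, 0, 0, 9165, 1112012, 784, 3081, 0, 0,
                9103, UNSUPPORTED, 0, 0, UNSUPPORTED, UNSUPPORTED, 0]
    return (struct.pack("<4sIIHHH", TRAIL_ID, 0, 103, 92, 32, 0)
            + struct.pack("<Q", elapsed) + struct.pack("<19I", *counters))
```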