.cap file format of Microsoft Network Monitor, v2.x: GraphViz block diagram (.dot) source

Microsoft Network Monitor (AKA Netmon) is a proprietary Microsoft's network packet sniffing and analysis tool. It can save captured traffic as .cap files, which usually contain the packets and may contain some additional info - enhanced network info, calculated statistics, etc.

There are at least 2 different versions of the format: v1 and v2. Netmon v3 seems to use the same file format as v1.

Application

Microsoft Network Monitor, v2.x

File extension

cap

KS implementation details

License: CC0-1.0
Minimal Kaitai Struct required: 0.7

This page hosts a formal specification of .cap file format of Microsoft Network Monitor, v2.x using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

GraphViz block diagram source

microsoft_network_monitor_v2.dot

digraph {
	rankdir=LR;
	node [shape=plaintext];
	subgraph cluster__microsoft_network_monitor_v2 {
		label="MicrosoftNetworkMonitorV2";
		graph[style=dotted];

		microsoft_network_monitor_v2__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
			<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
			<TR><TD PORT="signature_pos">0</TD><TD PORT="signature_size">4</TD><TD>47 4D 42 55</TD><TD PORT="signature_type">signature</TD></TR>
			<TR><TD PORT="version_minor_pos">4</TD><TD PORT="version_minor_size">1</TD><TD>u1</TD><TD PORT="version_minor_type">version_minor</TD></TR>
			<TR><TD PORT="version_major_pos">5</TD><TD PORT="version_major_size">1</TD><TD>u1</TD><TD PORT="version_major_type">version_major</TD></TR>
			<TR><TD PORT="mac_type_pos">6</TD><TD PORT="mac_type_size">2</TD><TD>u2le‚ÜíLinktype</TD><TD PORT="mac_type_type">mac_type</TD></TR>
			<TR><TD PORT="time_capture_start_pos">8</TD><TD PORT="time_capture_start_size">16</TD><TD>WindowsSystemtime</TD><TD PORT="time_capture_start_type">time_capture_start</TD></TR>
			<TR><TD PORT="frame_table_ofs_pos">24</TD><TD PORT="frame_table_ofs_size">4</TD><TD>u4le</TD><TD PORT="frame_table_ofs_type">frame_table_ofs</TD></TR>
			<TR><TD PORT="frame_table_len_pos">28</TD><TD PORT="frame_table_len_size">4</TD><TD>u4le</TD><TD PORT="frame_table_len_type">frame_table_len</TD></TR>
			<TR><TD PORT="user_data_ofs_pos">32</TD><TD PORT="user_data_ofs_size">4</TD><TD>u4le</TD><TD PORT="user_data_ofs_type">user_data_ofs</TD></TR>
			<TR><TD PORT="user_data_len_pos">36</TD><TD PORT="user_data_len_size">4</TD><TD>u4le</TD><TD PORT="user_data_len_type">user_data_len</TD></TR>
			<TR><TD PORT="comment_ofs_pos">40</TD><TD PORT="comment_ofs_size">4</TD><TD>u4le</TD><TD PORT="comment_ofs_type">comment_ofs</TD></TR>
			<TR><TD PORT="comment_len_pos">44</TD><TD PORT="comment_len_size">4</TD><TD>u4le</TD><TD PORT="comment_len_type">comment_len</TD></TR>
			<TR><TD PORT="statistics_ofs_pos">48</TD><TD PORT="statistics_ofs_size">4</TD><TD>u4le</TD><TD PORT="statistics_ofs_type">statistics_ofs</TD></TR>
			<TR><TD PORT="statistics_len_pos">52</TD><TD PORT="statistics_len_size">4</TD><TD>u4le</TD><TD PORT="statistics_len_type">statistics_len</TD></TR>
			<TR><TD PORT="network_info_ofs_pos">56</TD><TD PORT="network_info_ofs_size">4</TD><TD>u4le</TD><TD PORT="network_info_ofs_type">network_info_ofs</TD></TR>
			<TR><TD PORT="network_info_len_pos">60</TD><TD PORT="network_info_len_size">4</TD><TD>u4le</TD><TD PORT="network_info_len_type">network_info_len</TD></TR>
			<TR><TD PORT="conversation_stats_ofs_pos">64</TD><TD PORT="conversation_stats_ofs_size">4</TD><TD>u4le</TD><TD PORT="conversation_stats_ofs_type">conversation_stats_ofs</TD></TR>
			<TR><TD PORT="conversation_stats_len_pos">68</TD><TD PORT="conversation_stats_len_size">4</TD><TD>u4le</TD><TD PORT="conversation_stats_len_type">conversation_stats_len</TD></TR>
		</TABLE>>];
		microsoft_network_monitor_v2__inst__frame_table [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
			<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
			<TR><TD PORT="frame_table_pos">frame_table_ofs</TD><TD PORT="frame_table_size">frame_table_len</TD><TD>FrameIndex</TD><TD PORT="frame_table_type">frame_table</TD></TR>
		</TABLE>>];
		subgraph cluster__frame_index {
			label="MicrosoftNetworkMonitorV2::FrameIndex";
			graph[style=dotted];

			frame_index__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
				<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
				<TR><TD PORT="entries_pos">0</TD><TD PORT="entries_size">4</TD><TD>FrameIndexEntry</TD><TD PORT="entries_type">entries</TD></TR>
				<TR><TD COLSPAN="4" PORT="entries__repeat">repeat to end of stream</TD></TR>
			</TABLE>>];
		}
		subgraph cluster__frame_index_entry {
			label="MicrosoftNetworkMonitorV2::FrameIndexEntry";
			graph[style=dotted];

			frame_index_entry__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
				<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
				<TR><TD PORT="ofs_pos">0</TD><TD PORT="ofs_size">4</TD><TD>u4le</TD><TD PORT="ofs_type">ofs</TD></TR>
			</TABLE>>];
			frame_index_entry__inst__body [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
				<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
				<TR><TD PORT="body_pos">ofs</TD><TD PORT="body_size">...</TD><TD>Frame</TD><TD PORT="body_type">body</TD></TR>
			</TABLE>>];
		}
		subgraph cluster__frame {
			label="MicrosoftNetworkMonitorV2::Frame";
			graph[style=dotted];

			frame__seq [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
				<TR><TD BGCOLOR="#E0FFE0">pos</TD><TD BGCOLOR="#E0FFE0">size</TD><TD BGCOLOR="#E0FFE0">type</TD><TD BGCOLOR="#E0FFE0">id</TD></TR>
				<TR><TD PORT="ts_delta_pos">0</TD><TD PORT="ts_delta_size">8</TD><TD>u8le</TD><TD PORT="ts_delta_type">ts_delta</TD></TR>
				<TR><TD PORT="orig_len_pos">8</TD><TD PORT="orig_len_size">4</TD><TD>u4le</TD><TD PORT="orig_len_type">orig_len</TD></TR>
				<TR><TD PORT="inc_len_pos">12</TD><TD PORT="inc_len_size">4</TD><TD>u4le</TD><TD PORT="inc_len_type">inc_len</TD></TR>
				<TR><TD PORT="body_pos">16</TD><TD PORT="body_size">...</TD><TD>switch (_root.mac_type)</TD><TD PORT="body_type">body</TD></TR>
			</TABLE>>];
frame__seq_body_switch [label=<<TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0">
	<TR><TD BGCOLOR="#F0F2E4">case</TD><TD BGCOLOR="#F0F2E4">type</TD></TR>
	<TR><TD>:linktype_ethernet</TD><TD PORT="case0">EthernetFrame</TD></TR>
</TABLE>>];
		}
	}
	microsoft_network_monitor_v2__seq:time_capture_start_type -> windows_systemtime__seq [style=bold];
	microsoft_network_monitor_v2__seq:frame_table_ofs_type -> microsoft_network_monitor_v2__inst__frame_table:frame_table_pos [color="#404040"];
	microsoft_network_monitor_v2__seq:frame_table_len_type -> microsoft_network_monitor_v2__inst__frame_table:frame_table_size [color="#404040"];
	microsoft_network_monitor_v2__inst__frame_table:frame_table_type -> frame_index__seq [style=bold];
	frame_index__seq:entries_type -> frame_index_entry__seq [style=bold];
	frame_index_entry__seq:ofs_type -> frame_index_entry__inst__body:body_pos [color="#404040"];
	frame_index_entry__inst__body:body_type -> frame__seq [style=bold];
	frame__seq:body_type -> frame__seq_body_switch [style=bold];
	frame__seq_body_switch:case0 -> ethernet_frame__seq [style=bold];
	microsoft_network_monitor_v2__seq:mac_type_type -> frame__seq:body_type [color="#404040"];
}