From a2b084f6c507d96fe6f0776154537268d60e9428 Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Mon, 4 Sep 2017 10:16:49 -0400
Subject: [PATCH] Add support for WPFCapture "formats" from Microsoft Analyzer.

Normally a .cap file contains a network type that when masked with 0xFFF
will convert to a pcap LINKTYPE_ value.  However, Microsoft Analyzer
used 0xE080-0xE08A for their own purposes within a .cap file.

Add support for the WPFCapture formats and give a "not supported" error
message to the few left unsupported.

Bug: 10556
Change-Id: I321a75ce769fdec75bdc6b595936c25932950a97
Reviewed-on: https://code.wireshark.org/review/23386
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
---
 docbook/release-notes.asciidoc           |   4 +-
 epan/dissectors/CMakeLists.txt           |   1 +
 epan/dissectors/Makefile.am              |   1 +
 epan/dissectors/packet-messageanalyzer.c | 496 +++++++++++++++++++++++
 wiretap/netmon.c                         |  36 +-
 wiretap/wtap.c                           |  18 +
 wiretap/wtap.h                           |   7 +
 7 files changed, 560 insertions(+), 3 deletions(-)
 create mode 100644 epan/dissectors/packet-messageanalyzer.c

diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc
index 369b0c9b1d..122cefee99 100644
--- a/docbook/release-notes.asciidoc
+++ b/docbook/release-notes.asciidoc
@@ -42,8 +42,8 @@ since version 2.4.0:
   Preferences -> Appearance -> Layout -> Show file load time.
 * Support for G.729 codec in the RTP Player (via the bcg729 library).
 * Support for hardware-timestamping of packets
-* Improved NetMon .cap support with comments, event tracing, network filter
-  and network info types.
+* Improved NetMon .cap support with comments, event tracing, network filter,
+  network info types and some Message Analyzer exported types.
 
 //=== Removed Dissectors
 
diff --git a/epan/dissectors/CMakeLists.txt b/epan/dissectors/CMakeLists.txt
index 29a78d0e06..0993f54337 100644
--- a/epan/dissectors/CMakeLists.txt
+++ b/epan/dissectors/CMakeLists.txt
@@ -889,6 +889,7 @@ set(DISSECTOR_SRC
 	packet-megaco.c
 	packet-memcache.c
 	packet-mesh.c
+	packet-messageanalyzer.c
 	packet-meta.c
 	packet-metamako.c
 	packet-mgcp.c
diff --git a/epan/dissectors/Makefile.am b/epan/dissectors/Makefile.am
index 6c589e43f1..3b6d18c609 100644
--- a/epan/dissectors/Makefile.am
+++ b/epan/dissectors/Makefile.am
@@ -910,6 +910,7 @@ DISSECTOR_SRC = \
 	packet-megaco.c		\
 	packet-memcache.c	\
 	packet-mesh.c		\
+	packet-messageanalyzer.c	\
 	packet-meta.c		\
 	packet-metamako.c	\
 	packet-mgcp.c		\
diff --git a/epan/dissectors/packet-messageanalyzer.c b/epan/dissectors/packet-messageanalyzer.c
new file mode 100644
index 0000000000..7ed2bdb06a
--- /dev/null
+++ b/epan/dissectors/packet-messageanalyzer.c
@@ -0,0 +1,496 @@
+/* packet-messageanalyzer.c
+ * Routines for Message Analyzer capture dissection
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+ * USA.
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/addr_resolv.h>
+#include <epan/ipproto.h>
+#include <wsutil/inet_ipv6.h>
+#include <wsutil/utf8_entities.h>
+#include <wiretap/wtap.h>
+
+void proto_register_message_analyzer(void);
+void proto_reg_handoff_message_analyzer(void);
+
+/* Initialize the protocol and registered fields */
+static int proto_ma_wfp_capture_v4 = -1;
+static int proto_ma_wfp_capture2_v4 = -1;
+static int proto_ma_wfp_capture_v6 = -1;
+static int proto_ma_wfp_capture2_v6 = -1;
+static int proto_ma_wfp_capture_auth_v4 = -1;
+static int proto_ma_wfp_capture_auth_v6 = -1;
+
+static int hf_ma_wfp_capture_flow_context = -1;
+static int hf_ma_wfp_capture_payload_length = -1;
+static int hf_ma_wfp_capture_auth_src_port = -1;
+static int hf_ma_wfp_capture_auth_dst_port = -1;
+static int hf_ma_wfp_capture_auth_interface_id = -1;
+static int hf_ma_wfp_capture_auth_direction = -1;
+static int hf_ma_wfp_capture_auth_process_id = -1;
+static int hf_ma_wfp_capture_auth_process_path = -1;
+
+/* Fields used from other common dissectors */
+static int hf_ip_src = -1;
+static int hf_ip_addr = -1;
+static int hf_ip_src_host = -1;
+static int hf_ip_host = -1;
+static int hf_ip_dst = -1;
+static int hf_ip_dst_host = -1;
+static int hf_ip_proto = -1;
+static int hf_ipv6_src = -1;
+static int hf_ipv6_addr = -1;
+static int hf_ipv6_src_host = -1;
+static int hf_ipv6_host = -1;
+static int hf_ipv6_dst = -1;
+static int hf_ipv6_dst_host = -1;
+
+
+/* Initialize the subtree pointers */
+static gint ett_ma_wfp_capture_v4 = -1;
+static gint ett_ma_wfp_capture_v6 = -1;
+static gint ett_ma_wfp_capture_auth = -1;
+
+static dissector_table_t ip_dissector_table;
+
+static void
+add_ipv4_src_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset, proto_item* parent_item)
+{
+	proto_item *item;
+	guint32 addr;
+
+	set_address_tvb(&pinfo->net_src, AT_IPv4, 4, tvb, offset);
+	copy_address_shallow(&pinfo->src, &pinfo->net_src);
+
+	if (tree) {
+		const char *src_host;
+
+		memcpy(&addr, pinfo->net_src.data, 4);
+		src_host = get_hostname(addr);
+		proto_item_append_text(parent_item, ", Src: %s", address_with_resolution_to_str(wmem_packet_scope(), &pinfo->net_src));
+
+		proto_tree_add_ipv4(tree, hf_ip_src, tvb, offset, 4, addr);
+		item = proto_tree_add_ipv4(tree, hf_ip_addr, tvb, offset, 4, addr);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ip_src_host, tvb, offset, 4, src_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ip_host, tvb, offset, 4, src_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+	}
+}
+
+static void
+add_ipv4_dst_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset, proto_item* parent_item)
+{
+	proto_item *item;
+	guint32 addr;
+
+	set_address_tvb(&pinfo->net_dst, AT_IPv4, 4, tvb, offset);
+	copy_address_shallow(&pinfo->dst, &pinfo->net_dst);
+
+	if (tree) {
+		const char *dst_host;
+
+		memcpy(&addr, pinfo->net_dst.data, 4);
+		dst_host = get_hostname(addr);
+		proto_item_append_text(parent_item, ", Dst: %s", address_with_resolution_to_str(wmem_packet_scope(), &pinfo->net_dst));
+
+		proto_tree_add_ipv4(tree, hf_ip_dst, tvb, offset, 4, addr);
+		item = proto_tree_add_ipv4(tree, hf_ip_addr, tvb, offset, 4, addr);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ip_dst_host, tvb, offset, 4, dst_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ip_host, tvb, offset, 4, dst_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+	}
+}
+
+static void
+add_ipv6_src_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset)
+{
+	proto_item *item;
+
+	set_address_tvb(&pinfo->net_src, AT_IPv6, IPv6_ADDR_SIZE, tvb, offset);
+	copy_address_shallow(&pinfo->src, &pinfo->net_src);
+
+	if (tree) {
+		const char *src_host;
+
+		src_host = address_to_display(wmem_packet_scope(), &pinfo->net_src);
+
+		proto_tree_add_item(tree, hf_ipv6_src, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
+		item = proto_tree_add_item(tree, hf_ipv6_addr, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ipv6_src_host, tvb, offset, IPv6_ADDR_SIZE, src_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ipv6_host, tvb, offset, IPv6_ADDR_SIZE, src_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+	}
+}
+
+static void
+add_ipv6_dst_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset)
+{
+	proto_item *item;
+
+	set_address_tvb(&pinfo->net_dst, AT_IPv6, IPv6_ADDR_SIZE, tvb, offset);
+	copy_address_shallow(&pinfo->dst, &pinfo->net_dst);
+
+	if (tree) {
+		const char *dst_host;
+
+		dst_host = address_to_display(wmem_packet_scope(), &pinfo->net_dst);
+
+		proto_tree_add_item(tree, hf_ipv6_dst, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
+		item = proto_tree_add_item(tree, hf_ipv6_addr, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ipv6_dst_host, tvb, offset, IPv6_ADDR_SIZE, dst_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+
+		item = proto_tree_add_string(tree, hf_ipv6_host, tvb, offset, IPv6_ADDR_SIZE, dst_host);
+		PROTO_ITEM_SET_GENERATED(item);
+		PROTO_ITEM_SET_HIDDEN(item);
+	}
+}
+
+static int
+dissect_ma_wfp_capture_v4_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
+{
+	proto_item *ti;
+	proto_tree *wfp_tree;
+	int offset = 0;
+	guint32 ip_proto, payload_length;
+	tvbuff_t *next_tvb;
+
+	ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
+	wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_v4);
+
+	add_ipv4_src_address(wfp_tree, tvb, pinfo, offset, ti);
+	offset += 4;
+
+	add_ipv4_dst_address(wfp_tree, tvb, pinfo, offset, ti);
+	offset += 4;
+
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_NA, &ip_proto);
+	col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
+	offset += 1;
+
+	if (proto == proto_ma_wfp_capture2_v4)
+	{
+		proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+		offset += 8;
+	}
+
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_payload_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &payload_length);
+	offset += 2;
+
+	proto_item_set_len(ti, offset);
+
+	next_tvb = tvb_new_subset_remaining(tvb, offset);
+
+	if (!dissector_try_uint_new(ip_dissector_table, ip_proto, next_tvb, pinfo, tree, TRUE, NULL)) {
+		call_data_dissector(next_tvb, pinfo, tree);
+	}
+
+	return tvb_captured_length(tvb);
+}
+
+static int
+dissect_ma_wfp_capture_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture v4");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_v4_common(tvb, pinfo, tree, proto_ma_wfp_capture_v4);
+}
+
+static int
+dissect_ma_wfp_capture2_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture2 v4");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_v4_common(tvb, pinfo, tree, proto_ma_wfp_capture2_v4);
+}
+
+static int
+dissect_ma_wfp_capture_v6_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
+{
+	proto_item *ti;
+	proto_tree *wfp_tree;
+	int offset = 0;
+	guint32 ip_proto, payload_length;
+	tvbuff_t *next_tvb;
+
+	ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
+	wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_v4);
+
+	add_ipv6_src_address(wfp_tree, tvb, pinfo, offset);
+	offset += IPv6_ADDR_SIZE;
+
+	add_ipv6_dst_address(wfp_tree, tvb, pinfo, offset);
+	offset += IPv6_ADDR_SIZE;
+
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_NA, &ip_proto);
+	col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
+	offset += 1;
+
+	if (proto == proto_ma_wfp_capture2_v6)
+	{
+		proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+		offset += 8;
+	}
+
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_payload_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &payload_length);
+	offset += 2;
+
+	next_tvb = tvb_new_subset_remaining(tvb, offset);
+
+	proto_item_set_len(ti, offset);
+
+	if (!dissector_try_uint_new(ip_dissector_table, ip_proto, next_tvb, pinfo, tree, TRUE, NULL)) {
+		call_data_dissector(next_tvb, pinfo, tree);
+	}
+
+	return tvb_captured_length(tvb);
+}
+
+static int
+dissect_ma_wfp_capture_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture v6");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_v6_common(tvb, pinfo, tree, proto_ma_wfp_capture_v6);
+}
+
+static int
+dissect_ma_wfp_capture2_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture2 v6");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_v6_common(tvb, pinfo, tree, proto_ma_wfp_capture2_v6);
+}
+
+static int
+dissect_ma_wfp_capture_auth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
+{
+	proto_item *ti;
+	proto_tree *wfp_tree;
+	int offset = 0;
+	guint32 length, ip_proto;
+
+	ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
+	wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_auth);
+
+	if (proto == proto_ma_wfp_capture_auth_v4)
+	{
+		add_ipv4_src_address(wfp_tree, tvb, pinfo, offset, ti);
+		offset += 4;
+	}
+	else
+	{
+		add_ipv6_src_address(wfp_tree, tvb, pinfo, offset);
+		offset += IPv6_ADDR_SIZE;
+	}
+
+	if (proto == proto_ma_wfp_capture_auth_v4)
+	{
+		add_ipv4_dst_address(wfp_tree, tvb, pinfo, offset, ti);
+		offset += 4;
+	}
+	else
+	{
+		add_ipv6_dst_address(wfp_tree, tvb, pinfo, offset);
+		offset += IPv6_ADDR_SIZE;
+	}
+
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_auth_src_port, tvb, offset, 2, ENC_LITTLE_ENDIAN, &pinfo->srcport);
+	offset += 2;
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_auth_dst_port, tvb, offset, 2, ENC_LITTLE_ENDIAN, &pinfo->destport);
+	offset += 2;
+	col_add_fstr(pinfo->cinfo, COL_INFO, "%d %s %d", pinfo->srcport, UTF8_RIGHTWARDS_ARROW, pinfo->destport);
+
+	proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_interface_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+	offset += 8;
+	proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_direction, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+	offset += 1;
+	proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_LITTLE_ENDIAN, &ip_proto);
+	col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
+	offset += 1;
+
+	proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+	offset += 8;
+	proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_process_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+	offset += 8;
+	proto_tree_add_item_ret_length(wfp_tree, hf_ma_wfp_capture_auth_process_path, tvb, offset, 2, ENC_LITTLE_ENDIAN|ENC_UTF_16, &length);
+	offset += length;
+
+	proto_item_set_len(ti, offset);
+
+	return tvb_captured_length(tvb);
+}
+
+static int
+dissect_ma_wfp_capture_auth_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture AUTH v4");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_auth_common(tvb, pinfo, tree, proto_ma_wfp_capture_auth_v4);
+}
+
+static int
+dissect_ma_wfp_capture_auth_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture AUTH v6");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	return dissect_ma_wfp_capture_auth_common(tvb, pinfo, tree, proto_ma_wfp_capture_auth_v6);
+}
+
+void proto_register_message_analyzer(void)
+{
+	static hf_register_info hf_wfp_capture[] = {
+		{ &hf_ma_wfp_capture_flow_context,
+			{ "Flow Context", "message_analyzer.wfp_capture.flow_context",
+			FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_payload_length,
+			{ "Payload Length", "message_analyzer.wfp_capture.payload_length",
+			FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
+		},
+	};
+
+	static hf_register_info hf_wfp_capture_auth[] = {
+		{ &hf_ma_wfp_capture_auth_src_port,
+			{ "Source Port", "message_analyzer.wfp_capture.auth.src_port",
+			FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_auth_dst_port,
+			{ "Destination Port", "message_analyzer.wfp_capture.auth.dst_port",
+			FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_auth_interface_id,
+			{ "Interface ID", "message_analyzer.wfp_capture.auth.interface_id",
+			FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_auth_direction,
+			{ "Direction", "message_analyzer.wfp_capture.auth.direction",
+			FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_auth_process_id,
+			{ "Process ID", "message_analyzer.wfp_capture.auth.process_id",
+			FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
+		},
+		{ &hf_ma_wfp_capture_auth_process_path,
+			{ "Payload Length", "message_analyzer.wfp_capture.auth.process_path",
+			FT_UINT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }
+		},
+	};
+
+	static gint *ett[] = {
+		&ett_ma_wfp_capture_v4,
+		&ett_ma_wfp_capture_v6,
+		&ett_ma_wfp_capture_auth,
+	};
+
+	proto_ma_wfp_capture_v4 = proto_register_protocol ("Message Analyzer WFP Capture v4", "MA WFP Capture v4", "message_analyzer.wfp_capture.v4" );
+	proto_ma_wfp_capture2_v4 = proto_register_protocol ("Message Analyzer WFP Capture2 v4", "MA WFP Capture2 v4", "message_analyzer.wfp_capture2.v4" );
+	proto_ma_wfp_capture_v6 = proto_register_protocol ("Message Analyzer WFP Capture v6", "MA WFP Capture v6", "message_analyzer.wfp_capture.v6" );
+	proto_ma_wfp_capture2_v6 = proto_register_protocol ("Message Analyzer WFP Capture2 v6", "MA WFP Capture2 v6", "message_analyzer.wfp_capture2.v6" );
+	proto_ma_wfp_capture_auth_v4 = proto_register_protocol ("Message Analyzer WFP Capture AUTH v4", "MA WFP Capture AUTH v4", "message_analyzer.wfp_capture.auth.v4" );
+	proto_ma_wfp_capture_auth_v6 = proto_register_protocol ("Message Analyzer WFP Capture AUTH v6", "MA WFP Capture AUTH v6", "message_analyzer.wfp_capture.auth.v6" );
+
+	proto_register_field_array(proto_ma_wfp_capture_v4, hf_wfp_capture, array_length(hf_wfp_capture));
+	proto_register_field_array(proto_ma_wfp_capture_auth_v4, hf_wfp_capture_auth, array_length(hf_wfp_capture_auth));
+	proto_register_subtree_array(ett, array_length(ett));
+}
+
+void proto_reg_handoff_message_analyzer(void)
+{
+	dissector_handle_t ma_wfp_capture_v4_handle, ma_wfp_capture2_v4_handle,
+						ma_wfp_capture_v6_handle, ma_wfp_capture2_v6_handle,
+						ma_wfp_capture_auth_v4_handle, ma_wfp_capture_auth_v6_handle;
+
+	ma_wfp_capture_v4_handle = create_dissector_handle(dissect_ma_wfp_capture_v4, proto_ma_wfp_capture_v4);
+	ma_wfp_capture2_v4_handle = create_dissector_handle(dissect_ma_wfp_capture2_v4, proto_ma_wfp_capture2_v4);
+	ma_wfp_capture_v6_handle = create_dissector_handle(dissect_ma_wfp_capture_v6, proto_ma_wfp_capture_v6);
+	ma_wfp_capture2_v6_handle = create_dissector_handle(dissect_ma_wfp_capture2_v6, proto_ma_wfp_capture2_v6);
+	ma_wfp_capture_auth_v4_handle = create_dissector_handle(dissect_ma_wfp_capture_auth_v4, proto_ma_wfp_capture_auth_v4);
+	ma_wfp_capture_auth_v6_handle = create_dissector_handle(dissect_ma_wfp_capture_auth_v6, proto_ma_wfp_capture_auth_v6);
+
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_V4, ma_wfp_capture_v4_handle);
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_2V4, ma_wfp_capture2_v4_handle);
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_V6, ma_wfp_capture_v6_handle);
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_2V6, ma_wfp_capture2_v6_handle);
+
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4, ma_wfp_capture_auth_v4_handle);
+	dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6, ma_wfp_capture_auth_v6_handle);
+
+	ip_dissector_table = find_dissector_table("ip.proto");
+
+	/* Find all of the fields used from other common dissectors */
+	hf_ip_src = proto_registrar_get_id_byname("ip.src");
+	hf_ip_addr = proto_registrar_get_id_byname("ip.addr");
+	hf_ip_src_host = proto_registrar_get_id_byname("ip.src_host");
+	hf_ip_dst = proto_registrar_get_id_byname("ip.dst");
+	hf_ip_dst_host = proto_registrar_get_id_byname("ip.dst_host");
+	hf_ip_host = proto_registrar_get_id_byname("ip.host");
+	hf_ip_proto = proto_registrar_get_id_byname("ip.proto");
+	hf_ipv6_src = proto_registrar_get_id_byname("ipv6.src");
+	hf_ipv6_addr = proto_registrar_get_id_byname("ipv6.addr");
+	hf_ipv6_src_host = proto_registrar_get_id_byname("ipv6.src_host");
+	hf_ipv6_host = proto_registrar_get_id_byname("ipv6.host");
+	hf_ipv6_dst = proto_registrar_get_id_byname("ipv6.dst");
+	hf_ipv6_dst_host = proto_registrar_get_id_byname("ipv6.dst_host");
+
+}
+
+/*
+ * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
diff --git a/wiretap/netmon.c b/wiretap/netmon.c
index f8b5394ae7..ed35ce7256 100644
--- a/wiretap/netmon.c
+++ b/wiretap/netmon.c
@@ -1016,7 +1016,41 @@ netmon_process_record(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 			return FAILURE;
 
 		network = pletoh16(trlr.trlr_2_1.network);
-		if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
+		if ((network >= 0xE080) && (network <= 0xE08A)) {
+			/* These values "violate" the LINKTYPE_ media type values
+			 * in Microsoft Analyzer and are considered a MAExportedMediaType,
+			 * so they need their own WTAP_ types
+			 */
+			switch (network)
+			{
+			case 0xE080:    // "WiFi Message"
+			case 0xE081:    // "Ndis Etw WiFi Channel Message"
+			case 0xE082:    // "Fiddler Netmon Message"
+			case 0xE089:    // "Pef Ndis Msg";
+			case 0xE08A:    // "Pef Ndis Wifi Meta Msg";
+				*err = WTAP_ERR_UNSUPPORTED;
+				*err_info = g_strdup_printf("netmon: network type %u unknown or unsupported", network);
+				return FAILURE;
+			case 0xE083:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V4;
+				break;
+			case 0xE084:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V6;
+				break;
+			case 0xE085:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V4;
+				break;
+			case 0xE086:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V6;
+				break;
+			case 0xE087:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4;
+				break;
+			case 0xE088:
+				pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6;
+				break;
+			}
+		} else if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
 			/*
 			 * Converted pcap file - the LINKTYPE_ value
 			 * is the network value with 0xF000 masked off.
diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index 6e80171398..c9257e728e 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -944,6 +944,24 @@ static struct encap_type_info encap_table_base[] = {
 
 	/* WTAP_ENCAP_NETMON_NETWORK_INFO_EX */
 	{ "Network Monitor Network Info", "netmon_network_info" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_V4 */
+	{ "Message Analyzer WFP Capture v4", "message_analyzer_wfp_capture_v4" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_V6 */
+	{ "Message Analyzer WFP Capture v6", "message_analyzer_wfp_capture_v6" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_2V4 */
+	{ "Message Analyzer WFP Capture2 v4", "message_analyzer_wfp_capture2_v4" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_2V6 */
+	{ "Message Analyzer WFP Capture2 v6", "message_analyzer_wfp_capture2_v6" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4 */
+	{ "Message Analyzer WFP Capture Auth v4", "message_analyzer_wfp_capture_auth_v4" },
+
+	/* WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6 */
+	{ "Message Analyzer WFP Capture Auth v6", "message_analyzer_wfp_capture_auth_v6" },
 };
 
 WS_DLL_LOCAL
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 77a0205aa6..ff3d5dd816 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -278,6 +278,13 @@ extern "C" {
 #define WTAP_ENCAP_NETMON_HEADER                188
 #define WTAP_ENCAP_NETMON_NET_FILTER            189
 #define WTAP_ENCAP_NETMON_NETWORK_INFO_EX       190
+#define WTAP_ENCAP_MA_WFP_CAPTURE_V4            191
+#define WTAP_ENCAP_MA_WFP_CAPTURE_V6            192
+#define WTAP_ENCAP_MA_WFP_CAPTURE_2V4           193
+#define WTAP_ENCAP_MA_WFP_CAPTURE_2V6           194
+#define WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4       195
+#define WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6       196
+
 /* After adding new item here, please also add new item to encap_table_base array */
 
 #define WTAP_NUM_ENCAP_TYPES                    wtap_get_num_encap_types()