# Transport correlation

This note records the current boundary between the native adapter body format and localhost transport.

## Combined captures

The combined runner starts Npcap loopback capture, then launches the harness under Frida:

```text
analysis\scripts\run_frida_loopback_capture.ps1
```

Helper scripts:

```text
analysis\scripts\map_frida_to_tcp.py
analysis\scripts\parse_dcerpc_streams.py
analysis\scripts\decode_mixed_local_stream.py
```

## Capture 043

```text
captures\043-frida-loopback-write-test-int-115
```

This writes `TestChildObject.TestInt = 115`. It proved that exact Frida adapter bodies are not copied verbatim to TCP, but the scalar value `115` was ambiguous because it also matched DCE/RPC call IDs in the same window.

## Capture 044

```text
captures\044-frida-loopback-write-test-int-123456789
```

This writes a distinctive value:

```text
TestChildObject.TestInt = 123456789
```

Results:

| Needle | Result |
| --- | --- |
| raw little-endian `123456789` | not found anywhere in the full pcap payload scan |
| exact 40-byte Frida `PutRequest` body | not found in reassembled TCP streams |
| exact 86-byte Frida `TransferData` body | not found in reassembled TCP streams |
| exact 88-byte Frida callback body | not found in reassembled TCP streams |
| mixed `127.0.0.1:57415 <-> 57433` stream | parsed, raw value not found |
| DCE/RPC `::1:49704` streams | parsed 452 PDUs, raw value not found in request/response stubs |

Generated files:

```text
captures\044-frida-loopback-write-test-int-123456789\frida-to-tcp-map.tsv
captures\044-frida-loopback-write-test-int-123456789\dcerpc-stream-pdus.tsv
captures\044-frida-loopback-write-test-int-123456789\mixed-stream-57415-to-57433.tsv
captures\044-frida-loopback-write-test-int-123456789\mixed-stream-57433-to-57415.tsv
```

## Implication

The `CNmxAdapter::PutRequest` and `CNmxAdapter::TransferData` buffers are an internal adapter representation, not the TCP wire format.
The wire transport does not expose the write value as plain little-endian scalar bytes for this distinctive-value capture.

The next reverse-engineering step is to decode the structural bridge between adapter bodies and transport messages:

1. Correlate Frida call timestamps to DCE/RPC call IDs and mixed-stream record windows.
2. Decode DCE/RPC NDR stubs for the observed context/opnum pairs.
3. Hook deeper in `NmxSvc.exe` around `CNmxControler::TransferData` and `CNmxService::TransferData` so both sides of the adapter-to-service boundary can be compared before TCP serialization.
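As an added illustration (not one of the analysis scripts listed above, and not the project's own code), the following Python sketches in miniature the two checks this note relies on: a needle scan that tries several candidate encodings of the written value, and a timestamp-window correlation between Frida calls and TCP segments. The DCE/RPC request PDUs, TCP segments and Frida timestamps are constructed inline; the point they show is why a small value such as `115` collides with a call ID (and, by chance, with a big-endian reading of the header), while `123456789` produces no hit under any encoding. Helper names such as `scan_payload` and `correlate` are this example's own assumptions.

```python
"""Added example, not one of the note's own analysis scripts.

Two checks in miniature:
  * scan_payload: look for a written scalar under several candidate encodings
  * correlate: list TCP segments seen inside a window after each Frida call
All PDUs, segments and timestamps below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# DCE/RPC connection-oriented PDU, 16-byte common header:
# ver, minor, ptype, flags, drep[4], frag_len, auth_len, call_id
COMMON_HDR = "<BBBB4sHHI"
DREP_LE = b"\x10\x00\x00\x00"   # little-endian integer representation
PTYPE_REQUEST = 0


@dataclass
class Pdu:
    ptype: int
    call_id: int
    opnum: Optional[int]
    stub: bytes


def build_request(call_id: int, ctx_id: int, opnum: int, stub: bytes) -> bytes:
    """Constructed request PDU: common header + alloc_hint, ctx_id, opnum + stub."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return struct.pack(COMMON_HDR, 5, 0, PTYPE_REQUEST, 3, DREP_LE,
                       16 + len(body), 0, call_id) + body


def parse_pdus(stream: bytes) -> list:
    """Walk a reassembled byte stream PDU by PDU using frag_len."""
    pdus, off = [], 0
    while off + 16 <= len(stream):
        ver, _, ptype, _, _, frag_len, auth_len, call_id = struct.unpack_from(
            COMMON_HDR, stream, off)
        if ver != 5 or frag_len < 16 or off + frag_len > len(stream):
            raise ValueError(f"malformed PDU at offset {off}")
        pdu = stream[off:off + frag_len]
        opnum, stub = None, pdu[16:frag_len - auth_len]
        if ptype == PTYPE_REQUEST and frag_len >= 24:
            _, _, opnum = struct.unpack_from("<IHH", pdu, 16)   # alloc_hint, ctx_id, opnum
            stub = pdu[24:frag_len - auth_len]
        pdus.append(Pdu(ptype, call_id, opnum, stub))
        off += frag_len
    return pdus


def encodings(value: int) -> dict:
    """Candidate wire encodings of a scalar write value."""
    enc = {
        "u32le": struct.pack("<I", value),
        "u32be": struct.pack(">I", value),
        "u64le": struct.pack("<Q", value),
        "ascii": str(value).encode("ascii"),
        "utf16le": str(value).encode("utf-16-le"),
    }
    if value <= 0xFFFF:
        enc["u16le"] = struct.pack("<H", value)
    return enc


def scan_payload(payload: bytes, value: int) -> dict:
    """Every offset at which each candidate encoding of `value` occurs."""
    hits = {}
    for name, needle in encodings(value).items():
        offsets, start = [], 0
        while (i := payload.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[name] = offsets
    return hits


def colliding_call_ids(stream: bytes, value: int) -> list:
    """Call IDs in the stream that equal the value being searched for."""
    return [p.call_id for p in parse_pdus(stream) if p.call_id == value]


def correlate(frida_calls, segments, window: float = 0.05) -> list:
    """For each (ts, label) Frida call, the (ts, endpoints, length) segments
    seen within `window` seconds after it."""
    return [(label, [s for s in segments if ts <= s[0] <= ts + window])
            for ts, label in frida_calls]


# Constructed sample stream: two request PDUs with call IDs 115 and 116.
SAMPLE_STREAM = (build_request(115, 0, 3, b"\x00" * 8)
                 + build_request(116, 0, 3, b"\x00" * 8))
# Constructed Frida call timestamps and TCP segment timestamps (seconds).
FRIDA_CALLS = [(10.000, "PutRequest#1"), (10.020, "TransferData#1")]
TCP_SEGMENTS = [(10.005, "57415->57433", 60), (10.031, "::1:49704", 120),
                (10.900, "57433->57415", 40)]

if __name__ == "__main__":
    for v in (115, 123456789):
        print(v, scan_payload(SAMPLE_STREAM, v), colliding_call_ids(SAMPLE_STREAM, v))
    for label, segs in correlate(FRIDA_CALLS, TCP_SEGMENTS):
        print(label, [s[1] for s in segs])
```

Against the constructed stream, `115` hits three times (the call ID field read as u32 or u16, plus a big-endian reading that overlaps the zeroed `auth_len` bytes), which is the same kind of ambiguity capture 043 ran into; `123456789` hits nowhere, matching the capture 044 table. The `correlate` step is the windowing that `map_frida_to_tcp.py` would need before call IDs can be tied back to individual adapter calls.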