Beispiel #1
0
        public byte GetFieldByte(string name)
        {
            if (this.Parser == null)
            {
                return(0);
            }

            if (!this.Parser.HasField(name))
            {
                return(0);
            }

            uint offset, bsize;
            uint fieldId = this.Parser.Field(name);

            if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
            {
                if (bsize == 8)
                {
                    byte uRet;
                    if (0 == NetmonAPI.NmGetFieldValueNumber8Bit(ParsedFrame, fieldId, out uRet))
                    {
                        return(uRet);
                    }
                }
            }
            return(0);
        }
Beispiel #2
0
        public static StringBuilder GetRequestResponseRawStream(IntPtr hParsedFrame, uint payLodId, int frameCount)
        {
            byte[]        rawHTTPByte;
            char[]        rawHTTPChar;
            UInt32        pulFieldOffset;
            UInt32        pulFieldBitLength;
            UInt32        ulReturnLength;
            uint          errno                 = 0;
            string        tempstring            = null;
            StringBuilder rawHTTPStringRequest  = new StringBuilder();
            StringBuilder rawHTTPStringResponse = new StringBuilder();

            if (payLodId != 0)
            {
                errno = NetmonAPI.NmGetFieldOffsetAndSize(hParsedFrame, payLodId, out pulFieldOffset, out pulFieldBitLength);
                if (errno == 0)
                {
                    rawHTTPByte = new byte[pulFieldBitLength];
                    unsafe
                    {
                        fixed(byte *pstr = rawHTTPByte)
                        {
                            errno      = NetmonAPI.NmGetFieldValueByteArray(hParsedFrame, payLodId, pulFieldBitLength, pstr, out ulReturnLength);
                            tempstring = Encoding.UTF8.GetString(rawHTTPByte, 0, rawHTTPByte.Length);
                            rawHTTPStringRequest.Append(tempstring);
                        }
                    }
                }
            }
            else
            {
                for (uint j = 0; j < frameCount; j++)
                {
                    errno       = NetmonAPI.NmGetFieldOffsetAndSize(hParsedFrame, j, out pulFieldOffset, out pulFieldBitLength);
                    rawHTTPChar = new char[pulFieldBitLength];

                    unsafe
                    {
                        fixed(char *pstr = rawHTTPChar)
                        {
                            errno = NetmonAPI.NmGetFieldValueString(hParsedFrame, j, pulFieldBitLength, pstr);


                            if (errno == 0)
                            {
                                rawHTTPStringRequest.Append(rawHTTPChar);
                            }
                        }
                    }
                }
            }

            return(rawHTTPStringRequest);
        }
Beispiel #3
0
        /// <summary>
        /// http://blogs.technet.com/b/netmon/archive/2009/10/07/using-nmapi-to-access-tcp-payload.aspx
        /// use property: property.tcppayloadlength, fields: tcp.srcport, tcp.dataoffset.dataoffset to calculate the payload length, and the offset in the raw frame.
        /// use NmGetPartialRawFrame to get the payload.
        /// </summary>
        private void GetTcpPayLoad()
        {
            unsafe
            {
                uint ret;
                byte tcpHeaderSize;            //
                uint tcpSrcOffset, tcpSrcSize; // offset: bits
                var  tcpPayloadLength = PropertyValueDict[NetmonPropertyName.TcpPayloadLength];
                int  payloadlen;
                bool result = Int32.TryParse(tcpPayloadLength.ToString(), out payloadlen);

                // Allocate a buffer for payload data. The maximum length=1460 bytes
                IntPtr buff = Marshal.AllocHGlobal(1500);
                if (payloadlen > 0)
                {
                    // Get the Data Offset, used to determine the TCP header size
                    ret = NetmonAPI.NmGetFieldValueNumber8Bit(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpDataSet], out tcpHeaderSize);
                    //Get the Offset of TCP.SrcPort which is the first field in TCP.
                    ret = NetmonAPI.NmGetFieldOffsetAndSize(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpSrcPort], out tcpSrcOffset, out tcpSrcSize);
                    // Read in the partial frame.  The Offset is in bits.  TCPHeaderSize is off by a factor of 4.
                    uint retlen;
                    uint offset = (uint)(tcpSrcOffset / 8 + tcpHeaderSize * 4);
                    ret = NetmonAPI.NmGetPartialRawFrame(_FrameInfoUnit.RawFrame, offset, (uint)payloadlen, (byte *)buff, out retlen);
                    // cast the intptr to the byte.
                    byte[] _payload = new byte[payloadlen];
                    Marshal.Copy(buff, _payload, 0, payloadlen);

                    //var str = Encoding.Default.GetString(_payload);
                    frameUnit.fieldUnit.PayLoad = _payload;

                    /*
                     * if (protocolname == "TCP")
                     * {
                     * frameUnit.fieldUnit.tcpPayLoad = _payload;
                     * }
                     * else
                     * {
                     * frameUnit.fieldUnit.httpPayLoad = _payload;
                     * // Console.WriteLine("http payload:");
                     * //Console.WriteLine(str);
                     * }*/
                }
                Marshal.Release(buff);
            }
        }
Beispiel #4
0
        public byte[] GetFieldBuffer(string name)
        {
            if (this.Parser == null)
            {
                return(null);
            }

            if (!this.Parser.HasField(name))
            {
                return(null);
            }

            uint offset, bsize;
            uint fieldId = this.Parser.Field(name);

            if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
            {
                if (bsize > 0)
                {
                    uint   size  = bsize / 8;
                    byte[] bytes = new byte[bsize / 8];
                    UInt32 uRet;
                    unsafe
                    {
                        fixed(byte *ptr = bytes)
                        {
                            if (0 == NetmonAPI.NmGetFieldInBuffer(ParsedFrame, fieldId, size, ptr, out uRet))
                            {
                                return(bytes);
                            }
                        }
                    }
                }
            }
            return(null);
        }