private void WritePcapHeader(PcapFrame.DataLinkTypeEnum dataLinkType, bool littleEndian)
{
List <byte[]> headerFields = new List <byte[]>();
headerFields.Add(ToByteArray(MAGIC_NUMBER));
headerFields.Add(ToByteArray(MAJOR_VERSION_NUMBER));
headerFields.Add(ToByteArray(MINOR_VERSION_NUMBER));
headerFields.Add(ToByteArray((uint)0x00));
headerFields.Add(ToByteArray((uint)0x00));
headerFields.Add(ToByteArray((uint)0xffff));
headerFields.Add(ToByteArray((uint)dataLinkType));
this.writeLock.Wait();
try {
foreach (byte[] field in headerFields)
{
if (littleEndian)
{
Array.Reverse(field);
}
outputStream.Write(field, 0, field.Length);
}
}
finally {
this.writeLock.Release();
}
}
public PcapFileWriter(PcapFrame.DataLinkTypeEnum dataLinkType, Stream outputStream, bool autoFlush = false) : this()
{
this.DataLinkType = dataLinkType;
this.outputStream = outputStream;
this.autoFlush = autoFlush;
this.WritePcapHeader(dataLinkType, false);
}
public PcapParser(IPcapStreamReader pcapStreamReader, byte[] firstFourBytes)
{
this.pcapStreamReader = pcapStreamReader;
this.metadata = new List <KeyValuePair <string, string> >();
//read pcap file header!
byte[] buffer4 = new byte[4]; //32 bits is suitable
byte[] buffer2 = new byte[2]; //16 bits is sometimes needed
//uint wiresharkMagicNumber = 0xa1b2c3d4;
//Section Header Block (mandatory)
if (firstFourBytes == null || firstFourBytes.Length != 4)
{
buffer4 = this.pcapStreamReader.BlockingRead(4);
}
else
{
buffer4 = firstFourBytes;
}
if (this.ToUInt32(buffer4, false) == LIBPCAP_MAGIC_NUMBER)
{
this.littleEndian = false;
this.metadata.Add(new KeyValuePair <string, string>("Endianness", "Big Endian"));
}
else if (this.ToUInt32(buffer4, true) == LIBPCAP_MAGIC_NUMBER)
{
this.littleEndian = true;
this.metadata.Add(new KeyValuePair <string, string>("Endianness", "Little Endian"));
}
else
{
throw new System.IO.InvalidDataException("The stream is not a PCAP file. Magic number is " + this.ToUInt32(buffer4, false).ToString("X2") + " or " + this.ToUInt32(buffer4, true).ToString("X2") + " but should be " + LIBPCAP_MAGIC_NUMBER.ToString("X2") + ".");
}
/* major version number */
this.pcapStreamReader.BlockingRead(buffer2, 0, 2);
ushort majorVersionNumber = ToUInt16(buffer2, this.littleEndian);
/* minor version number */
this.pcapStreamReader.BlockingRead(buffer2, 0, 2);
ushort minorVersionNumber = ToUInt16(buffer2, this.littleEndian);
/* GMT to local correction */
this.pcapStreamReader.BlockingRead(buffer4, 0, 4);
int timezoneOffsetSeconds = (int)ToUInt32(buffer4, this.littleEndian);
/* accuracy of timestamps */
this.pcapStreamReader.BlockingRead(buffer4, 0, 4);
/* max length of captured packets, in octets */
this.pcapStreamReader.BlockingRead(buffer4, 0, 4);
uint maximumPacketSize = ToUInt32(buffer4, this.littleEndian);
/* data link type */
this.pcapStreamReader.BlockingRead(buffer4, 0, 4); //offset = 20 = 0x14
this.dataLinkType = (PcapFrame.DataLinkTypeEnum)ToUInt32(buffer4, this.littleEndian);
this.metadata.Add(new KeyValuePair <string, string>("Data Link Type", dataLinkType.ToString()));
}
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize, bool littleEndian, FileAccess fileAccess = FileAccess.Write, FileShare fileShare = FileShare.Read) : this()
{
this.FramesWritten = 0;
this.Filename = filename;
this.DataLinkType = dataLinkType;
//this.referenceTime=new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
this.outputStream = new FileStream(filename, fileMode, fileAccess, fileShare, bufferSize, FileOptions.SequentialScan);
if (fileMode != FileMode.Append || outputStream.Position == 0)
{
this.WritePcapHeader(dataLinkType, littleEndian);
}
}
internal PpiPacket(Frame parentFrame, int packetStartIndex, int packetEndIndex)
: base(parentFrame, packetStartIndex, packetEndIndex, "PPI")
{
this.ppiLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2, true);
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("Length", "" + ppiLength);
}
uint dataLinkTypeUInt = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex + 4, 4, true);
this.dataLinkType = (PcapFrame.DataLinkTypeEnum)dataLinkTypeUInt;
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("Data Link Type", dataLinkType.ToString());
}
}
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize, bool littleEndian)
{
this.framesWritten = 0;
this.filename = filename;
this.dataLinkType = dataLinkType;
this.referenceTime = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
this.fileStream = new FileStream(filename, fileMode, FileAccess.Write, FileShare.Read, bufferSize, FileOptions.SequentialScan);
this.isOpen = true;
if (fileMode != FileMode.Append || fileStream.Position == 0)
{
List <byte[]> headerFields = new List <byte[]>();
headerFields.Add(ToByteArray(MAGIC_NUMBER));
headerFields.Add(ToByteArray(MAJOR_VERSION_NUMBER));
headerFields.Add(ToByteArray(MINOR_VERSION_NUMBER));
headerFields.Add(ToByteArray((uint)0x00));
headerFields.Add(ToByteArray((uint)0x00));
headerFields.Add(ToByteArray((uint)0xffff));
headerFields.Add(ToByteArray((uint)dataLinkType));
foreach (byte[] field in headerFields)
{
if (littleEndian)
{
Array.Reverse(field);
}
fileStream.Write(field, 0, field.Length);
}
/*
* fileStream.Write(ToByteArray(MAGIC_NUMBER), 0, 4);
* fileStream.Write(ToByteArray(MAJOR_VERSION_NUMBER), 0, 2);
* fileStream.Write(ToByteArray(MINOR_VERSION_NUMBER), 0, 2);
* fileStream.Write(ToByteArray((uint)0x00), 0, 4);//Time zone offset
* fileStream.Write(ToByteArray((uint)0x00), 0, 4);//accuracy of timestamps
* fileStream.Write(ToByteArray((uint)0xffff), 0, 4);//max length of captured packets, in octets
* fileStream.Write(ToByteArray((uint)dataLinkType), 0, 4);
* */
}
}
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize)
: this(filename, dataLinkType, fileMode, bufferSize, false)
{
//I prefer big endian
}
//public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType) : this(filename, dataLinkType, System.IO.FileMode.Create, 262144){
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType)
: this(filename, dataLinkType, System.IO.FileMode.Create, 8388608)
{
//nothing more needed
}
public static bool TryGetPacket(out Packets.AbstractPacket packet, PcapFrame.DataLinkTypeEnum dataLinkType, Frame parentFrame, int startIndex, int endIndex)
{
return(TryGetPacket(out packet, GetPacketType(dataLinkType), parentFrame, startIndex, endIndex));
}
public static System.Type GetPacketType(PcapFrame.DataLinkTypeEnum dataLinkType)
{
Type packetType = typeof(Packets.Ethernet2Packet);//use Ethernet as default
if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_ETHERNET)
{
packetType = typeof(Packets.Ethernet2Packet);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11 || dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11_WLAN_AVS)
{
packetType = typeof(Packets.IEEE_802_11Packet);
}
//802.11 after a RadioTap header
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP)
{
packetType = typeof(Packets.IEEE_802_11RadiotapPacket);
}
//Or raw IP?
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP ||
dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP_2 ||
dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP_3 ||
dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP4)
{
packetType = typeof(Packets.IPv4Packet);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP6)
{
packetType = typeof(Packets.IPv6Packet);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_CHDLC)
{
packetType = typeof(Packets.CiscoHdlcPacket);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_SLL)
{
packetType = typeof(Packets.LinuxCookedCapture);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PRISM_HEADER)
{
packetType = typeof(Packets.PrismCaptureHeaderPacket);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PPI)
{
packetType = typeof(Packets.PpiPacket);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PPP)
{
packetType = typeof(Packets.PointToPointPacket);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_NULL)
{
packetType = typeof(Packets.NullLoopbackPacket);
}
else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_ERF)
{
packetType = typeof(Packets.ErfFrame);
}
return(packetType);
}
