        // PCAPNG
        // Physical File Layout
        // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        // | SHB | IDB | EPB | EPB |    ...    | EPB |
        // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        /// <summary>
        /// Appends one Enhanced Packet Block (EPB) for <paramref name="record"/> to the output stream
        /// and updates the running section counters.
        /// </summary>
        /// <param name="record">The ETW event carrying the captured frame.</param>
        /// <param name="headerRecord">
        /// Optional raw bytes of the NDIS metadata event captured before the frame. They are attached to
        /// the block only when <c>NdisEtwMetadata.isNdisEtwMetadata</c> accepts them; otherwise ignored.
        /// </param>
        public void writePacket(EventRecord record, byte[] headerRecord = null)
        {
            bool hasMetadata = headerRecord != null && NdisEtwMetadata.isNdisEtwMetadata(headerRecord);
            EnhancedPacketBlock block;

            if (!hasMetadata)
            {
                block = new EnhancedPacketBlock(record, maxPacketSize);
            }
            else
            {
                var metadata = new NdisEtwMetadata(headerRecord);
                block = new EnhancedPacketBlock(record, metadata, maxPacketSize);
                packetsWithHeaders++;
            }

            // Section bookkeeping: count of blocks and their cumulative on-disk size.
            packetCount++;
            totalSectionCount += block.totalByteLength;

            fileWriter.Write(block.totalBytes);
        }
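        /// <summary>
        /// Converts an ETL trace (<paramref name="source"/>) into a packet capture at <paramref name="destination"/>.
        /// A destination ending in ".pcapng" is written with the block-based <c>pcapng</c> writer; any other
        /// extension produces a classic libpcap file (global header followed by a record header per frame).
        /// </summary>
        /// <param name="source">Path of the ETL file to read.</param>
        /// <param name="destination">Path of the capture file to create; an existing file is overwritten.</param>
        /// <param name="maxPacketSize">Snapshot length written to the capture header. In the classic pcap
        /// path a frame whose payload exceeds it is skipped (a record with incl_len &gt; snaplen is malformed).</param>
        /// <param name="networkType">Link-layer type written to the capture header (default 1 = Ethernet).</param>
        /// <returns>The number of packets actually written to <paramref name="destination"/>.</returns>
        public static long ConvertEtlToPcap(string source, string destination, UInt32 maxPacketSize, UInt32 networkType = 1)
        {
            long result        = 0;
            var networkTrace   = new Guid("{00000001-0000-0000-0000-000000000000}");
            var ndisProviderId = new Guid("{2ed6006e-4729-4609-b423-3ee7bcd678ef}");
            // pcap record timestamps are seconds + microseconds since the Unix epoch, in UTC.
            var unixEpoch      = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

            using (BinaryWriter writer = new BinaryWriter(File.Open(destination, FileMode.Create)))
            {
                pcapng ngFile = null;
                // Ordinal, case-insensitive: the format choice must not depend on the current culture
                // or on how the user capitalised the extension.
                if (destination.EndsWith(".pcapng", StringComparison.OrdinalIgnoreCase))
                {
                    ngFile = new pcapng(writer, maxPacketSize, (UInt16)networkType);
                }
                else
                {
                    // Classic libpcap global header, little-endian, microsecond timestamps.
                    UInt32 magic_number  = 0xa1b2c3d4;
                    UInt16 version_major = 2;
                    UInt16 version_minor = 4;
                    Int32  thiszone      = 0;
                    UInt32 sigfigs       = 0;
                    UInt32 snaplen       = maxPacketSize;
                    UInt32 network       = networkType;

                    writer.Write(magic_number);
                    writer.Write(version_major);
                    writer.Write(version_minor);
                    writer.Write(thiszone);
                    writer.Write(sigfigs);
                    writer.Write(snaplen);
                    writer.Write(network);
                }

                using (var reader = new EventLogReader(source, PathType.FilePath))
                {
                    EventRecord record;
                    List<byte> header = new List<byte>();
                    while ((record = reader.ReadEvent()) != null)
                    {
                        using (record)
                        {
                            // Only events from the network trace activity or the NDIS provider carry frames.
                            if (record.ActivityId != networkTrace && record.ProviderId != ndisProviderId)
                            {
                                continue;
                            }

                            if (ngFile != null && NdisEtwMetadata.isNdisEtwMetadata(record))
                            {
                                // A metadata event describes the frame that follows it; stash it for writePacket.
                                header.Clear();
                                header.AddRange(NdisEtwMetadata.NdisEtwMetadataBytes(record));
                                continue;
                            }

                            if (ngFile != null)
                            {
                                if (header.Count > 0)
                                {
                                    ngFile.writePacket(record, header.ToArray());
                                }
                                else
                                {
                                    ngFile.writePacket(record);
                                }
                                header.Clear();
                                result++;
                                continue;
                            }

                            // Classic pcap record. incl_len must equal the number of payload bytes that
                            // follow the record header, so it is taken from the fragment actually written,
                            // not from the event's length property (which becomes orig_len).
                            byte[] fragment = (byte[])record.Properties[3].Value;
                            UInt32 orig_len = (UInt32)record.Properties[2].Value;
                            UInt32 incl_len = (UInt32)fragment.Length;
                            if (incl_len > maxPacketSize)
                            {
                                // A record larger than snaplen is rejected by most readers; skip it as announced.
                                Console.WriteLine($"Packet size of {incl_len} exceeded max packet size {maxPacketSize}, packet ignored");
                                continue;
                            }

                            // Tick arithmetic avoids the double -> UInt32 overflow of a millisecond-based
                            // computation (milliseconds since 1970 do not fit in 32 bits). ToUniversalTime()
                            // normalises a local-kind TimeCreated and is a no-op for UTC — assumes TimeCreated
                            // is not DateTimeKind.Unspecified in a non-local zone; TODO confirm.
                            long unixTicks = ((DateTime)record.TimeCreated).ToUniversalTime().Ticks - unixEpoch.Ticks;
                            UInt32 ts_sec  = (UInt32)(unixTicks / TimeSpan.TicksPerSecond);
                            UInt32 ts_usec = (UInt32)((unixTicks % TimeSpan.TicksPerSecond) / 10); // 100ns ticks -> µs

                            writer.Write(ts_sec);
                            writer.Write(ts_usec);
                            writer.Write(incl_len);
                            writer.Write(orig_len);
                            writer.Write(fragment);
                            result++;
                        }
                    }

                    if (ngFile != null)
                    {
                        ngFile.UpdateHeaderBlock();
                    }

                    return result;
                }
            }
        }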
 /// <summary>
 /// Builds an Enhanced Packet Block for <paramref name="record"/> that also carries the NDIS
 /// metadata event captured before the frame. Chains to the
 /// (record, maxPacketSize, string) constructor, handing over the header's string form.
 /// </summary>
 /// <param name="record">ETW event holding the captured frame.</param>
 /// <param name="header">Parsed NDIS metadata; must not be null, since its ToString() is evaluated here.</param>
 /// <param name="maxPacketSize">Forwarded unchanged to the primary constructor.</param>
 public EnhancedPacketBlock(EventRecord record, NdisEtwMetadata header, UInt32 maxPacketSize)
     : this(record, maxPacketSize, header.ToString()) { }