/// <summary> /// Write interface description block to output file based on specified interface instance /// </summary> private UInt32 WriteInterfaceDescriptionBlock(BinaryWriter binWriter, PcapNgInterface iface) { var blockTotalLength = this.CountInterfaceDescriptionBlockSize(); binWriter.Write((UInt32)0x00000001); // Block type binWriter.Write(blockTotalLength); // Block total length binWriter.Write(iface.LinkType); // LinkType binWriter.Write((UInt16)0x0000); // reserved binWriter.Write(iface.SnapLen); // Option tsresol : binWriter.Write((UInt16)PcapNgInterface.InterfaceOptions.IfTsresol); binWriter.Write((UInt16)0x0001); binWriter.Write((Byte)0x09); // in nanoseconds binWriter.Write((Byte)0x00); // padding binWriter.Write((Byte)0x00); // padding binWriter.Write((Byte)0x00); // padding // Option opt_endofopt : binWriter.Write((UInt32)0x0000); binWriter.Write(blockTotalLength); // Block total length return(blockTotalLength); }
private PcapNgInterface _iface; // holds link to interface to which frame belongs /// <summary> /// Constructor used when indexing /// </summary> public PmFramePcapNg( PmCaptureBase pmCapture, Int64 fraIndex, Int64 fraOffset, PmLinkType pmLinkType, DateTime timeStamp, Int64 oriLength, Int64 incLength, FrameBLockType type, PcapNgInterface iface) : base(pmCapture, pmLinkType, timeStamp, incLength, PmFrameType.PcapNg, fraIndex, oriLength) { this.FrameOffset = fraOffset; this._blockType = type; this._iface = iface; UInt32 startOffset = 0; switch (this._blockType) { case FrameBLockType.EnhancedPacket: startOffset = 28; break; case FrameBLockType.SimplePacket: startOffset = 12; break; case FrameBLockType.PacketBlock: startOffset = 28; break; } this.L2Offset = this.FrameOffset + startOffset; }
/// <summary> /// Create PCAP-ng file that includes all frames stored in current instace. /// For each link type will be created "virtual interface" and all frames /// with this link type will in output file belong to it. /// </summary> private Boolean CreatePcapNgOutput(String outputFile) { try { // holds list of all link types inclede in frame vector var framesLinkTypes = new List <PmLinkType>(); // TODO - optimize LINQ ? foreach (var fr in this.PmCapture.Frames) { if (!framesLinkTypes.Contains(fr.PmLinkType)) { framesLinkTypes.Add(fr.PmLinkType); } } // holds list of new created virtual interfaces : var virtualInterfaces = new List <PcapNgInterface>(); // directory for faster lookup : var virtualInterfacesDictionary = new Dictionary <PmLinkType, PcapNgInterface>(); UInt16 ifaceId = 0; foreach (var type in framesLinkTypes) { // create new itnerface for each link type : var newIface = new PcapNgInterface((UInt16)ConvertCommonLayer2ToPcapNgLayer2(type), ifaceId); virtualInterfaces.Add(newIface); virtualInterfacesDictionary.Add(type, newIface); ifaceId++; } // open output file stream : var binWriter = new BinaryWriter(File.Open(Path.GetFullPath(outputFile), FileMode.Create, FileAccess.Write, FileShare.ReadWrite)); // skipt section header for now - will be add at end binWriter.BaseStream.Seek(this.CountSectionHeaderBlockSize(), SeekOrigin.Begin); var sectionSize = virtualInterfaces.Aggregate <PcapNgInterface, UInt64>(0, (current, iface) => current + this.WriteInterfaceDescriptionBlock(binWriter, iface)); sectionSize = this.PmCapture.Frames.Aggregate(sectionSize, (current, fr) => current + this.WriteEnhancedPacketBlock(binWriter, fr, virtualInterfacesDictionary)); // add section header size (section size is now known) : binWriter.BaseStream.Seek(0, SeekOrigin.Begin); this.WriteSectionHeaderBlock(binWriter, sectionSize); // close output file binWriter.Close(); } /* If anything went bad generate exception and return false */ catch (Exception ex) //todo to general { //todo fix //Log.Error("PmCaptureProcessorPcapNg General error", ex); PmConsolePrinter.PrintError(ex.Message); return(false); } /* otherwise return true if everything went good */ return(true); }
private DateTime ConvertUint64ToTimeStamp(UInt64 data, PcapNgInterface iface) { UInt64 mult; if (iface.HasTsresol) { var tsresol = iface.Tsresol; var pow = (tsresol & 0x7F); if ((tsresol & 0x80) == 0) // negPower of 10 { mult = (UInt64)Math.Pow(10, pow); } else // negPower of 2 { mult = (UInt64)Math.Pow(2, pow); } } else { mult = 1000000; } var sec = data / mult; var frac = data % mult; sec += iface.Tzone; const UInt32 ticksPerSecond = 10000000; var fracMult = ticksPerSecond / mult; // Console.WriteLine("Ticks per second : " + DateTime.TicksPerSecond); var pTime = new DateTime(1970, 01, 01, 0, 0, 0); pTime = pTime.AddSeconds(sec); pTime = pTime.AddTicks((Int64)(frac * fracMult)); return(pTime); }
private void ParseInterfaceDescriptionBlock(Int64 offset, Boolean swapValue, UInt16 ifaceId, List <PcapNgInterface> sectionIfaceList) { var linkType = this.GetInterfaceLinkType(offset, swapValue); var snapLen = this.GetInterfaceSnapLen(offset, swapValue); var newIface = new PcapNgInterface(snapLen, linkType, ifaceId); sectionIfaceList.Add(newIface); var blockLen = this.GetGeneralBlockTotalLength(offset, swapValue); var currentOffset = offset + 16; var eofBlockOffset = offset + blockLen - 4; // PmConsolePrinter.PrintDebug("Interface description block " + currentOffset + " " + eofBlockOffset); var eofFound = false; while (!eofFound && currentOffset < eofBlockOffset) { var optionCode = this.GetOptionCode(currentOffset, swapValue); var optionLength = this.GetOptionLength(currentOffset, swapValue); var dataOffset = currentOffset + 4; //Console.WriteLine("Option :" + (PcapNgInterface.InterfaceOptions)optionCode + " " + optionLength + " Lenght : "+ optionLength); switch ((PcapNgInterface.InterfaceOptions)optionCode) { case PcapNgInterface.InterfaceOptions.OptEndofopt: eofFound = true; break; case PcapNgInterface.InterfaceOptions.IfName: newIface.IfName = this.GetOptionString(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfDescription: newIface.IfDescription = this.GetOptionString(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfIPv4Addr: newIface.Addresses.Add(new IPAddress(GetOptionBytes(dataOffset, optionLength), 4)); break; case PcapNgInterface.InterfaceOptions.IfIPv6Addr: newIface.Addresses.Add(new IPAddress(this.GetOptionBytes(dataOffset, optionLength), 4)); break; case PcapNgInterface.InterfaceOptions.IfMaCaddr: newIface.MacAddress = this.GetOptionBytes(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfEuIaddr: newIface.EuiAddr = this.GetOptionBytes(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfSpeed: newIface.Speed = this.GetOptionUint64(dataOffset, swapValue); break; case PcapNgInterface.InterfaceOptions.IfTsresol: newIface.Tsresol = this.GetOptionByte(dataOffset); newIface.HasTsresol = true; break; case PcapNgInterface.InterfaceOptions.IfTzone: newIface.Tzone = this.GetOptionUint64(dataOffset, swapValue); break; case PcapNgInterface.InterfaceOptions.IfFilter: newIface.Filter = this.GetOptionBytes(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfOs: newIface.Os = this.GetOptionString(dataOffset, optionLength); break; case PcapNgInterface.InterfaceOptions.IfFcslen: newIface.Fcslen = this.GetOptionByte(dataOffset); break; case PcapNgInterface.InterfaceOptions.IfTsoffset: newIface.Tsoffset = this.GetOptionUint64(dataOffset, swapValue); break; } currentOffset += this.AdjustLength(optionLength) + 4; } }