/// <summary> /// Parse bytes into a packet /// </summary> /// <param name="LinkLayer"> /// A <see cref="LinkLayers"/> /// </param> /// <param name="PacketData"> /// A <see cref="System.Byte"/> /// </param> /// <returns> /// A <see cref="Packet"/> /// </returns> public static Packet ParsePacket(LinkLayers LinkLayer, byte[] PacketData) { Packet p; var bas = new ByteArraySegment(PacketData); log.DebugFormat("LinkLayer {0}", LinkLayer); switch (LinkLayer) { case LinkLayers.Ethernet: p = new EthernetPacket(bas); break; case LinkLayers.LinuxSLL: p = new LinuxSLLPacket(bas); break; case LinkLayers.Ppp: p = new PPPPacket(bas); break; case LinkLayers.Ieee80211: p = new Ieee80211MacFrame(bas); break; case LinkLayers.Ieee80211_Radio: p = new Ieee80211RadioPacket(bas); break; default: throw new System.NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented"); } return(p); }
public void IPv6PacketTestParsing(String pcapPath, LinkLayers linkLayer) { var dev = new CaptureFileReaderDevice(pcapPath); PcapPacket p; using (FileStream fsin = File.Open(pcapPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { PcapStream ps = new PcapStream(); ps.Initialize(fsin); p = ps.GetPacket(); Int32 packetIndex = 0; while (p != null) { switch (packetIndex) { case 0: VerifyPacket0(p.Packet, linkLayer); break; default: Assert.Fail("didn't expect to get to packetIndex " + packetIndex); break; } packetIndex++; p = ps.GetPacket(); } } }
public static BpfProgram Create(LinkLayers linktype, string filter, int optimize = 1, uint netmask = 0) { using (var handle = LibPcapSafeNativeMethods.pcap_open_dead((int)linktype, Pcap.MAX_PACKET_SIZE)) { return(Create(handle, filter, optimize, netmask)); } }
// icmpv6 public void VerifyPacket0(Packet p, RawCapture rawCapture, LinkLayers linkLayer) { Assert.IsNotNull(p); Console.WriteLine(p.ToString()); Assert.AreEqual(linkLayer, rawCapture.LinkLayerType); if (linkLayer == LinkLayers.Ethernet) { EthernetPacket e = (EthernetPacket)p; Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHwAddress); Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHwAddress); } var ip = (IpPacket)p.Extract(typeof(IpPacket)); Console.WriteLine("ip {0}", ip.ToString()); Assert.AreEqual(System.Net.IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress); Assert.AreEqual(System.Net.IPAddress.Parse("ff02::2"), ip.DestinationAddress); Assert.AreEqual(IpVersion.IPv6, ip.Version); Assert.AreEqual(IPProtocolType.ICMPV6, ip.Protocol); Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch"); Assert.AreEqual(255, ip.HopLimit); Assert.AreEqual(255, ip.TimeToLive); Assert.AreEqual(0x3a, (byte)ip.NextHeader); Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented."); Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds); Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds); }
public AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken) { var lastResult = AResult.Continue(); foreach (var analyzer in _analyzers) { lastResult = analyzer.Handle(linkLayers, packet, context, cancellationToken); if (!lastResult.IsContinue) { return(AResult.Stop()); } if (lastResult.IsNewContext) { context = lastResult.Context; } } // This way we don't leak third party assembly's // context to outer world. // But third party assembly can still capture // outer world's context. // So, is this worth it? return(lastResult.IsContinue ? AResult.Continue() : AResult.Stop()); }
public void IPv6PacketTestParsing(string pcapPath, LinkLayers linkLayers) { var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + pcapPath); dev.Open(); RawCapture rawCapture; var packetIndex = 0; while ((rawCapture = dev.GetNextPacket()) != null) { var p = Packet.ParsePacket(rawCapture.GetLinkLayers(), rawCapture.Data); Console.WriteLine("got packet"); switch (packetIndex) { case 0: { VerifyPacket0(p, rawCapture, linkLayers); break; } default: { Assert.Fail("didn't expect to get to packetIndex " + packetIndex); break; } } packetIndex++; } dev.Close(); }
public void VerifyPacket1(Packet p, RawCapture rawCapture, LinkLayers linkLayers) { Assert.IsNotNull(p); Console.WriteLine(p.ToString()); Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers()); if (linkLayers == LinkLayers.Ethernet) { var e = (EthernetPacket)p; Assert.AreEqual(PhysicalAddress.Parse("F894C22EFAD1"), e.SourceHardwareAddress); Assert.AreEqual(PhysicalAddress.Parse("333300000016"), e.DestinationHardwareAddress); } var ip = p.Extract <IPv6Packet>(); Console.WriteLine("ip {0}", ip); Assert.AreEqual(IPAddress.Parse("fe80::d802:3589:15cf:3128"), ip.SourceAddress); Assert.AreEqual(IPAddress.Parse("ff02::16"), ip.DestinationAddress); Assert.AreEqual(IPVersion.IPv6, ip.Version); Assert.AreEqual(ProtocolType.IcmpV6, ip.Protocol); Assert.AreEqual(28, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch"); Assert.AreEqual(1, ip.HopLimit); Assert.AreEqual(1, ip.TimeToLive); Assert.AreEqual(0x3a, (byte)ip.Protocol); Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented."); Assert.AreEqual(1543415539, rawCapture.Timeval.Seconds); Assert.AreEqual(841441.000, rawCapture.Timeval.MicroSeconds); Assert.AreEqual(1, ip.ExtensionHeaders.Count); Assert.AreEqual(6, ip.ExtensionHeaders[0].Payload.Length); }
// icmpv6 public void VerifyPacket0(Packet p, RawCapture rawCapture, LinkLayers linkLayers) { Assert.IsNotNull(p); Console.WriteLine(p.ToString()); Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers()); if (linkLayers == LinkLayers.Ethernet) { var e = (EthernetPacket)p; Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHardwareAddress); Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHardwareAddress); } var ip = p.Extract <IPPacket>(); Console.WriteLine("ip {0}", ip); Assert.AreEqual(IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress); Assert.AreEqual(IPAddress.Parse("ff02::2"), ip.DestinationAddress); Assert.AreEqual(IPVersion.IPv6, ip.Version); Assert.AreEqual(ProtocolType.IcmpV6, ip.Protocol); Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch"); Assert.AreEqual(255, ip.HopLimit); Assert.AreEqual(255, ip.TimeToLive); Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented."); Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds); Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds); }
public void IcmpV4Parsing(string pcapPath, LinkLayers linkLayers) { var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + pcapPath); dev.Open(); var rawCapture = dev.GetNextPacket(); dev.Close(); // Parse an icmp request var p = Packet.ParsePacket(rawCapture.GetLinkLayers(), rawCapture.Data); Assert.IsNotNull(p); Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers()); var icmp = p.Extract <IcmpV4Packet>(); Console.WriteLine(icmp.GetType()); Assert.AreEqual(IcmpV4TypeCode.EchoRequest, icmp.TypeCode); Assert.AreEqual(0xe05b, icmp.Checksum); Assert.AreEqual(0x0200, icmp.Id); Assert.AreEqual(0x6b00, icmp.Sequence); // check that the message matches const string expectedString = "abcdefghijklmnopqrstuvwabcdefghi"; var expectedData = System.Text.Encoding.ASCII.GetBytes(expectedString); Assert.AreEqual(expectedData, icmp.Data); }
private void MarshalRawPacket(IntPtr /* pcap_pkthdr* */ header, IntPtr data) { //RawCapture p; // marshal the header PcapHeader pcapHeader = PcapHeader.FromPointer(header); var PacketData = new byte[pcapHeader.CaptureLength]; Marshal.Copy(data, PacketData, 0, (int)pcapHeader.CaptureLength); LinkLayers linkType = (LinkLayers)pcap_datalink(PcapHandle); //we're only interested in the WiFi Traffic if (linkType == LinkLayers.Ieee80211 && PacketData.Length > 2) { ushort FrameFieldValue = (ushort)(PacketData[0] << 8 | PacketData[1]); FrameControlField field = new FrameControlField(FrameFieldValue); switch (field.SubType) { case FrameSubTypes.ManagementBeacon: { break; } } } //p = new RawCapture(LinkType, new PosixTimeval(pcapHeader.Seconds, pcapHeader.MicroSeconds), pkt_data); }
public void IPv6PacketTestParsing(String pcapPath, LinkLayers linkLayer) { var dev = new CaptureFileReaderDevice(pcapPath); dev.Open(); RawCapture rawCapture; Int32 packetIndex = 0; while ((rawCapture = dev.GetNextPacket()) != null) { var p = Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data); Console.WriteLine("got packet"); switch (packetIndex) { case 0: this.VerifyPacket0(p, rawCapture, linkLayer); break; default: Assert.Fail("didn't expect to get to packetIndex " + packetIndex); break; } packetIndex++; } dev.Close(); }
public void ICMPv4Parsing(String pcapPath, LinkLayers linkLayer) { Packet p; using (FileStream fsin = File.Open(pcapPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { PcapStream ps = new PcapStream(); ps.Initialize(fsin); p = ps.GetPacket().Packet; } Assert.IsNotNull(p); var icmp = (ICMPv4Packet)p.Extract(typeof(ICMPv4Packet)); Console.WriteLine(icmp.GetType()); Assert.AreEqual(ICMPv4TypeCodes.EchoRequest, icmp.TypeCode); Assert.AreEqual(0xe05b, icmp.Checksum); Assert.AreEqual(0x0200, icmp.ID); Assert.AreEqual(0x6b00, icmp.Sequence); // check that the message matches String expectedString = "abcdefghijklmnopqrstuvwabcdefghi"; Byte[] expectedData = System.Text.ASCIIEncoding.ASCII.GetBytes(expectedString); Assert.AreEqual(expectedData, icmp.Data); }
/// <summary>Parse bytes into a packet</summary> /// <param name="LinkLayer"> /// A <see cref="T:PacketDotNet.LinkLayers" /></param> /// <param name="PacketData"> /// A <see cref="T:System.Byte" /></param> /// <returns> /// A <see cref="T:PacketDotNet.Packet" /></returns> public static Packet ParsePacket(LinkLayers LinkLayer, byte[] PacketData) { ByteArraySegment bas = new ByteArraySegment(PacketData); switch (LinkLayer) { case LinkLayers.Ethernet: return((Packet) new EthernetPacket(bas)); case LinkLayers.Ppp: return((Packet) new PPPPacket(bas)); case LinkLayers.Ieee80211: return((Packet)MacFrame.ParsePacket(bas)); case LinkLayers.LinuxSLL: return((Packet) new LinuxSLLPacket(bas)); case LinkLayers.Ieee80211_Radio: return((Packet) new RadioPacket(bas)); case LinkLayers.PerPacketInformation: return((Packet) new PpiPacket(bas)); default: throw new NotImplementedException("LinkLayer of " + (object)LinkLayer + " is not implemented"); } }
public void ICMPv4Parsing(String pcapPath, LinkLayers linkLayer) { var dev = new CaptureFileReaderDevice(pcapPath); dev.Open(); var rawCapture = dev.GetNextPacket(); dev.Close(); // Parse an icmp request Packet p = Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data); Assert.IsNotNull(p); Assert.AreEqual(linkLayer, rawCapture.LinkLayerType); var icmp = (ICMPv4Packet)p.Extract(typeof(ICMPv4Packet)); Console.WriteLine(icmp.GetType()); Assert.AreEqual(ICMPv4TypeCodes.EchoRequest, icmp.TypeCode); Assert.AreEqual(0xe05b, icmp.Checksum); Assert.AreEqual(0x0200, icmp.ID); Assert.AreEqual(0x6b00, icmp.Sequence); // check that the message matches String expectedString = "abcdefghijklmnopqrstuvwabcdefghi"; Byte[] expectedData = System.Text.ASCIIEncoding.ASCII.GetBytes(expectedString); Assert.AreEqual(expectedData, icmp.Data); }
public void GreIPv4Parsing() { var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + "gre_all_options.pcap"); dev.Open(); var rawCapture = dev.GetNextPacket(); dev.Close(); LinkLayers linkLayers = rawCapture.GetLinkLayers(); if (linkLayers == LinkLayers.Ethernet) { Console.WriteLine("Linklayer is ethernet"); // Linklayer Packet p = Packet.ParsePacket(linkLayers, rawCapture.Data); Assert.IsNotNull(p); // Ethernet EthernetPacket eth = p.Extract <EthernetPacket>(); Assert.IsNotNull(eth); if (eth.Type == EthernetType.IPv4) { Console.WriteLine("IPv4 inside ethernet"); // IPv4 IPv4Packet ipv4 = eth.Extract <IPv4Packet>(); Assert.IsNotNull(ipv4); if (ipv4.Protocol == ProtocolType.Gre) { Console.WriteLine("GRE inside IPv4"); // Gre GrePacket grep = ipv4.Extract <GrePacket>(); Assert.IsNotNull(grep); // String output Console.WriteLine(grep.ToString()); // Get header if (grep.HasCheckSum) { Console.WriteLine("GRE has checksum flag"); } if (grep.HasKey) { Console.WriteLine("GRE has key flag"); } if (grep.HasReserved) { Console.WriteLine("GRE has reserved flag"); } if (grep.HasSequence) { Console.WriteLine("GRE has sequence flag"); } Assert.AreEqual(grep.Protocol, EthernetType.IPv4); } } } }
/// <summary> /// Constructor /// </summary> /// <param name="LinkLayerType"> /// A <see cref="LinkLayers"/> /// </param> /// <param name="Timeval"> /// A <see cref="PosixTimeval"/> /// </param> /// <param name="Data"> /// A <see cref="System.Byte"/> /// </param> public RawCapture(LinkLayers LinkLayerType, PosixTimeval Timeval, byte[] Data) { this.LinkLayerType = LinkLayerType; this.Timeval = Timeval; this.Data = Data; }
public RawPacket(LinkLayers LinkLayerType, Timeval Timeval, byte[] Data) { this.LinkLayerType = LinkLayerType; this.Timeval = Timeval; this.Data = Data; }
/// <summary> /// Constructor /// </summary> /// <param name="LinkLayerType"> /// A <see cref="LinkLayers"/> /// </param> /// <param name="Timeval"> /// A <see cref="PosixTimeval"/> /// </param> /// <param name="Data"> /// A <see cref="byte"/> /// </param> public RawCapture(LinkLayers LinkLayerType, PosixTimeval Timeval, byte[] Data) { this.LinkLayerType = LinkLayerType; this.Timeval = Timeval; this.Data = Data; }
public static PcapPacket GetPacket(BinaryReader readBuffer, LinkLayers LinkLayer) { PcapPacket value = new PcapPacket(); byte[] headerbuffer; byte[] payloadbuffer; long time; headerbuffer = new byte[PACKET_HEADER_LENGTH]; if (readBuffer.Read(headerbuffer, 0, PACKET_HEADER_LENGTH) == 0) { return(null); } uint timeValSecs = BitConverter.ToUInt32(headerbuffer, 0); uint timeValUsecs = BitConverter.ToUInt32(headerbuffer, 4); // number of octets stored in packet saved in file int inclLen = (int)BitConverter.ToUInt32(headerbuffer, 8); // actual length of packet uint origLen = BitConverter.ToUInt32(headerbuffer, 12); time = (long)(timeValSecs * TimeSpan.TicksPerSecond + timeValUsecs * TimeSpan.TicksPerMillisecond * 1.0e-3); payloadbuffer = new byte[inclLen]; int requestLength = inclLen; int totalReceived = 0; int retryCount = 0; while (requestLength > 0) { int resultLength = readBuffer.Read(payloadbuffer, totalReceived, requestLength); if (requestLength != resultLength) { //if it the result is length 0 and we are expecting more try a couple more times if (resultLength == 0) { if (retryCount > 2) { return(null); } retryCount++; } } requestLength -= resultLength; totalReceived += resultLength; } try { value.Packet = PacketDotNet.Packet.ParsePacket(LinkLayer, payloadbuffer); } catch (System.ArgumentException ex) { throw new Exception("Error parsing packet at " + time, ex); } return(value); }
public static void Open(this CaptureFileWriterDevice device, LinkLayers linkLayerType = LinkLayers.Ethernet) { var configuration = new DeviceConfiguration() { LinkLayerType = linkLayerType, }; device.Open(configuration); }
/// <summary> /// Constructor /// </summary> /// <param name="LinkLayerType"> /// A <see cref="LinkLayers"/> /// </param> /// <param name="Timeval"> /// A <see cref="PosixTimeval"/> /// </param> /// <param name="Data"> /// A <see cref="byte"/> /// </param> public RawCapture(LinkLayers LinkLayerType, PosixTimeval Timeval, byte[] Data, int?packetLength = null) { this.LinkLayerType = LinkLayerType; this.Timeval = Timeval; this.Data = Data; this.PacketLength = packetLength ?? Data?.Length ?? 0; }
public PcapHeader(BinaryReader readBuffer) { byte[] Buffer = new byte[20]; readBuffer.Read(Buffer, 0, 20); MajorVersion = BitConverter.ToUInt16(Buffer, 0); MinorVersion = BitConverter.ToUInt16(Buffer, 2); ThisZone = BitConverter.ToUInt32(Buffer, 4); SigFigs = BitConverter.ToUInt32(Buffer, 8); SnapLen = BitConverter.ToUInt32(Buffer, 12); LinkType = (LinkLayers)BitConverter.ToUInt32(Buffer, 16); }
public virtual AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken) { while (packet != null) { if (packet is T target) { return(Handle(linkLayers, target, context, cancellationToken)); } packet = packet.PayloadPacket; } return(AResult.Continue()); }
public static Packet ParsePacket(LinkLayers LinkLayer, PosixTimeval Timeval, byte[] PacketData) { LinkLayers layers = LinkLayer; if (layers != LinkLayers.Ethernet) { if (layers != LinkLayers.LinuxSLL) { throw new NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented"); } return(new LinuxSLLPacket(PacketData, 0, Timeval)); } return(new EthernetPacket(PacketData, 0, Timeval)); }
public AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken) { IAnalyzer analyzer; lock (_locker) { if (_isDisposed) { throw new ObjectDisposedException(nameof(HotReloadAnalyzer)); } analyzer = _currentAnalyzer !; // If we are not disposed, analyzer exists. } return(analyzer.Handle(linkLayers, packet, context, cancellationToken)); }
/// <summary> Fetch the header length associated with various link-layer types.</summary> /// <param name="layerType">the link-layer code /// </param> /// <returns> the length of the header for the specified link-layer /// </returns> public static int LinkLayerLength(LinkLayers layerType) { switch (layerType) { case LinkLayers.ARCNET: return 6; case LinkLayers.SLIP: return 16; case LinkLayers.SLIP_BSD: return 24; case LinkLayers.Null: case LinkLayers.Loop: return 4; case LinkLayers.PPP: case LinkLayers.CiscoHDLC: case LinkLayers.PPPSerial: return 4; case LinkLayers.PPP_BSD: return 24; case LinkLayers.FDDI: return 21; case LinkLayers.IEEE802_11: return 22; case LinkLayers.ATM_RFC1483: return 8; case LinkLayers.Raw: return 0; case LinkLayers.ATM_CLIP: return 8; case LinkLayers.LinuxSLL: return 16; case LinkLayers.Ethernet10Mb: default: return 14; } }
/// <summary> Fetch the header length associated with various link-layer types.</summary> /// <param name="layerType">the link-layer code /// </param> /// <returns> the length of the header for the specified link-layer /// </returns> public static int LinkLayerLength(LinkLayers layerType) { switch (layerType) { case LinkLayers.ARCNET: return(6); case LinkLayers.SLIP: return(16); case LinkLayers.SLIP_BSD: return(24); case LinkLayers.Null: case LinkLayers.Loop: return(4); case LinkLayers.PPP: case LinkLayers.CiscoHDLC: case LinkLayers.PPPSerial: return(4); case LinkLayers.PPP_BSD: return(24); case LinkLayers.FDDI: return(21); case LinkLayers.IEEE802_11: return(22); case LinkLayers.ATM_RFC1483: return(8); case LinkLayers.Raw: return(0); case LinkLayers.ATM_CLIP: return(8); case LinkLayers.LinuxSLL: return(16); case LinkLayers.Ethernet10Mb: default: return(14); } }
/// <summary> Fetch the offset into the link-layer header where the protocol code /// can be found. Returns -1 if there is no embedded protocol code. /// </summary> /// <param name="layerType">the link-layer code /// </param> /// <returns> the offset in bytes /// </returns> public static int ProtocolOffset(LinkLayers layerType) { switch (layerType) { case LinkLayers.ARCNET: return(2); case LinkLayers.SLIP: return(-1); case LinkLayers.SLIP_BSD: return(-1); case LinkLayers.Null: case LinkLayers.Loop: return(0); case LinkLayers.PPP: case LinkLayers.CiscoHDLC: case LinkLayers.PPPSerial: return(2); case LinkLayers.PPP_BSD: return(5); case LinkLayers.FDDI: return(13); case LinkLayers.IEEE802_11: return(14); case LinkLayers.ATM_RFC1483: return(6); case LinkLayers.Raw: return(-1); case LinkLayers.ATM_CLIP: return(6); case LinkLayers.LinuxSLL: return(14); case LinkLayers.Ethernet10Mb: default: return(12); } }
/// <summary> /// Parse bytes into a packet /// </summary> /// <param name="linkLayer"> /// A <see cref="LinkLayers" /> /// </param> /// <param name="packetData"> /// A <see cref="System.Byte" /> /// </param> /// <returns> /// A <see cref="Packet" /> /// </returns> public static Packet ParsePacket(LinkLayers linkLayer, byte[] packetData) { Packet p; var bas = new ByteArraySegment(packetData); Log.DebugFormat("LinkLayer {0}", linkLayer); switch (linkLayer) { case LinkLayers.Ethernet: p = new EthernetPacket(bas); break; case LinkLayers.LinuxSLL: p = new LinuxSLLPacket(bas); break; case LinkLayers.Ppp: p = new PPPPacket(bas); break; case LinkLayers.Ieee80211: p = MacFrame.ParsePacket(bas); break; case LinkLayers.Ieee80211_Radio: p = new RadioPacket(bas); break; case LinkLayers.PerPacketInformation: p = new PpiPacket(bas); break; //http://sourceforge.net/p/packetnet/patches/1/ case LinkLayers.Raw: var ipVer = (packetData[0] & 0xf0) >> 4; p = (ipVer == 4)? new IPv4Packet(bas) : new IPv6Packet(bas) as Packet; break; default: throw new NotImplementedException("LinkLayer of " + linkLayer + " is not implemented"); } return(p); }
private static Boolean ParseLinkLayer(ReadOnlySpan <Byte> linkData, LinkLayers linkType, out ReadOnlySpan <Byte> networkData, out EthernetPacketType ethernetProtocol) { networkData = ArraySegment <Byte> .Empty; ethernetProtocol = EthernetPacketType.None; switch (linkType) { case LinkLayers.Ethernet: var ethernetTypePosition = EthernetFields.TypePosition; ethernetProtocol = (EthernetPacketType)((linkData[ethernetTypePosition] << 8) | linkData[ethernetTypePosition + 1]); networkData = linkData.Slice(EthernetFields.HeaderLength, linkData.Length - EthernetFields.HeaderLength); // 4B Ethernet trailer (CRC) return(true); default: return(false); } }
public static string GetProtocol(LinkLayers type, Byte[] data) { ip_address ip; ip.byte1 = data[0]; ip.byte2 = data[1]; ip.byte3 = data[2]; ip.byte4 = data[3]; ip_header ip_h; ip_h.proto = data[13]; string packet = "" + PacketDotNet.Packet.ParsePacket(type, data); switch (ip_h.proto) { case 0: return "TCP" + ip_h.proto.ToString("X2"); case 6: return "ARP" + ip_h.proto.ToString("X2"); case 221: return "UDP" + ip_h.proto.ToString("X2"); } return "Not Known" + ip_h.proto.ToString("X2"); }
/// <summary> /// Ges the flow key for the given <paramref name="frame"/>. /// </summary> /// <param name="linkLayer">The link layer of the frame.</param> /// <param name="frame">The frame bytes.</param> /// <returns>The flow kye of the frame.</returns> public FlowKey GetFlowKey(LinkLayers linkLayer, Span <byte> frame) { var packet = Packet.ParsePacket(linkLayer, frame.ToArray()); return(_packetKeyProvider.GetKey(packet)); }
/// <summary> Convert captured packet data into an object.</summary> public static Packet dataToPacket(LinkLayers linkType, byte[] bytes, Timeval tv) { EthernetPacketType ethProtocol; // retrieve the length of the headers associated with this link layer type. // this length is the offset to the header embedded in the packet. int byteOffsetToEthernetPayload = LinkLayer.LinkLayerLength(linkType); // extract the protocol code for the type of header embedded in the // link-layer of the packet int offset = LinkLayer.ProtocolOffset(linkType); if (offset == -1) { // if there is no embedded protocol, assume IpV4 ethProtocol = EthernetPacketType.IPv4; } else { ethProtocol = (EthernetPacketType)ArrayHelper.extractInteger(bytes, offset, EthernetFields_Fields.ETH_CODE_LEN); } string errorString; Packet parsedPacket = null; try { // try to recognize the ethernet type.. switch (ethProtocol) { // arp case EthernetPacketType.ARP: parsedPacket = new ARPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case EthernetPacketType.IPv6: case EthernetPacketType.IPv4: try { // ethernet level code is recognized as IP, figure out what kind.. int ipProtocol = IPProtocol.extractProtocol(byteOffsetToEthernetPayload, bytes); switch (ipProtocol) { case (int)IPProtocol.IPProtocolType.ICMP: parsedPacket = new ICMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.IGMP: parsedPacket = new IGMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.TCP: parsedPacket = new TCPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.UDP: parsedPacket = new UDPPacket(byteOffsetToEthernetPayload, bytes, tv); break; // unidentified ip.. default: parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); break; } // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return parsedPacket; } } catch { // error parsing the specific ip packet type, parse as a generic IPPacket parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return parsedPacket; } } // ethernet level code not recognized, default to anonymous packet.. default: parsedPacket = new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv); break; } return parsedPacket; } catch { // we know we have at least an ethernet packet, so return that return new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv); } }
/// <summary> Convert captured packet data into an object.</summary> public static Packet dataToPacket(LinkLayers linkType, byte[] bytes) { return dataToPacket(linkType, bytes, new Timeval(0, 0)); }
/// <summary> Fetch the offset into the link-layer header where the protocol code /// can be found. Returns -1 if there is no embedded protocol code. /// </summary> /// <param name="layerType">the link-layer code /// </param> /// <returns> the offset in bytes /// </returns> public static int ProtocolOffset(LinkLayers layerType) { switch (layerType) { case LinkLayers.ARCNET: return 2; case LinkLayers.SLIP: return -1; case LinkLayers.SLIP_BSD: return -1; case LinkLayers.Null: case LinkLayers.Loop: return 0; case LinkLayers.PPP: case LinkLayers.CiscoHDLC: case LinkLayers.PPPSerial: return 2; case LinkLayers.PPP_BSD: return 5; case LinkLayers.FDDI: return 13; case LinkLayers.IEEE802_11: return 14; case LinkLayers.ATM_RFC1483: return 6; case LinkLayers.Raw: return -1; case LinkLayers.ATM_CLIP: return 6; case LinkLayers.LinuxSLL: return 14; case LinkLayers.Ethernet10Mb: default: return 12; } }
public static PacketData Parse(ReadOnlySpan <byte> bytes) { if (bytes.Length < MinimumLength) { throw new TzspUnpackException($"Packet length is < {MinimumLength}."); } var state = State.Version; LinkLayers linkLayer = LinkLayers.Null; for (int i = 0; i < bytes.Length; ++i) { switch (state) { case State.Version: if (Version != bytes[i]) { throw new TzspUnpackException($"Version number mismatch. {Version} != {bytes[i]}."); } state = State.Type; break; case State.Type: if (bytes[i] > 5) { throw new TzspUnpackException($"Invalid type value {bytes[i]}."); } state = State.Protocol; break; case State.Protocol: ushort protocol = (ushort)((bytes[i] << 8) | (bytes[i + 1])); i += 1; linkLayer = GetLinkLayerFromProtocol(protocol); state = State.TaggedFields; break; case State.TaggedFields: for (int j = i; j < bytes.Length;) { var type = bytes[j]; if (type == TagPadding) { j += 1; continue; } if (type == TagEnd) { i = j; break; } var tagLength = bytes[j + 1]; j += 2 + tagLength; } state = State.Packet; break; case State.Packet: return(new PacketData(linkLayer, bytes.Slice(i))); } } throw new TzspUnpackException("Invalid TZSP packet structure (missing bytes)."); }
public static Packet ParsePacket(LinkLayers LinkLayer, PosixTimeval Timeval, byte[] PacketData) { LinkLayers layers = LinkLayer; if (layers != LinkLayers.Ethernet) { if (layers != LinkLayers.LinuxSLL) { throw new NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented"); } return new LinuxSLLPacket(PacketData, 0, Timeval); } return new EthernetPacket(PacketData, 0, Timeval); }