public void AddFiled(string name)
{
if (FieldIds.ContainsKey(name))
{
return;
}
uint id;
if (NetmonAPI.NmAddField(this.FrameParserConfig, name, out id) == 0)
{
FieldIds[name] = id;
NeedsRebuild = true;
}
}
public void AddProperty(string name)
{
if (PropertyIds.ContainsKey(name))
{
return;
}
uint id;
if (NetmonAPI.NmAddProperty(this.FrameParserConfig, name, out id) == 0)
{
PropertyIds[name] = id;
NeedsRebuild = true;
}
}
public void Setup()
{
NM_API_CONFIGURATION apiConfig = new NM_API_CONFIGURATION();
apiConfig.Size = (ushort)System.Runtime.InteropServices.Marshal.SizeOf(typeof(NM_API_CONFIGURATION));
uint status = NetmonAPI.NmGetApiConfiguration(ref apiConfig);
apiConfig.ThreadingMode = 0;
uint errno = NetmonAPI.NmApiInitialize(ref apiConfig);
if (errno != 0)
{
throw new Exception("Error NmApiInitalize. Errno: " + errno);
}
}
/// <summary>
/// Stops the capture and clean the capture engine handle.
/// </summary>
/// <param name="adapterIndex"></param>
/// <returns></returns>
public bool StopCapture(List <uint> adapters)
{
if (this.captureEngineHandle != IntPtr.Zero)
{
foreach (uint adapterIndex in adapters)
{
NetmonAPI.NmStopCapture(this.captureEngineHandle, adapterIndex);
}
NetmonAPI.NmCloseHandle(this.captureFileHandle);
this.captureFileHandle = IntPtr.Zero;
}
return(true);
}
public string GetPropertyString(string name)
{
if (this.Parser == null)
{
return(null);
}
if (!this.Parser.HasProperty(name))
{
return(null);
}
uint fieldId = this.Parser.Property(name);
uint ulLength = 255;
NmPropertyValueType vt;
unsafe
{
byte[] uintBuffer = new byte[255];
fixed(byte *pbuf = uintBuffer)
{
uint ret = NetmonAPI.NmGetPropertyById(Parser.Handle, fieldId, ulLength, pbuf, out ulLength, out vt, 0, null);
if (ret == 122 && vt == NmPropertyValueType.PropertyValueString)
{
uintBuffer = new byte[ulLength];
fixed(byte *pbuf2 = uintBuffer)
{
if (0 == NetmonAPI.NmGetPropertyById(Parser.Handle, fieldId, ulLength, pbuf2, out ulLength, out vt, 0, null))
{
//uintBuffer.to
return(System.Text.Encoding.Unicode.GetString(uintBuffer, 0, (int)ulLength).Trim('\0'));
}
}
}
else if (ret == 0 && vt == NmPropertyValueType.PropertyValueString)
{
return(System.Text.Encoding.Unicode.GetString(uintBuffer, 0, (int)ulLength).Trim('\0'));
}
}
}
return(null);
}
public void Stop()
{
uint errno;
errno = NetmonAPI.NmStopCapture(this.capEngine, 1);
if (errno != 0)
{
Console.Write("Error Stopping Capture");
}
NetmonAPI.NmCloseHandle(this.capEngine);
this.capEngine = IntPtr.Zero;
NetmonAPI.NmCloseHandle(this.capFile);
this.capFile = IntPtr.Zero;
}
public void Dispose()
{
if (this.Disposed == false)
{
this.Disposed = true;
if (Disposing)
{
NetmonAPI.NmCloseHandle(this.captureEngineHandle);
NetmonAPI.NmCloseHandle(this.captureFileHandle);
}
// Free the unmanaged resource ...
this.captureEngineHandle = IntPtr.Zero;
this.captureFileHandle = IntPtr.Zero;
}
}
/// <summary>
/// http://blogs.technet.com/b/netmon/archive/2009/10/07/using-nmapi-to-access-tcp-payload.aspx
/// use property: property.tcppayloadlength, fields: tcp.srcport, tcp.dataoffset.dataoffset to calculate the payload length, and the offset in the raw frame.
/// use NmGetPartialRawFrame to get the payload.
/// </summary>
private void GetTcpPayLoad()
{
unsafe
{
uint ret;
byte tcpHeaderSize; //
uint tcpSrcOffset, tcpSrcSize; // offset: bits
var tcpPayloadLength = PropertyValueDict[NetmonPropertyName.TcpPayloadLength];
int payloadlen;
bool result = Int32.TryParse(tcpPayloadLength.ToString(), out payloadlen);
// Allocate a buffer for payload data. The maximum length=1460 bytes
IntPtr buff = Marshal.AllocHGlobal(1500);
if (payloadlen > 0)
{
// Get the Data Offset, used to determine the TCP header size
ret = NetmonAPI.NmGetFieldValueNumber8Bit(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpDataSet], out tcpHeaderSize);
//Get the Offset of TCP.SrcPort which is the first field in TCP.
ret = NetmonAPI.NmGetFieldOffsetAndSize(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpSrcPort], out tcpSrcOffset, out tcpSrcSize);
// Read in the partial frame. The Offset is in bits. TCPHeaderSize is off by a factor of 4.
uint retlen;
uint offset = (uint)(tcpSrcOffset / 8 + tcpHeaderSize * 4);
ret = NetmonAPI.NmGetPartialRawFrame(_FrameInfoUnit.RawFrame, offset, (uint)payloadlen, (byte *)buff, out retlen);
// cast the intptr to the byte.
byte[] _payload = new byte[payloadlen];
Marshal.Copy(buff, _payload, 0, payloadlen);
//var str = Encoding.Default.GetString(_payload);
frameUnit.fieldUnit.PayLoad = _payload;
/*
* if (protocolname == "TCP")
* {
* frameUnit.fieldUnit.tcpPayLoad = _payload;
* }
* else
* {
* frameUnit.fieldUnit.httpPayLoad = _payload;
* // Console.WriteLine("http payload:");
* //Console.WriteLine(str);
* }*/
}
Marshal.Release(buff);
}
}
/// <summary>
/// Start the NMCapture engine to collect traffic data
/// </summary>
/// <param name="adapterIndex">index of the target adapter.</param>
/// <returns></returns>
public bool StartCapture(List <uint> adapters, string captureFile)
{
uint errno;
// Create a caputre file for storing trace
errno = NetmonAPI.NmCreateCaptureFile(
captureFile,
CaptureFileSize,
NmCaptureFileFlag.WrapAround,
out this.captureFileHandle,
out this.captureFileSize);
if (errno != 0)
{
throw new Exception(FormatErrMsg("NmCreateCaptureFile() failed", errno));
}
return(StartCapture(adapters));
}
/// <summary>
/// Start the NMCapture engine to collect traffic data. The trace file handle must be provided.
/// </summary>
/// <param name="adapterIndex">index of the target adapter.</param>
/// <returns></returns>
public bool StartCapture(List <uint> adapters)
{
uint errno;
try
{
foreach (uint adapterIndex in adapters)
{
//Configure Adapter for capturing
errno = NetmonAPI.NmConfigAdapter(
this.captureEngineHandle,
adapterIndex,
CaptureCb,
this.captureFileHandle,
NmCaptureCallbackExitMode.DiscardRemainFrames);
if (errno != 0)
{
throw new Exception(FormatErrMsg("NmConfigAdapter() failed", errno));
}
errno = NetmonAPI.NmStartCapture(this.captureEngineHandle, adapterIndex, NmCaptureMode.LocalOnly);
if (errno != 0)
{
throw new Exception(FormatErrMsg("NmStartCapture() failed", errno));
}
}
return(true);
}
catch (Exception ex)
{
NetmonAPI.NmCloseHandle(this.captureEngineHandle);
NetmonAPI.NmCloseHandle(this.captureFileHandle);
this.captureEngineHandle = IntPtr.Zero;
this.captureFileHandle = IntPtr.Zero;
ErrorMsg += ex.ToString();
return(false);
}
}
/// <summary>
/// get all properties value by id
/// </summary>
private void GetPropertyValue()
{
foreach (KeyValuePair <string, uint> pair in _FrameInfoUnit.PropertyIdDict)
{
unsafe
{
uint ret1;
IntPtr buff = Marshal.AllocHGlobal(2000);
uint returnLen = 0;
NmPropertyValueType value;
string property = pair.Key;
uint id = pair.Value;
ret1 = NetmonAPI.NmGetPropertyById(_FrameInfoUnit.FrameParser, id, 2000, (byte *)buff, out returnLen, out value, 0, new CNmPropertyStorageKey[1]);
//Console.WriteLine(value);
if (value == NmPropertyValueType.PropertyValueSignedNumber)
{
PropertyValueDict.Add(property, Marshal.ReadInt64(buff));
}
if (value == NmPropertyValueType.PropertyValueString)
{
PropertyValueDict.Add(property, Marshal.PtrToStringAuto(buff));
}
if (value == NmPropertyValueType.PropertyValueUnsignedNumber)
{
PropertyValueDict.Add(property, Marshal.ReadInt64(buff));
}
if (value == NmPropertyValueType.PropertyValueByteBlob)//to do here
{
}
if (value == NmPropertyValueType.PropertyValueNone) // no such data in the frame
{
PropertyValueDict.Add(property, NoneTypeMatched);
}
Marshal.Release(buff);
}
}
}
private String GetIPAddr(uint fieldId)
{
IpAddress reAddr = new IpAddress()
{
ad1 = 0,
ad2 = 0,
ad3 = 0,
ad4 = 0
};
unsafe
{
IntPtr add = Marshal.AllocHGlobal(4);
uint relen;
uint ret1;
ret1 = NetmonAPI.NmGetFieldInBuffer(_FrameInfoUnit.ParsedFrame, fieldId, (uint)4, (byte *)add, out relen);
reAddr = (IpAddress)Marshal.PtrToStructure(add, typeof(IpAddress));
Marshal.Release(add);
}
return(IpAddrToString(reAddr));
}
private uint ConfigureCaptureEngine(ushort threadingModel)
{
uint errno;
NM_API_CONFIGURATION apiConfig = new NM_API_CONFIGURATION();
apiConfig.Size = (ushort)Marshal.SizeOf(apiConfig);
errno = NetmonAPI.NmGetApiConfiguration(ref apiConfig);
if (errno != 0)
{
throw new Exception(FormatErrMsg("Unable to retrieve configuration.", errno));
}
apiConfig.ThreadingMode = threadingModel; //threading model:
errno = NetmonAPI.NmApiInitialize(ref apiConfig);
if (errno != 0)
{
throw new Exception(FormatErrMsg("Unable to initialize configuration.", errno));
}
// Open a Capture Engine.
return(NetmonAPI.NmOpenCaptureEngine(out this.captureEngineHandle));
}
public byte[] GetFieldBuffer(string name)
{
if (this.Parser == null)
{
return(null);
}
if (!this.Parser.HasField(name))
{
return(null);
}
uint offset, bsize;
uint fieldId = this.Parser.Field(name);
if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
{
if (bsize > 0)
{
uint size = bsize / 8;
byte[] bytes = new byte[bsize / 8];
UInt32 uRet;
unsafe
{
fixed(byte *ptr = bytes)
{
if (0 == NetmonAPI.NmGetFieldInBuffer(ParsedFrame, fieldId, size, ptr, out uRet))
{
return(bytes);
}
}
}
}
}
return(null);
}
public IntPtr CreateFrameParser()
{
IntPtr FrameParser = IntPtr.Zero;
UInt32 ret = 0;
IntPtr pCallerContext = IntPtr.Zero;
IntPtr nplParser = IntPtr.Zero;
// Use NULL to load default NPL set.
ret = NetmonAPI.NmLoadNplParser(null, NmNplParserLoadingOption.NmAppendRegisteredNplSets, pParserCallback, pCallerContext, out nplParser);
if (ret != ERROR_SUCCESS)
{
Console.WriteLine("Failed to load NPL Parser");
return(FrameParser);
}
IntPtr frameParserConfig = IntPtr.Zero;
ret = NetmonAPI.NmCreateFrameParserConfiguration(nplParser, pParserCallback, pCallerContext, out frameParserConfig);
if (ret != ERROR_SUCCESS)
{
Console.WriteLine("Failed to load frame parser configuration.");
NetmonAPI.NmCloseHandle(nplParser);//release the handler
return(FrameParser);
}
else //now start to add filter
{
ret = NetmonAPI.NmConfigReassembly(frameParserConfig, NmReassemblyConfigOption.None, true);
if (ret != ERROR_SUCCESS)
{
Console.WriteLine("Failed to config reassembly.");
return(FrameParser);
}
String pfilterString = _filterString;
Console.WriteLine(pfilterString);
ret = NetmonAPI.NmAddFilter(frameParserConfig, pfilterString, out ulfilterId);
if (ret != ERROR_SUCCESS)
{
Console.WriteLine("error to create filter,info:" + ret.ToString());
NetmonAPI.NmCloseHandle(frameParserConfig);
NetmonAPI.NmCloseHandle(nplParser);
return(FrameParser);
}
//add the properties
foreach (String propertyString in _properties)
{
Console.WriteLine("add property:" + propertyString);
UInt32 ulpropertyId;
ret = NetmonAPI.NmAddProperty(frameParserConfig, propertyString, out ulpropertyId);
if (ret == ERROR_SUCCESS)
{
PropertyIdDict.Add(propertyString, ulpropertyId);
}
else
{
Console.WriteLine("error when add property:" + propertyString);
}
}
//add fields
foreach (String filedString in _fields)
{
Console.WriteLine("add field:" + filedString);
UInt32 ulfieldId;
ret = NetmonAPI.NmAddField(frameParserConfig, filedString, out ulfieldId);
if (ret == ERROR_SUCCESS)
{
FieldIdDict.Add(filedString, ulfieldId);
}
else
{
Console.WriteLine("error when add field:" + filedString);
}
}
ret = NetmonAPI.NmCreateFrameParser(frameParserConfig, out FrameParser, NmFrameParserOptimizeOption.ParserOptimizeNone);
if (ret != ERROR_SUCCESS)
{
Console.WriteLine("failed to create frame parser, info:" + ret.ToString());
return(FrameParser);
}
}
return(FrameParser);
}
private void Run()
{
IntPtr rawFrame;
UInt32 ret;
int count = 0;
if (ERROR_SUCCESS == NetmonAPI.NmOpenCaptureFile(_capfile, out rawFrame))
{
UInt32 frameCount = 0;
Filtering _nmfilter = new Filtering(_filterString, _Outproperties, _Outfields);
myFrameParser = _nmfilter.CreateFrameParser();
ret = NetmonAPI.NmGetFrameCount(rawFrame, out frameCount);//get the count of the frames
// Console.WriteLine("framecount:" + frameCount);
for (UInt32 framenumber = 0; framenumber < frameCount; framenumber++)//for each frame, apply the filter
{
// Console.WriteLine("framenumber:" + framenumber);
_currentframeNumber = (int)framenumber + 1;
IntPtr OneRawframe;
ret = NetmonAPI.NmGetFrame(rawFrame, framenumber, out OneRawframe); //
if (ret == ERROR_SUCCESS)
{
IntPtr parsedFrame, insFrame;
ret = NetmonAPI.NmParseFrame(myFrameParser, OneRawframe, framenumber, NmFrameParsingOption.None, out parsedFrame, out insFrame);
if (ret == ERROR_SUCCESS)
{
//Console.WriteLine("start to");
bool Passed = false;
ret = NetmonAPI.NmEvaluateFilter(parsedFrame, _nmfilter.ulfilterId, out Passed);
if (ret == ERROR_SUCCESS && Passed == true)
{
//construct
_getframeUnit.FieldIdDict = _nmfilter.FieldIdDict;
_getframeUnit.PropertyIdDict = _nmfilter.PropertyIdDict;
_getframeUnit.ParsedFrame = parsedFrame;
_getframeUnit.RawFrame = OneRawframe;
_getframeUnit.FrameParser = myFrameParser;
_getframeUnit.FrameNumber = _currentframeNumber;
_getframeUnit.Pids = _pids.ToList();
//Console.WriteLine(_currentframeNumber);
_getFrameValue = new GetFrameValue(_getframeUnit, _currentframeNumber);
if (_getFrameValue.frameUnit.propertyUnit.tcpPayloadLength > 0)
{
AllGetFrames.Add(_getFrameValue.frameUnit);
count++;
}
}
NetmonAPI.NmCloseHandle(parsedFrame);
NetmonAPI.NmCloseHandle(insFrame);
}
else
{
Console.WriteLine("error parsing frame:" + ret);
}
NetmonAPI.NmCloseHandle(OneRawframe);//release the cuurent parsed frame
}
else
{
Console.WriteLine("error when get frame:" + ret.ToString());
return;
}
}
}
else
{
Console.WriteLine("open capture file failed!");
}
NetmonAPI.NmCloseHandle(rawFrame);
//NetmonAPI.NmApiClose();
}
public static string GetFramePayload(IntPtr RawFrame, uint TCPSrcOffset, uint TCPHeaderSize, uint paylen)
{
#region comm
//string tempstring = string.Empty;
//uint errno = 0;
//byte[] result = null;
//NM_NPL_PROPERTY_INFO propinfo = new NM_NPL_PROPERTY_INFO();
//propinfo.Size = (ushort)System.Runtime.InteropServices.Marshal.SizeOf(propinfo);
//errno = NetmonAPI.NmGetPropertyInfo(mFrameParser, mTCPPayLoadLengthID, ref propinfo);
//if (errno != 0)
//{
// Console.WriteLine("Error NmGetPropertyInfo Frame # error : " + errno.ToString());
//}
//byte[] val = new byte[propinfo.ValueSize];
//uint retlen;
//NmPropertyValueType vtype;
//unsafe
//{
// fixed (byte* pstr = val)
// {
// errno = NetmonAPI.NmGetPropertyById(mFrameParser, mTCPPayLoadLengthID, propinfo.ValueSize, pstr, out retlen, out vtype, 0, null);
// }
//}
//if (errno != 0)
//{
// Console.WriteLine("Error NmGetPropertyById Frame" + errno.ToString());
//}
//uint paylen = (uint)val[0] + ((uint)val[1] << 8) + ((uint)val[2] << 16) + ((uint)val[3] << 24);
//// Get the Data Offset, used to determine the TCP header size
//byte TCPHeaderSize;
//errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, mTCPDataOffsetID, out TCPHeaderSize);
//if (errno != 0)
//{
// Console.WriteLine("Error NmGetFieldValueNumber8Bit Frame #error : " + errno.ToString());
//}
//// Get the Offset of TCP.SrcPort which is the first field in TCP.
//uint TCPSrcOffset;
//uint TCPSrcSize;
//errno = NetmonAPI.NmGetFieldOffsetAndSize(hParsedFrame, mTCPSrcPortID, out TCPSrcOffset, out TCPSrcSize);
//if (errno != 0)
//{
// Console.WriteLine("Error NmGetFieldValueNumber8Bit Frame # error : " + errno.ToString());
//}
#endregion
uint retlen;
uint errno = 0;
byte[] result = null;
string tempstring = string.Empty;
if (paylen > 0)
{
result = new byte[paylen];
unsafe
{
fixed(byte *pstr = result)
{
errno = NetmonAPI.NmGetPartialRawFrame(RawFrame, (uint)(TCPSrcOffset / 8 + TCPHeaderSize * 4), paylen, pstr, out retlen);
// errno = NetmonAPI.NmGetPartialRawFrame(RawFrame, (uint)(TCPSrcOffset / 8 ), paylen, pstr, out retlen);
}
}
if (errno != 0)
{
Console.WriteLine("Error NmGetFieldValueNumber8Bit Frame #error : " + errno.ToString());
result = null;
}
else
{
tempstring = Encoding.UTF8.GetString(result, 0, result.Length);
}
}
else
{
retlen = 0;
}
return(tempstring);
}
/// <summary>
/// Callback function for capture.
/// </summary>
/// <param name="hCapEngine"></param>
/// <param name="adapterIndex"></param>
/// <param name="callerContext"></param>
/// <param name="hRawFrame"></param>
private void CaptureCallBack(IntPtr hCapEngine, uint adapterIndex, IntPtr callerContext, IntPtr hRawFrame)
{
if (callerContext != IntPtr.Zero)
{
uint errno;
unsafe
{
uint frameLen = 0;
errno = NetmonAPI.NmGetRawFrameLength(hRawFrame, out frameLen);
if (errno != 0)
{
return;
}
byte[] frameBuf = new byte[CapturedFrameSize];
fixed(byte *pBuf = frameBuf)
{
if (frameLen >= CapturedFrameSize)
{
NM_TIME pTime = new NM_TIME();
//Get the TimeStamp of the frame for building the new shortened frame
errno = NetmonAPI.NmGetFrameTimeStampEx(hRawFrame, ref pTime);
if (errno != 0)
{
return;
}
uint captureSize = 0;
//use NmGetPartiaRawlFrame() to get the wanted length of the raw frame,
errno = NetmonAPI.NmGetPartialRawFrame(
hRawFrame,
0, //offset
CapturedFrameSize,
pBuf,
out captureSize
);
if (errno != 0)
{
return;
}
IntPtr hPartialRawFrame;
errno = NetmonAPI.NmBuildRawFrameFromBufferEx(
(IntPtr)pBuf,
CapturedFrameSize,
0, //media type, optional
ref pTime,
out hPartialRawFrame
);
if (errno != 0)
{
return;
}
NetmonAPI.NmAddFrame(callerContext, hPartialRawFrame);
}
else
{
NetmonAPI.NmAddFrame(callerContext, hRawFrame);
}
}
}
}
}
public static void Main(string[] args)
{
// Load API
try
{
initialized = Program.InitializeNMAPI();
}
catch (BadImageFormatException)
{
Console.WriteLine("There was an error loading the NMAPI.\n\nPlease ensure you have the correct version installed for your platform.");
}
catch (DllNotFoundException)
{
Console.WriteLine("There was an error loading the NMAPI DLL.\n\nPlease ensure you have Network Monitor 3.3 installed or try rebooting.");
}
CommandLineArguments commandReader = new CommandLineArguments();
if (commandReader.ParseCommandLineArguments(args))
{
if (commandReader.IsNoArguments)
{
Console.WriteLine(CommandLineArguments.GetUsage("ExpertExample"));
}
else if (commandReader.IsRequestingHelp)
{
Console.WriteLine(CommandLineArguments.GetUsage("ExpertExample"));
}
else if (initialized)
{
Console.WriteLine("Running Test Application with Arguments:");
Console.WriteLine("\tCapture File: " + commandReader.CaptureFileName);
Console.WriteLine("\tDisplay Filter: " + commandReader.DisplayFilter);
Console.WriteLine("\tConversation Filter: " + commandReader.ConversationFilter);
Console.WriteLine("\tSelected Frames: " + commandReader.SelectedFramesString);
Console.WriteLine();
bool loadedparserengine = false;
// Configure Parser Engine
uint errno;
IntPtr hNplParser = IntPtr.Zero;
IntPtr hFrameParserConfig = IntPtr.Zero;
uint conversationFilterId = 0;
uint displayFilterId = 0;
IntPtr hFrameParser = IntPtr.Zero;
// Only load the parsing engine if we have to
if (!string.IsNullOrEmpty(commandReader.ConversationFilter) || !string.IsNullOrEmpty(commandReader.DisplayFilter))
{
Console.WriteLine("Loading Parser Engine...");
// Passing in null for the path will use the default configuration as specified in the Netmon UI
errno = NetmonAPI.NmLoadNplParser(null, NmNplParserLoadingOption.NmAppendRegisteredNplSets, pErrorCallBack, IntPtr.Zero, out hNplParser);
if (errno == ERROR_SUCCESS)
{
// Configure Frame Parser
errno = NetmonAPI.NmCreateFrameParserConfiguration(hNplParser, pErrorCallBack, IntPtr.Zero, out hFrameParserConfig);
if (errno == ERROR_SUCCESS)
{
// Enable Conversations
errno = NetmonAPI.NmConfigConversation(hFrameParserConfig, NmConversationConfigOption.None, true);
if (errno == ERROR_SUCCESS)
{
// Add Filters
if (!string.IsNullOrEmpty(commandReader.ConversationFilter))
{
Console.WriteLine("Adding Conversation Filter...");
errno = NetmonAPI.NmAddFilter(hFrameParserConfig, commandReader.ConversationFilter, out conversationFilterId);
}
if (errno == ERROR_SUCCESS)
{
if (!string.IsNullOrEmpty(commandReader.DisplayFilter))
{
Console.WriteLine("Adding Display Filter...");
errno = NetmonAPI.NmAddFilter(hFrameParserConfig, commandReader.DisplayFilter, out displayFilterId);
}
if (errno == ERROR_SUCCESS)
{
errno = NetmonAPI.NmCreateFrameParser(hFrameParserConfig, out hFrameParser, NmFrameParserOptimizeOption.ParserOptimizeNone);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine("Parser Engine Loaded Successfully!");
Console.WriteLine();
loadedparserengine = true;
}
else
{
Console.WriteLine("Parser Creation Error Number = " + errno);
}
}
else
{
Console.WriteLine("Display Filter Creation Error Number = " + errno);
}
}
else
{
Console.WriteLine("Conversation Filter Creation Error Number = " + errno);
}
}
else
{
Console.WriteLine("Conversation Error Number = " + errno);
}
if (!loadedparserengine)
{
NetmonAPI.NmCloseHandle(hFrameParserConfig);
}
}
else
{
Console.WriteLine("Parser Configuration Error Number = " + errno);
}
if (!loadedparserengine)
{
NetmonAPI.NmCloseHandle(hNplParser);
}
}
else
{
Console.WriteLine("Error Loading NMAPI Parsing Engine Error Number = " + errno);
}
}
// Wait for confirmation
Console.WriteLine("Press any key to continue");
Console.ReadKey(true);
// Let's open the capture file
// Open Capture File
IntPtr captureFile = IntPtr.Zero;
errno = NetmonAPI.NmOpenCaptureFile(commandReader.CaptureFileName, out captureFile);
if (errno == ERROR_SUCCESS)
{
// Retrieve the number of frames in this capture file
uint frameCount;
errno = NetmonAPI.NmGetFrameCount(captureFile, out frameCount);
if (errno == ERROR_SUCCESS)
{
// Loop through capture file
for (uint ulFrameNumber = 0; ulFrameNumber < frameCount; ulFrameNumber++)
{
// Get the Raw Frame data
IntPtr hRawFrame = IntPtr.Zero;
errno = NetmonAPI.NmGetFrame(captureFile, ulFrameNumber, out hRawFrame);
if (errno != ERROR_SUCCESS)
{
Console.WriteLine("Error Retrieving Frame #" + (ulFrameNumber + 1) + " from file");
continue;
}
// Need to parse once to get similar results to the UI
if (loadedparserengine)
{
// Parse Frame
IntPtr phParsedFrame;
IntPtr phInsertedRawFrame;
errno = NetmonAPI.NmParseFrame(hFrameParser, hRawFrame, ulFrameNumber, NmFrameParsingOption.FieldDisplayStringRequired | NmFrameParsingOption.FieldFullNameRequired | NmFrameParsingOption.DataTypeNameRequired, out phParsedFrame, out phInsertedRawFrame);
if (errno == ERROR_SUCCESS)
{
// Check against Filters
if (!string.IsNullOrEmpty(commandReader.ConversationFilter))
{
bool passed;
errno = NetmonAPI.NmEvaluateFilter(phParsedFrame, conversationFilterId, out passed);
if (errno == ERROR_SUCCESS)
{
if (passed)
{
if (!string.IsNullOrEmpty(commandReader.DisplayFilter))
{
bool passed2;
errno = NetmonAPI.NmEvaluateFilter(phParsedFrame, displayFilterId, out passed2);
if (errno == ERROR_SUCCESS)
{
if (passed2)
{
PrintParsedFrameInformation(phParsedFrame, ulFrameNumber, commandReader);
}
}
}
else
{
PrintParsedFrameInformation(phParsedFrame, ulFrameNumber, commandReader);
}
}
}
}
else if (!string.IsNullOrEmpty(commandReader.DisplayFilter))
{
bool passed;
errno = NetmonAPI.NmEvaluateFilter(phParsedFrame, displayFilterId, out passed);
if (errno == ERROR_SUCCESS)
{
if (passed)
{
PrintParsedFrameInformation(phParsedFrame, ulFrameNumber, commandReader);
}
}
}
else
{
PrintParsedFrameInformation(phParsedFrame, ulFrameNumber, commandReader);
}
NetmonAPI.NmCloseHandle(phInsertedRawFrame);
NetmonAPI.NmCloseHandle(phParsedFrame);
}
else
{
Console.WriteLine("Error Parsing Frame #" + (ulFrameNumber + 1) + " from file");
}
}
else
{
// Just print what I just deleted...
uint pulLength;
errno = NetmonAPI.NmGetRawFrameLength(hRawFrame, out pulLength);
if (errno == ERROR_SUCCESS)
{
if (commandReader.IsSelected(ulFrameNumber))
{
Console.WriteLine("Frame #" + (ulFrameNumber + 1) + " (Selected) Frame Length(bytes): " + pulLength);
}
else
{
Console.WriteLine("Frame #" + (ulFrameNumber + 1) + " Frame Length(bytes): " + pulLength);
}
}
else
{
Console.WriteLine("Error Getting Frame Length for Frame #" + (ulFrameNumber + 1));
}
}
NetmonAPI.NmCloseHandle(hRawFrame);
}
}
else
{
Console.WriteLine("Error Retrieving Capture File Length");
}
// Close Capture File to Cleanup
NetmonAPI.NmCloseHandle(captureFile);
}
else
{
Console.WriteLine("Could not open capture file: " + commandReader.CaptureFileName);
Console.WriteLine(CommandLineArguments.GetUsage("ExpertExample"));
}
if (loadedparserengine)
{
NetmonAPI.NmCloseHandle(hFrameParser);
NetmonAPI.NmCloseHandle(hFrameParserConfig);
NetmonAPI.NmCloseHandle(hNplParser);
}
}
}
else
{
Console.WriteLine(commandReader.LastErrorMessage);
Console.WriteLine(CommandLineArguments.GetUsage("ExpertExample"));
}
// Pause so we can see the results when launched from Network Monitor
Console.WriteLine();
Console.WriteLine("Press any key to continue");
Console.ReadKey();
if (initialized)
{
CloseNMAPI();
}
}
/// <summary>
/// Prints out a field's value if the display string couldn't be found.
/// </summary>
/// <param name="hParsedFrame">Parsed Frame</param>
/// <param name="fieldId">Field Number to Display</param>
private static void PrintParsedFrameFieldValue(IntPtr hParsedFrame, uint fieldId)
{
NmParsedFieldInfo parsedField = new NmParsedFieldInfo();
parsedField.Size = (ushort)System.Runtime.InteropServices.Marshal.SizeOf(parsedField);
uint errno = NetmonAPI.NmGetParsedFieldInfo(hParsedFrame, fieldId, parsedField.Size, ref parsedField);
if (errno == ERROR_SUCCESS)
{
if (parsedField.NplDataTypeNameLength != 0)
{
char[] name = new char[BUFFER_SIZE];
unsafe
{
fixed(char *pstr = name)
{
errno = NetmonAPI.NmGetFieldName(hParsedFrame, fieldId, NmParsedFieldNames.DataTypeName, BUFFER_SIZE, pstr);
}
}
Console.Write("(" + new string(name).Replace("\0", string.Empty) + ") ");
}
if (parsedField.FieldBitLength > 0)
{
byte number8Bit = 0;
ushort number16Bit = 0;
uint number32Bit = 0;
ulong number64Bit = 0;
ulong rl = parsedField.ValueBufferLength;
switch (parsedField.ValueType)
{
case FieldType.VT_UI1:
errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(number8Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_I1:
errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine((sbyte)number8Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_UI2:
errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(number16Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_I2:
errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine((short)number16Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_UI4:
errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(number32Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_I4:
errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine((int)number32Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_UI8:
errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(number64Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_I8:
errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
if (errno == ERROR_SUCCESS)
{
Console.WriteLine((long)number64Bit);
}
else
{
Console.WriteLine("Error " + errno);
}
break;
case FieldType.VT_ARRAY | FieldType.VT_UI1:
byte[] byteArray = new byte[BUFFER_SIZE];
unsafe
{
fixed(byte *barr = byteArray)
{
errno = NetmonAPI.NmGetFieldValueByteArray(hParsedFrame, fieldId, BUFFER_SIZE, barr, out number32Bit);
}
}
if (errno == ERROR_SUCCESS)
{
for (uint i = 0; i < number32Bit; i++)
{
Console.Write(byteArray[i].ToString("X2") + " ");
}
if ((parsedField.FieldBitLength >> 3) > number32Bit)
{
Console.Write(" ... " + ((parsedField.FieldBitLength >> 3) - number32Bit) + " more bytes not displayed");
}
Console.WriteLine();
}
else if (errno == ERROR_RESOURCE_NOT_AVAILABLE)
{
Console.WriteLine("The field is a container");
}
break;
case FieldType.VT_LPWSTR:
char[] name = new char[BUFFER_SIZE];
unsafe
{
fixed(char *pstr = name)
{
errno = NetmonAPI.NmGetFieldValueString(hParsedFrame, fieldId, BUFFER_SIZE, pstr);
}
}
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(new string(name).Replace("\0", string.Empty));
}
else
{
Console.WriteLine("String is too long to display");
}
break;
case FieldType.VT_LPSTR:
Console.WriteLine("Should not occur");
break;
case FieldType.VT_EMPTY:
Console.WriteLine("Struct or Array types expect description");
break;
default:
Console.WriteLine("Unknown Type " + parsedField.ValueType);
break;
}
}
else
{
Console.WriteLine("Empty");
}
}
else
{
Console.WriteLine("Could Not Retrieve Parsed Field Info " + errno);
}
}
/// <summary>
/// Used to ask and then print out extended information about a specific frame
/// </summary>
/// <param name="hParsedFrame">Parsed Frame</param>
/// <param name="frameNumber">Frame Number to Display</param>
/// <param name="command">Command Line Parameters</param>
private static void PrintParsedFrameInformation(IntPtr hParsedFrame, uint frameNumber, CommandLineArguments command)
{
uint errno;
uint ulFieldCount;
string ds = "Frame #" + (frameNumber + 1);
// Is Selected
if (command.IsSelected(frameNumber))
{
ds += " (Selected)";
}
// Get Frame Timestamp
ulong timestamp;
errno = NetmonAPI.NmGetFrameTimeStamp(hParsedFrame, out timestamp);
if (errno == ERROR_SUCCESS)
{
ds += " " + DateTime.FromFileTimeUtc((long)timestamp).ToString();
}
else
{
ds += " Timestamp Couldn't be Retrieved.";
}
Console.WriteLine(ds);
Console.Write("Print Frame Info? (y/n) ");
char key = Console.ReadKey().KeyChar;
Console.WriteLine();
if (key == 'y' || key == 'Y')
{
errno = NetmonAPI.NmGetFieldCount(hParsedFrame, out ulFieldCount);
for (uint fid = 0; fid < ulFieldCount; fid++)
{
// Get Field Name
char[] name = new char[BUFFER_SIZE * 2];
unsafe
{
fixed(char *pstr = name)
{
errno = NetmonAPI.NmGetFieldName(hParsedFrame, fid, NmParsedFieldNames.NamePath, BUFFER_SIZE * 2, pstr);
}
}
if (errno == ERROR_SUCCESS)
{
Console.Write(new string(name).Replace("\0", string.Empty) + ": ");
}
else
{
Console.WriteLine("Error Retrieving Field, NmGetFieldName Returned: " + errno);
continue;
}
// Get Field Value as displayed in Netmon UI
name = new char[BUFFER_SIZE];
unsafe
{
fixed(char *pstr = name)
{
errno = NetmonAPI.NmGetFieldName(hParsedFrame, fid, NmParsedFieldNames.FieldDisplayString, BUFFER_SIZE, pstr);
}
}
if (errno == ERROR_SUCCESS)
{
Console.WriteLine(new string(name).Replace("\0", string.Empty));
}
else if (errno == ERROR_NOT_FOUND)
{
Program.PrintParsedFrameFieldValue(hParsedFrame, fid);
}
else
{
Console.WriteLine("Error Retrieving Value, NmGetFieldName Returned: " + errno);
continue;
}
}
Console.WriteLine();
}
}
public void Test()
{
bool isElevated;
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
isElevated = principal.IsInRole(WindowsBuiltInRole.Administrator);
Console.WriteLine($"Elevated permissions: {isElevated}");
capHandler = new CaptureCallbackDelegate(CapHandlerCallback);
uint ret;
IntPtr myCapEng;
ret = NetmonAPI.NmOpenCaptureEngine(out myCapEng);
if (ret != 0)
{
Console.WriteLine("Error {0}\n", ret);
}
else
{
uint AdptCount;
ret = NetmonAPI.NmGetAdapterCount(myCapEng, out AdptCount);
if (ret != 0)
{
NetmonAPI.NmCloseHandle(myCapEng);
Console.WriteLine("Error {0}\n", ret);
}
else
{
// Creates a capture file which will store the last 10MB of traffic captured
ret = NetmonAPI.NmCreateCaptureFile(this.filename, 10000000, NmCaptureFileFlag.WrapAround, out this.capFile, out this.size);
if (ret != 0)
{
Console.Write("Error Creating File");
}
Console.WriteLine($"Adapters avalable: {AdptCount}");
for (uint i = 0; i < AdptCount; i++)
{
ret = NetmonAPI.NmConfigAdapter(myCapEng, i, capHandler, IntPtr.Zero, NmCaptureCallbackExitMode.ReturnRemainFrames);
if (ret != 0)
{
Console.WriteLine("Could not config {0}, error {1}", i, ret);
}
else
{
Console.WriteLine("Configured Adpt {0}", i);
}
ret = NetmonAPI.NmStartCapture(myCapEng, i, NmCaptureMode.Promiscuous);
if (ret != 0)
{
Console.WriteLine("Could not Start Capture on {0}, error {1}", i, ret);
}
else
{
Console.WriteLine("Started Adpt {0}", i);
}
}
System.Threading.Thread.Sleep(5000);
for (uint i = 0; i < AdptCount; i++)
{
ret = NetmonAPI.NmConfigAdapter(myCapEng, i, capHandler, IntPtr.Zero, NmCaptureCallbackExitMode.ReturnRemainFrames);
if (ret != 0)
{
Console.WriteLine("Could not config {0}, error {1}", i, ret);
}
else
{
Console.WriteLine("Configured Adpt {0}", i);
}
Console.WriteLine("Starting Adpt {0} again", i);
ret = NetmonAPI.NmStartCapture(myCapEng, i, NmCaptureMode.Promiscuous);
if (ret != 0)
{
Console.WriteLine("Could not Start Capture again on {0}, error {1}", i, ret);
}
else
{
Console.WriteLine("Started Adpt {0} again", i);
}
}
for (uint i = 0; i < AdptCount; i++)
{
ret = NetmonAPI.NmStopCapture(myCapEng, i);
if (ret != 0)
{
Console.WriteLine("Could not Stop Capture on {0}, error {1}", i, ret);
}
else
{
Console.WriteLine("Stopped Adpt {0}", i);
}
}
}
NetmonAPI.NmCloseHandle(myCapEng);
}
}
public NetmonCaptureFile(string file)
{
NetmonAPI.NmOpenCaptureFile(file, out _fileHandle);
NetmonAPI.NmGetFrameCount(this.Handle, out frameCount);
}
static void Main(string[] args)
{
// / / Initialize NetworkMonitor API
NM_API_CONFIGURATION apiConfig = new NM_API_CONFIGURATION();
apiConfig.Size = (ushort)(System.Runtime.InteropServices.Marshal.SizeOf(apiConfig));
NetmonAPI.NmGetApiConfiguration(ref apiConfig);
apiConfig.ThreadingMode = 0;
NetmonAPI.NmApiInitialize(ref apiConfig);
IntPtr nplPointer = IntPtr.Zero;
NetmonAPI.NmLoadNplParser(null, NmNplParserLoadingOption.NmAppendRegisteredNplSets, pErrorCallBack, IntPtr.Zero, out nplPointer);
// / / Initialize Frame parser
IntPtr parserConfigPointer;
NetmonAPI.NmCreateFrameParserConfiguration(nplPointer, pErrorCallBack, IntPtr.Zero, out parserConfigPointer);
NetmonAPI.NmConfigConversation(parserConfigPointer, NmConversationConfigOption.None, true);
IntPtr ParserPointer;
NetmonAPI.NmCreateFrameParser(parserConfigPointer, out ParserPointer, NmFrameParserOptimizeOption.ParserOptimizeNone);
// / / Parse capture file
IntPtr captureFileHandle;
NetmonAPI.NmOpenCaptureFile("auto.cap", out captureFileHandle);
uint rawFrameCount;
NetmonAPI.NmGetFrameCount(captureFileHandle, out rawFrameCount);
uint frameNumber = 0;
IntPtr rawFrame;
NetmonAPI.NmGetFrame(captureFileHandle, frameNumber, out rawFrame);
IntPtr parsedFrame;
IntPtr insRawFrame;
NetmonAPI.NmParseFrame(ParserPointer, rawFrame, frameNumber, NmFrameParsingOption.FieldDisplayStringRequired | NmFrameParsingOption.FieldFullNameRequired | NmFrameParsingOption.DataTypeNameRequired, out parsedFrame, out insRawFrame);
uint fieldCount;
NetmonAPI.NmGetFieldCount(parsedFrame, out fieldCount);
uint BUFFER_SIZE = 1024;
char[] name = new char[BUFFER_SIZE * 2];
unsafe
{
fixed(char *pstr = name)
{
NetmonAPI.NmGetFieldName(parsedFrame, 0, NmParsedFieldNames.NamePath, BUFFER_SIZE * 2, pstr);
}
}
String fieldName = new String(name).Replace("\0", String.Empty);
NetmonAPI.NmCloseHandle(captureFileHandle);
}
private NetmonNplParser()
{
_ret = NetmonAPI.NmLoadNplParser(null, NmNplParserLoadingOption.NmAppendRegisteredNplSets, pErrorCallBack, IntPtr.Zero,
out _handle);
}
