/// <summary>
/// Parse bytes into a packet
/// </summary>
/// <param name="LinkLayer">
/// A <see cref="LinkLayers"/>
/// </param>
/// <param name="PacketData">
/// A <see cref="System.Byte"/>
/// </param>
/// <returns>
/// A <see cref="Packet"/>
/// </returns>
public static Packet ParsePacket(LinkLayers LinkLayer, byte[] PacketData)
{
Packet p;
var bas = new ByteArraySegment(PacketData);
log.DebugFormat("LinkLayer {0}", LinkLayer);
switch (LinkLayer)
{
case LinkLayers.Ethernet:
p = new EthernetPacket(bas);
break;
case LinkLayers.LinuxSLL:
p = new LinuxSLLPacket(bas);
break;
case LinkLayers.Ppp:
p = new PPPPacket(bas);
break;
case LinkLayers.Ieee80211:
p = new Ieee80211MacFrame(bas);
break;
case LinkLayers.Ieee80211_Radio:
p = new Ieee80211RadioPacket(bas);
break;
default:
throw new System.NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented");
}
return(p);
}
public void IPv6PacketTestParsing(String pcapPath, LinkLayers linkLayer)
{
var dev = new CaptureFileReaderDevice(pcapPath);
PcapPacket p;
using (FileStream fsin = File.Open(pcapPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
PcapStream ps = new PcapStream();
ps.Initialize(fsin);
p = ps.GetPacket();
Int32 packetIndex = 0;
while (p != null)
{
switch (packetIndex)
{
case 0:
VerifyPacket0(p.Packet, linkLayer);
break;
default:
Assert.Fail("didn't expect to get to packetIndex " + packetIndex);
break;
}
packetIndex++;
p = ps.GetPacket();
}
}
}
public static BpfProgram Create(LinkLayers linktype, string filter, int optimize = 1, uint netmask = 0)
{
using (var handle = LibPcapSafeNativeMethods.pcap_open_dead((int)linktype, Pcap.MAX_PACKET_SIZE))
{
return(Create(handle, filter, optimize, netmask));
}
}
// icmpv6
public void VerifyPacket0(Packet p, RawCapture rawCapture, LinkLayers linkLayer)
{
Assert.IsNotNull(p);
Console.WriteLine(p.ToString());
Assert.AreEqual(linkLayer, rawCapture.LinkLayerType);
if (linkLayer == LinkLayers.Ethernet)
{
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHwAddress);
Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHwAddress);
}
var ip = (IpPacket)p.Extract(typeof(IpPacket));
Console.WriteLine("ip {0}", ip.ToString());
Assert.AreEqual(System.Net.IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("ff02::2"), ip.DestinationAddress);
Assert.AreEqual(IpVersion.IPv6, ip.Version);
Assert.AreEqual(IPProtocolType.ICMPV6, ip.Protocol);
Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch");
Assert.AreEqual(255, ip.HopLimit);
Assert.AreEqual(255, ip.TimeToLive);
Assert.AreEqual(0x3a, (byte)ip.NextHeader);
Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented.");
Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds);
Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds);
}
public AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken)
{
var lastResult = AResult.Continue();
foreach (var analyzer in _analyzers)
{
lastResult = analyzer.Handle(linkLayers, packet, context, cancellationToken);
if (!lastResult.IsContinue)
{
return(AResult.Stop());
}
if (lastResult.IsNewContext)
{
context = lastResult.Context;
}
}
// This way we don't leak third party assembly's
// context to outer world.
// But third party assembly can still capture
// outer world's context.
// So, is this worth it?
return(lastResult.IsContinue ?
AResult.Continue() : AResult.Stop());
}
public void IPv6PacketTestParsing(string pcapPath, LinkLayers linkLayers)
{
var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + pcapPath);
dev.Open();
RawCapture rawCapture;
var packetIndex = 0;
while ((rawCapture = dev.GetNextPacket()) != null)
{
var p = Packet.ParsePacket(rawCapture.GetLinkLayers(), rawCapture.Data);
Console.WriteLine("got packet");
switch (packetIndex)
{
case 0:
{
VerifyPacket0(p, rawCapture, linkLayers);
break;
}
default:
{
Assert.Fail("didn't expect to get to packetIndex " + packetIndex);
break;
}
}
packetIndex++;
}
dev.Close();
}
public void VerifyPacket1(Packet p, RawCapture rawCapture, LinkLayers linkLayers)
{
Assert.IsNotNull(p);
Console.WriteLine(p.ToString());
Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers());
if (linkLayers == LinkLayers.Ethernet)
{
var e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("F894C22EFAD1"), e.SourceHardwareAddress);
Assert.AreEqual(PhysicalAddress.Parse("333300000016"), e.DestinationHardwareAddress);
}
var ip = p.Extract <IPv6Packet>();
Console.WriteLine("ip {0}", ip);
Assert.AreEqual(IPAddress.Parse("fe80::d802:3589:15cf:3128"), ip.SourceAddress);
Assert.AreEqual(IPAddress.Parse("ff02::16"), ip.DestinationAddress);
Assert.AreEqual(IPVersion.IPv6, ip.Version);
Assert.AreEqual(ProtocolType.IcmpV6, ip.Protocol);
Assert.AreEqual(28, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch");
Assert.AreEqual(1, ip.HopLimit);
Assert.AreEqual(1, ip.TimeToLive);
Assert.AreEqual(0x3a, (byte)ip.Protocol);
Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented.");
Assert.AreEqual(1543415539, rawCapture.Timeval.Seconds);
Assert.AreEqual(841441.000, rawCapture.Timeval.MicroSeconds);
Assert.AreEqual(1, ip.ExtensionHeaders.Count);
Assert.AreEqual(6, ip.ExtensionHeaders[0].Payload.Length);
}
// icmpv6
public void VerifyPacket0(Packet p, RawCapture rawCapture, LinkLayers linkLayers)
{
Assert.IsNotNull(p);
Console.WriteLine(p.ToString());
Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers());
if (linkLayers == LinkLayers.Ethernet)
{
var e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHardwareAddress);
Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHardwareAddress);
}
var ip = p.Extract <IPPacket>();
Console.WriteLine("ip {0}", ip);
Assert.AreEqual(IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress);
Assert.AreEqual(IPAddress.Parse("ff02::2"), ip.DestinationAddress);
Assert.AreEqual(IPVersion.IPv6, ip.Version);
Assert.AreEqual(ProtocolType.IcmpV6, ip.Protocol);
Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch");
Assert.AreEqual(255, ip.HopLimit);
Assert.AreEqual(255, ip.TimeToLive);
Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented.");
Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds);
Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds);
}
public void IcmpV4Parsing(string pcapPath, LinkLayers linkLayers)
{
var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + pcapPath);
dev.Open();
var rawCapture = dev.GetNextPacket();
dev.Close();
// Parse an icmp request
var p = Packet.ParsePacket(rawCapture.GetLinkLayers(), rawCapture.Data);
Assert.IsNotNull(p);
Assert.AreEqual(linkLayers, rawCapture.GetLinkLayers());
var icmp = p.Extract <IcmpV4Packet>();
Console.WriteLine(icmp.GetType());
Assert.AreEqual(IcmpV4TypeCode.EchoRequest, icmp.TypeCode);
Assert.AreEqual(0xe05b, icmp.Checksum);
Assert.AreEqual(0x0200, icmp.Id);
Assert.AreEqual(0x6b00, icmp.Sequence);
// check that the message matches
const string expectedString = "abcdefghijklmnopqrstuvwabcdefghi";
var expectedData = System.Text.Encoding.ASCII.GetBytes(expectedString);
Assert.AreEqual(expectedData, icmp.Data);
}
private void MarshalRawPacket(IntPtr /* pcap_pkthdr* */ header, IntPtr data)
{
//RawCapture p;
// marshal the header
PcapHeader pcapHeader = PcapHeader.FromPointer(header);
var PacketData = new byte[pcapHeader.CaptureLength];
Marshal.Copy(data, PacketData, 0, (int)pcapHeader.CaptureLength);
LinkLayers linkType = (LinkLayers)pcap_datalink(PcapHandle);
//we're only interested in the WiFi Traffic
if (linkType == LinkLayers.Ieee80211 && PacketData.Length > 2)
{
ushort FrameFieldValue = (ushort)(PacketData[0] << 8 | PacketData[1]);
FrameControlField field = new FrameControlField(FrameFieldValue);
switch (field.SubType)
{
case FrameSubTypes.ManagementBeacon:
{
break;
}
}
}
//p = new RawCapture(LinkType, new PosixTimeval(pcapHeader.Seconds, pcapHeader.MicroSeconds), pkt_data);
}
public void IPv6PacketTestParsing(String pcapPath, LinkLayers linkLayer)
{
var dev = new CaptureFileReaderDevice(pcapPath);
dev.Open();
RawCapture rawCapture;
Int32 packetIndex = 0;
while ((rawCapture = dev.GetNextPacket()) != null)
{
var p = Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data);
Console.WriteLine("got packet");
switch (packetIndex)
{
case 0:
this.VerifyPacket0(p, rawCapture, linkLayer);
break;
default:
Assert.Fail("didn't expect to get to packetIndex " + packetIndex);
break;
}
packetIndex++;
}
dev.Close();
}
public void ICMPv4Parsing(String pcapPath, LinkLayers linkLayer)
{
Packet p;
using (FileStream fsin = File.Open(pcapPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
PcapStream ps = new PcapStream();
ps.Initialize(fsin);
p = ps.GetPacket().Packet;
}
Assert.IsNotNull(p);
var icmp = (ICMPv4Packet)p.Extract(typeof(ICMPv4Packet));
Console.WriteLine(icmp.GetType());
Assert.AreEqual(ICMPv4TypeCodes.EchoRequest, icmp.TypeCode);
Assert.AreEqual(0xe05b, icmp.Checksum);
Assert.AreEqual(0x0200, icmp.ID);
Assert.AreEqual(0x6b00, icmp.Sequence);
// check that the message matches
String expectedString = "abcdefghijklmnopqrstuvwabcdefghi";
Byte[] expectedData = System.Text.ASCIIEncoding.ASCII.GetBytes(expectedString);
Assert.AreEqual(expectedData, icmp.Data);
}
/// <summary>Parse bytes into a packet</summary>
/// <param name="LinkLayer">
/// A <see cref="T:PacketDotNet.LinkLayers" /></param>
/// <param name="PacketData">
/// A <see cref="T:System.Byte" /></param>
/// <returns>
/// A <see cref="T:PacketDotNet.Packet" /></returns>
public static Packet ParsePacket(LinkLayers LinkLayer, byte[] PacketData)
{
ByteArraySegment bas = new ByteArraySegment(PacketData);
switch (LinkLayer)
{
case LinkLayers.Ethernet:
return((Packet) new EthernetPacket(bas));
case LinkLayers.Ppp:
return((Packet) new PPPPacket(bas));
case LinkLayers.Ieee80211:
return((Packet)MacFrame.ParsePacket(bas));
case LinkLayers.LinuxSLL:
return((Packet) new LinuxSLLPacket(bas));
case LinkLayers.Ieee80211_Radio:
return((Packet) new RadioPacket(bas));
case LinkLayers.PerPacketInformation:
return((Packet) new PpiPacket(bas));
default:
throw new NotImplementedException("LinkLayer of " + (object)LinkLayer + " is not implemented");
}
}
public void ICMPv4Parsing(String pcapPath, LinkLayers linkLayer)
{
var dev = new CaptureFileReaderDevice(pcapPath);
dev.Open();
var rawCapture = dev.GetNextPacket();
dev.Close();
// Parse an icmp request
Packet p = Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data);
Assert.IsNotNull(p);
Assert.AreEqual(linkLayer, rawCapture.LinkLayerType);
var icmp = (ICMPv4Packet)p.Extract(typeof(ICMPv4Packet));
Console.WriteLine(icmp.GetType());
Assert.AreEqual(ICMPv4TypeCodes.EchoRequest, icmp.TypeCode);
Assert.AreEqual(0xe05b, icmp.Checksum);
Assert.AreEqual(0x0200, icmp.ID);
Assert.AreEqual(0x6b00, icmp.Sequence);
// check that the message matches
String expectedString = "abcdefghijklmnopqrstuvwabcdefghi";
Byte[] expectedData = System.Text.ASCIIEncoding.ASCII.GetBytes(expectedString);
Assert.AreEqual(expectedData, icmp.Data);
}
public void GreIPv4Parsing()
{
var dev = new CaptureFileReaderDevice(NUnitSetupClass.CaptureDirectory + "gre_all_options.pcap");
dev.Open();
var rawCapture = dev.GetNextPacket();
dev.Close();
LinkLayers linkLayers = rawCapture.GetLinkLayers();
if (linkLayers == LinkLayers.Ethernet)
{
Console.WriteLine("Linklayer is ethernet");
// Linklayer
Packet p = Packet.ParsePacket(linkLayers, rawCapture.Data);
Assert.IsNotNull(p);
// Ethernet
EthernetPacket eth = p.Extract <EthernetPacket>();
Assert.IsNotNull(eth);
if (eth.Type == EthernetType.IPv4)
{
Console.WriteLine("IPv4 inside ethernet");
// IPv4
IPv4Packet ipv4 = eth.Extract <IPv4Packet>();
Assert.IsNotNull(ipv4);
if (ipv4.Protocol == ProtocolType.Gre)
{
Console.WriteLine("GRE inside IPv4");
// Gre
GrePacket grep = ipv4.Extract <GrePacket>();
Assert.IsNotNull(grep);
// String output
Console.WriteLine(grep.ToString());
// Get header
if (grep.HasCheckSum)
{
Console.WriteLine("GRE has checksum flag");
}
if (grep.HasKey)
{
Console.WriteLine("GRE has key flag");
}
if (grep.HasReserved)
{
Console.WriteLine("GRE has reserved flag");
}
if (grep.HasSequence)
{
Console.WriteLine("GRE has sequence flag");
}
Assert.AreEqual(grep.Protocol, EthernetType.IPv4);
}
}
}
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="LinkLayerType">
/// A <see cref="LinkLayers"/>
/// </param>
/// <param name="Timeval">
/// A <see cref="PosixTimeval"/>
/// </param>
/// <param name="Data">
/// A <see cref="System.Byte"/>
/// </param>
public RawCapture(LinkLayers LinkLayerType,
PosixTimeval Timeval,
byte[] Data)
{
this.LinkLayerType = LinkLayerType;
this.Timeval = Timeval;
this.Data = Data;
}
public RawPacket(LinkLayers LinkLayerType,
Timeval Timeval,
byte[] Data)
{
this.LinkLayerType = LinkLayerType;
this.Timeval = Timeval;
this.Data = Data;
}
public RawPacket(LinkLayers LinkLayerType,
Timeval Timeval,
byte[] Data)
{
this.LinkLayerType = LinkLayerType;
this.Timeval = Timeval;
this.Data = Data;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="LinkLayerType">
/// A <see cref="LinkLayers"/>
/// </param>
/// <param name="Timeval">
/// A <see cref="PosixTimeval"/>
/// </param>
/// <param name="Data">
/// A <see cref="byte"/>
/// </param>
public RawCapture(LinkLayers LinkLayerType,
PosixTimeval Timeval,
byte[] Data)
{
this.LinkLayerType = LinkLayerType;
this.Timeval = Timeval;
this.Data = Data;
}
public static PcapPacket GetPacket(BinaryReader readBuffer, LinkLayers LinkLayer)
{
PcapPacket value = new PcapPacket();
byte[] headerbuffer;
byte[] payloadbuffer;
long time;
headerbuffer = new byte[PACKET_HEADER_LENGTH];
if (readBuffer.Read(headerbuffer, 0, PACKET_HEADER_LENGTH) == 0)
{
return(null);
}
uint timeValSecs = BitConverter.ToUInt32(headerbuffer, 0);
uint timeValUsecs = BitConverter.ToUInt32(headerbuffer, 4);
// number of octets stored in packet saved in file
int inclLen = (int)BitConverter.ToUInt32(headerbuffer, 8);
// actual length of packet
uint origLen = BitConverter.ToUInt32(headerbuffer, 12);
time = (long)(timeValSecs * TimeSpan.TicksPerSecond + timeValUsecs * TimeSpan.TicksPerMillisecond * 1.0e-3);
payloadbuffer = new byte[inclLen];
int requestLength = inclLen;
int totalReceived = 0;
int retryCount = 0;
while (requestLength > 0)
{
int resultLength = readBuffer.Read(payloadbuffer, totalReceived, requestLength);
if (requestLength != resultLength)
{
//if it the result is length 0 and we are expecting more try a couple more times
if (resultLength == 0)
{
if (retryCount > 2)
{
return(null);
}
retryCount++;
}
}
requestLength -= resultLength;
totalReceived += resultLength;
}
try
{
value.Packet = PacketDotNet.Packet.ParsePacket(LinkLayer, payloadbuffer);
}
catch (System.ArgumentException ex)
{
throw new Exception("Error parsing packet at " + time, ex);
}
return(value);
}
public static void Open(this CaptureFileWriterDevice device, LinkLayers linkLayerType = LinkLayers.Ethernet)
{
var configuration = new DeviceConfiguration()
{
LinkLayerType = linkLayerType,
};
device.Open(configuration);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="LinkLayerType">
/// A <see cref="LinkLayers"/>
/// </param>
/// <param name="Timeval">
/// A <see cref="PosixTimeval"/>
/// </param>
/// <param name="Data">
/// A <see cref="byte"/>
/// </param>
public RawCapture(LinkLayers LinkLayerType,
PosixTimeval Timeval,
byte[] Data,
int?packetLength = null)
{
this.LinkLayerType = LinkLayerType;
this.Timeval = Timeval;
this.Data = Data;
this.PacketLength = packetLength ?? Data?.Length ?? 0;
}
public PcapHeader(BinaryReader readBuffer)
{
byte[] Buffer = new byte[20];
readBuffer.Read(Buffer, 0, 20);
MajorVersion = BitConverter.ToUInt16(Buffer, 0);
MinorVersion = BitConverter.ToUInt16(Buffer, 2);
ThisZone = BitConverter.ToUInt32(Buffer, 4);
SigFigs = BitConverter.ToUInt32(Buffer, 8);
SnapLen = BitConverter.ToUInt32(Buffer, 12);
LinkType = (LinkLayers)BitConverter.ToUInt32(Buffer, 16);
}
public virtual AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken)
{
while (packet != null)
{
if (packet is T target)
{
return(Handle(linkLayers, target, context, cancellationToken));
}
packet = packet.PayloadPacket;
}
return(AResult.Continue());
}
public static Packet ParsePacket(LinkLayers LinkLayer, PosixTimeval Timeval, byte[] PacketData)
{
LinkLayers layers = LinkLayer;
if (layers != LinkLayers.Ethernet)
{
if (layers != LinkLayers.LinuxSLL)
{
throw new NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented");
}
return(new LinuxSLLPacket(PacketData, 0, Timeval));
}
return(new EthernetPacket(PacketData, 0, Timeval));
}
public AResult Handle(LinkLayers linkLayers, Packet packet, object?context, CancellationToken cancellationToken)
{
IAnalyzer analyzer;
lock (_locker)
{
if (_isDisposed)
{
throw new ObjectDisposedException(nameof(HotReloadAnalyzer));
}
analyzer = _currentAnalyzer !; // If we are not disposed, analyzer exists.
}
return(analyzer.Handle(linkLayers, packet, context, cancellationToken));
}
/// <summary> Fetch the header length associated with various link-layer types.</summary>
/// <param name="layerType">the link-layer code
/// </param>
/// <returns> the length of the header for the specified link-layer
/// </returns>
public static int LinkLayerLength(LinkLayers layerType)
{
switch (layerType)
{
case LinkLayers.ARCNET:
return 6;
case LinkLayers.SLIP:
return 16;
case LinkLayers.SLIP_BSD:
return 24;
case LinkLayers.Null:
case LinkLayers.Loop:
return 4;
case LinkLayers.PPP:
case LinkLayers.CiscoHDLC:
case LinkLayers.PPPSerial:
return 4;
case LinkLayers.PPP_BSD:
return 24;
case LinkLayers.FDDI:
return 21;
case LinkLayers.IEEE802_11:
return 22;
case LinkLayers.ATM_RFC1483:
return 8;
case LinkLayers.Raw:
return 0;
case LinkLayers.ATM_CLIP:
return 8;
case LinkLayers.LinuxSLL:
return 16;
case LinkLayers.Ethernet10Mb:
default:
return 14;
}
}
/// <summary> Fetch the header length associated with various link-layer types.</summary>
/// <param name="layerType">the link-layer code
/// </param>
/// <returns> the length of the header for the specified link-layer
/// </returns>
public static int LinkLayerLength(LinkLayers layerType)
{
switch (layerType)
{
case LinkLayers.ARCNET:
return(6);
case LinkLayers.SLIP:
return(16);
case LinkLayers.SLIP_BSD:
return(24);
case LinkLayers.Null:
case LinkLayers.Loop:
return(4);
case LinkLayers.PPP:
case LinkLayers.CiscoHDLC:
case LinkLayers.PPPSerial:
return(4);
case LinkLayers.PPP_BSD:
return(24);
case LinkLayers.FDDI:
return(21);
case LinkLayers.IEEE802_11:
return(22);
case LinkLayers.ATM_RFC1483:
return(8);
case LinkLayers.Raw:
return(0);
case LinkLayers.ATM_CLIP:
return(8);
case LinkLayers.LinuxSLL:
return(16);
case LinkLayers.Ethernet10Mb:
default:
return(14);
}
}
/// <summary> Fetch the offset into the link-layer header where the protocol code
/// can be found. Returns -1 if there is no embedded protocol code.
/// </summary>
/// <param name="layerType">the link-layer code
/// </param>
/// <returns> the offset in bytes
/// </returns>
public static int ProtocolOffset(LinkLayers layerType)
{
switch (layerType)
{
case LinkLayers.ARCNET:
return(2);
case LinkLayers.SLIP:
return(-1);
case LinkLayers.SLIP_BSD:
return(-1);
case LinkLayers.Null:
case LinkLayers.Loop:
return(0);
case LinkLayers.PPP:
case LinkLayers.CiscoHDLC:
case LinkLayers.PPPSerial:
return(2);
case LinkLayers.PPP_BSD:
return(5);
case LinkLayers.FDDI:
return(13);
case LinkLayers.IEEE802_11:
return(14);
case LinkLayers.ATM_RFC1483:
return(6);
case LinkLayers.Raw:
return(-1);
case LinkLayers.ATM_CLIP:
return(6);
case LinkLayers.LinuxSLL:
return(14);
case LinkLayers.Ethernet10Mb:
default:
return(12);
}
}
/// <summary>
/// Parse bytes into a packet
/// </summary>
/// <param name="linkLayer">
/// A <see cref="LinkLayers" />
/// </param>
/// <param name="packetData">
/// A <see cref="System.Byte" />
/// </param>
/// <returns>
/// A <see cref="Packet" />
/// </returns>
public static Packet ParsePacket(LinkLayers linkLayer, byte[] packetData)
{
Packet p;
var bas = new ByteArraySegment(packetData);
Log.DebugFormat("LinkLayer {0}", linkLayer);
switch (linkLayer)
{
case LinkLayers.Ethernet:
p = new EthernetPacket(bas);
break;
case LinkLayers.LinuxSLL:
p = new LinuxSLLPacket(bas);
break;
case LinkLayers.Ppp:
p = new PPPPacket(bas);
break;
case LinkLayers.Ieee80211:
p = MacFrame.ParsePacket(bas);
break;
case LinkLayers.Ieee80211_Radio:
p = new RadioPacket(bas);
break;
case LinkLayers.PerPacketInformation:
p = new PpiPacket(bas);
break;
//http://sourceforge.net/p/packetnet/patches/1/
case LinkLayers.Raw:
var ipVer = (packetData[0] & 0xf0) >> 4;
p = (ipVer == 4)? new IPv4Packet(bas) : new IPv6Packet(bas) as Packet;
break;
default:
throw new NotImplementedException("LinkLayer of " + linkLayer + " is not implemented");
}
return(p);
}
private static Boolean ParseLinkLayer(ReadOnlySpan <Byte> linkData,
LinkLayers linkType,
out ReadOnlySpan <Byte> networkData,
out EthernetPacketType ethernetProtocol)
{
networkData = ArraySegment <Byte> .Empty;
ethernetProtocol = EthernetPacketType.None;
switch (linkType)
{
case LinkLayers.Ethernet:
var ethernetTypePosition = EthernetFields.TypePosition;
ethernetProtocol = (EthernetPacketType)((linkData[ethernetTypePosition] << 8) | linkData[ethernetTypePosition + 1]);
networkData = linkData.Slice(EthernetFields.HeaderLength, linkData.Length - EthernetFields.HeaderLength); // 4B Ethernet trailer (CRC)
return(true);
default:
return(false);
}
}
public static string GetProtocol(LinkLayers type, Byte[] data)
{
ip_address ip;
ip.byte1 = data[0];
ip.byte2 = data[1];
ip.byte3 = data[2];
ip.byte4 = data[3];
ip_header ip_h;
ip_h.proto = data[13];
string packet = "" + PacketDotNet.Packet.ParsePacket(type, data);
switch (ip_h.proto)
{
case 0:
return "TCP" + ip_h.proto.ToString("X2");
case 6:
return "ARP" + ip_h.proto.ToString("X2");
case 221:
return "UDP" + ip_h.proto.ToString("X2");
}
return "Not Known" + ip_h.proto.ToString("X2");
}
/// <summary>
/// Ges the flow key for the given <paramref name="frame"/>.
/// </summary>
/// <param name="linkLayer">The link layer of the frame.</param>
/// <param name="frame">The frame bytes.</param>
/// <returns>The flow kye of the frame.</returns>
public FlowKey GetFlowKey(LinkLayers linkLayer, Span <byte> frame)
{
var packet = Packet.ParsePacket(linkLayer, frame.ToArray());
return(_packetKeyProvider.GetKey(packet));
}
/// <summary> Convert captured packet data into an object.</summary>
public static Packet dataToPacket(LinkLayers linkType, byte[] bytes, Timeval tv)
{
EthernetPacketType ethProtocol;
// retrieve the length of the headers associated with this link layer type.
// this length is the offset to the header embedded in the packet.
int byteOffsetToEthernetPayload = LinkLayer.LinkLayerLength(linkType);
// extract the protocol code for the type of header embedded in the
// link-layer of the packet
int offset = LinkLayer.ProtocolOffset(linkType);
if (offset == -1)
{
// if there is no embedded protocol, assume IpV4
ethProtocol = EthernetPacketType.IPv4;
}
else
{
ethProtocol = (EthernetPacketType)ArrayHelper.extractInteger(bytes, offset, EthernetFields_Fields.ETH_CODE_LEN);
}
string errorString;
Packet parsedPacket = null;
try
{
// try to recognize the ethernet type..
switch (ethProtocol)
{
// arp
case EthernetPacketType.ARP:
parsedPacket = new ARPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
case EthernetPacketType.IPv6:
case EthernetPacketType.IPv4:
try
{
// ethernet level code is recognized as IP, figure out what kind..
int ipProtocol = IPProtocol.extractProtocol(byteOffsetToEthernetPayload, bytes);
switch (ipProtocol)
{
case (int)IPProtocol.IPProtocolType.ICMP:
parsedPacket = new ICMPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
case (int)IPProtocol.IPProtocolType.IGMP:
parsedPacket = new IGMPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
case (int)IPProtocol.IPProtocolType.TCP:
parsedPacket = new TCPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
case (int)IPProtocol.IPProtocolType.UDP:
parsedPacket = new UDPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
// unidentified ip..
default:
parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
}
// check that the parsed packet is valid
if (!parsedPacket.IsValid(out errorString))
{
throw new PcapException(errorString);
}
else
{
return parsedPacket;
}
}
catch
{
// error parsing the specific ip packet type, parse as a generic IPPacket
parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv);
// check that the parsed packet is valid
if (!parsedPacket.IsValid(out errorString))
{
throw new PcapException(errorString);
}
else
{
return parsedPacket;
}
}
// ethernet level code not recognized, default to anonymous packet..
default:
parsedPacket = new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv);
break;
}
return parsedPacket;
}
catch
{
// we know we have at least an ethernet packet, so return that
return new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv);
}
}
/// <summary> Convert captured packet data into an object.</summary>
public static Packet dataToPacket(LinkLayers linkType, byte[] bytes)
{
return dataToPacket(linkType, bytes, new Timeval(0, 0));
}
/// <summary> Fetch the offset into the link-layer header where the protocol code
/// can be found. Returns -1 if there is no embedded protocol code.
/// </summary>
/// <param name="layerType">the link-layer code
/// </param>
/// <returns> the offset in bytes
/// </returns>
public static int ProtocolOffset(LinkLayers layerType)
{
switch (layerType)
{
case LinkLayers.ARCNET:
return 2;
case LinkLayers.SLIP:
return -1;
case LinkLayers.SLIP_BSD:
return -1;
case LinkLayers.Null:
case LinkLayers.Loop:
return 0;
case LinkLayers.PPP:
case LinkLayers.CiscoHDLC:
case LinkLayers.PPPSerial:
return 2;
case LinkLayers.PPP_BSD:
return 5;
case LinkLayers.FDDI:
return 13;
case LinkLayers.IEEE802_11:
return 14;
case LinkLayers.ATM_RFC1483:
return 6;
case LinkLayers.Raw:
return -1;
case LinkLayers.ATM_CLIP:
return 6;
case LinkLayers.LinuxSLL:
return 14;
case LinkLayers.Ethernet10Mb:
default:
return 12;
}
}
public static PacketData Parse(ReadOnlySpan <byte> bytes)
{
if (bytes.Length < MinimumLength)
{
throw new TzspUnpackException($"Packet length is < {MinimumLength}.");
}
var state = State.Version;
LinkLayers linkLayer = LinkLayers.Null;
for (int i = 0; i < bytes.Length; ++i)
{
switch (state)
{
case State.Version:
if (Version != bytes[i])
{
throw new TzspUnpackException($"Version number mismatch. {Version} != {bytes[i]}.");
}
state = State.Type;
break;
case State.Type:
if (bytes[i] > 5)
{
throw new TzspUnpackException($"Invalid type value {bytes[i]}.");
}
state = State.Protocol;
break;
case State.Protocol:
ushort protocol = (ushort)((bytes[i] << 8) | (bytes[i + 1]));
i += 1;
linkLayer = GetLinkLayerFromProtocol(protocol);
state = State.TaggedFields;
break;
case State.TaggedFields:
for (int j = i; j < bytes.Length;)
{
var type = bytes[j];
if (type == TagPadding)
{
j += 1;
continue;
}
if (type == TagEnd)
{
i = j;
break;
}
var tagLength = bytes[j + 1];
j += 2 + tagLength;
}
state = State.Packet;
break;
case State.Packet:
return(new PacketData(linkLayer, bytes.Slice(i)));
}
}
throw new TzspUnpackException("Invalid TZSP packet structure (missing bytes).");
}
public static Packet ParsePacket(LinkLayers LinkLayer, PosixTimeval Timeval, byte[] PacketData)
{
LinkLayers layers = LinkLayer;
if (layers != LinkLayers.Ethernet)
{
if (layers != LinkLayers.LinuxSLL)
{
throw new NotImplementedException("LinkLayer of " + LinkLayer + " is not implemented");
}
return new LinuxSLLPacket(PacketData, 0, Timeval);
}
return new EthernetPacket(PacketData, 0, Timeval);
}
