public byte GetFieldByte(string name)
{
if (this.Parser == null)
{
return(0);
}
if (!this.Parser.HasField(name))
{
return(0);
}
uint offset, bsize;
uint fieldId = this.Parser.Field(name);
if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
{
if (bsize == 8)
{
byte uRet;
if (0 == NetmonAPI.NmGetFieldValueNumber8Bit(ParsedFrame, fieldId, out uRet))
{
return(uRet);
}
}
}
return(0);
}
public static StringBuilder GetRequestResponseRawStream(IntPtr hParsedFrame, uint payLodId, int frameCount)
{
byte[] rawHTTPByte;
char[] rawHTTPChar;
UInt32 pulFieldOffset;
UInt32 pulFieldBitLength;
UInt32 ulReturnLength;
uint errno = 0;
string tempstring = null;
StringBuilder rawHTTPStringRequest = new StringBuilder();
StringBuilder rawHTTPStringResponse = new StringBuilder();
if (payLodId != 0)
{
errno = NetmonAPI.NmGetFieldOffsetAndSize(hParsedFrame, payLodId, out pulFieldOffset, out pulFieldBitLength);
if (errno == 0)
{
rawHTTPByte = new byte[pulFieldBitLength];
unsafe
{
fixed(byte *pstr = rawHTTPByte)
{
errno = NetmonAPI.NmGetFieldValueByteArray(hParsedFrame, payLodId, pulFieldBitLength, pstr, out ulReturnLength);
tempstring = Encoding.UTF8.GetString(rawHTTPByte, 0, rawHTTPByte.Length);
rawHTTPStringRequest.Append(tempstring);
}
}
}
}
else
{
for (uint j = 0; j < frameCount; j++)
{
errno = NetmonAPI.NmGetFieldOffsetAndSize(hParsedFrame, j, out pulFieldOffset, out pulFieldBitLength);
rawHTTPChar = new char[pulFieldBitLength];
unsafe
{
fixed(char *pstr = rawHTTPChar)
{
errno = NetmonAPI.NmGetFieldValueString(hParsedFrame, j, pulFieldBitLength, pstr);
if (errno == 0)
{
rawHTTPStringRequest.Append(rawHTTPChar);
}
}
}
}
}
return(rawHTTPStringRequest);
}
/// <summary>
/// http://blogs.technet.com/b/netmon/archive/2009/10/07/using-nmapi-to-access-tcp-payload.aspx
/// use property: property.tcppayloadlength, fields: tcp.srcport, tcp.dataoffset.dataoffset to calculate the payload length, and the offset in the raw frame.
/// use NmGetPartialRawFrame to get the payload.
/// </summary>
private void GetTcpPayLoad()
{
unsafe
{
uint ret;
byte tcpHeaderSize; //
uint tcpSrcOffset, tcpSrcSize; // offset: bits
var tcpPayloadLength = PropertyValueDict[NetmonPropertyName.TcpPayloadLength];
int payloadlen;
bool result = Int32.TryParse(tcpPayloadLength.ToString(), out payloadlen);
// Allocate a buffer for payload data. The maximum length=1460 bytes
IntPtr buff = Marshal.AllocHGlobal(1500);
if (payloadlen > 0)
{
// Get the Data Offset, used to determine the TCP header size
ret = NetmonAPI.NmGetFieldValueNumber8Bit(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpDataSet], out tcpHeaderSize);
//Get the Offset of TCP.SrcPort which is the first field in TCP.
ret = NetmonAPI.NmGetFieldOffsetAndSize(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpSrcPort], out tcpSrcOffset, out tcpSrcSize);
// Read in the partial frame. The Offset is in bits. TCPHeaderSize is off by a factor of 4.
uint retlen;
uint offset = (uint)(tcpSrcOffset / 8 + tcpHeaderSize * 4);
ret = NetmonAPI.NmGetPartialRawFrame(_FrameInfoUnit.RawFrame, offset, (uint)payloadlen, (byte *)buff, out retlen);
// cast the intptr to the byte.
byte[] _payload = new byte[payloadlen];
Marshal.Copy(buff, _payload, 0, payloadlen);
//var str = Encoding.Default.GetString(_payload);
frameUnit.fieldUnit.PayLoad = _payload;
/*
* if (protocolname == "TCP")
* {
* frameUnit.fieldUnit.tcpPayLoad = _payload;
* }
* else
* {
* frameUnit.fieldUnit.httpPayLoad = _payload;
* // Console.WriteLine("http payload:");
* //Console.WriteLine(str);
* }*/
}
Marshal.Release(buff);
}
}
public byte[] GetFieldBuffer(string name)
{
if (this.Parser == null)
{
return(null);
}
if (!this.Parser.HasField(name))
{
return(null);
}
uint offset, bsize;
uint fieldId = this.Parser.Field(name);
if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
{
if (bsize > 0)
{
uint size = bsize / 8;
byte[] bytes = new byte[bsize / 8];
UInt32 uRet;
unsafe
{
fixed(byte *ptr = bytes)
{
if (0 == NetmonAPI.NmGetFieldInBuffer(ParsedFrame, fieldId, size, ptr, out uRet))
{
return(bytes);
}
}
}
}
}
return(null);
}