// PCAPNG
// Physical File Layout
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | SHB | IDB | EPB | EPB | ... | EPB |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

/// <summary>
/// Appends one Enhanced Packet Block for <paramref name="record"/> to the output stream and
/// keeps the running section byte count and packet counters in step with what was written.
/// </summary>
/// <param name="record">The ETW event carrying the captured packet.</param>
/// <param name="headerRecord">
/// Optional raw NdisEtwMetadata bytes that preceded this packet. When present and recognised
/// by <c>NdisEtwMetadata.isNdisEtwMetadata</c> they are handed to the block constructor and
/// the packet is counted in <c>packetsWithHeaders</c>; otherwise the block is built without them.
/// </param>
public void writePacket(EventRecord record, byte[] headerRecord = null)
{
    bool hasMetadata = headerRecord != null && NdisEtwMetadata.isNdisEtwMetadata(headerRecord);

    EnhancedPacketBlock block;
    if (hasMetadata)
    {
        // Build the block first so a constructor failure leaves the counter untouched.
        block = new EnhancedPacketBlock(record, new NdisEtwMetadata(headerRecord), maxPacketSize);
        packetsWithHeaders++;
    }
    else
    {
        block = new EnhancedPacketBlock(record, maxPacketSize);
    }

    // Section length and packet count must reflect exactly the bytes emitted below.
    totalSectionCount += block.totalByteLength;
    packetCount++;
    fileWriter.Write(block.totalBytes);
}
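/// <summary>
/// Converts an ETL trace containing NDIS packet-capture events into a pcap or pcapng file.
/// </summary>
/// <param name="source">Path of the .etl file to read.</param>
/// <param name="destination">
/// Output path. A <c>.pcapng</c> extension (compared case-insensitively) selects the pcapng
/// writer; any other extension produces a legacy pcap file.
/// </param>
/// <param name="maxPacketSize">
/// Snapshot length written to the file header. In legacy pcap mode a packet whose payload is
/// larger than this is reported on the console and not written.
/// </param>
/// <param name="networkType">Link-layer type written to the file header (default 1 = Ethernet).</param>
/// <returns>The number of packets written to <paramref name="destination"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="source"/> or <paramref name="destination"/> is null.</exception>
public static long ConvertEtlToPcap(string source, string destination, UInt32 maxPacketSize, UInt32 networkType = 1)
{
    if (source == null)
    {
        throw new ArgumentNullException(nameof(source));
    }
    if (destination == null)
    {
        throw new ArgumentNullException(nameof(destination));
    }

    long result = 0;
    // Events are selected either by the capture activity id or by the NDIS packet-capture provider id.
    var networkTrace = new Guid("{00000001-0000-0000-0000-000000000000}");
    var ndisProviderId = new Guid("{2ed6006e-4729-4609-b423-3ee7bcd678ef}");
    // Windows file extensions are case-insensitive, so ".PCAPNG" must select pcapng as well.
    bool writePcapng = destination.EndsWith(".pcapng", StringComparison.OrdinalIgnoreCase);

    using (BinaryWriter writer = new BinaryWriter(File.Open(destination, FileMode.Create)))
    {
        pcapng ngFile = null;
        if (writePcapng)
        {
            ngFile = new pcapng(writer, maxPacketSize, (UInt16)networkType);
        }
        else
        {
            WritePcapGlobalHeader(writer, maxPacketSize, networkType);
        }

        using (var reader = new EventLogReader(source, PathType.FilePath))
        {
            EventRecord record;
            // Raw bytes of the most recent NdisEtwMetadata event; attached to the next packet (pcapng only).
            List<byte> header = new List<byte>();
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    if (record.ActivityId != networkTrace && record.ProviderId != ndisProviderId)
                    {
                        continue;
                    }

                    // Metadata events are only meaningful to the pcapng writer; the legacy path
                    // keeps the original behaviour of treating every selected event as a packet.
                    if (ngFile != null && NdisEtwMetadata.isNdisEtwMetadata(record))
                    {
                        header.Clear();
                        header.AddRange(NdisEtwMetadata.NdisEtwMetadataBytes(record));
                        continue;
                    }

                    if (ngFile != null)
                    {
                        if (header.Count > 0)
                        {
                            ngFile.writePacket(record, header.ToArray());
                        }
                        else
                        {
                            ngFile.writePacket(record);
                        }
                        header.Clear();
                        result++;
                    }
                    else if (WritePcapRecord(writer, record, maxPacketSize))
                    {
                        // Only packets actually written are counted; skipped ones are reported on the console.
                        result++;
                    }
                }
            }

            if (ngFile != null)
            {
                ngFile.UpdateHeaderBlock();
            }
            return result;
        }
    }
}

/// <summary>
/// Writes the 24-byte legacy pcap global header (native byte order, microsecond timestamps).
/// </summary>
/// <param name="writer">Destination stream positioned at the start of the file.</param>
/// <param name="snaplen">Snapshot length advertised to readers.</param>
/// <param name="network">Link-layer type of the captured frames.</param>
private static void WritePcapGlobalHeader(BinaryWriter writer, UInt32 snaplen, UInt32 network)
{
    const UInt32 MagicNumber = 0xa1b2c3d4;
    const UInt16 VersionMajor = 2;
    const UInt16 VersionMinor = 4;
    const Int32 ThisZone = 0;   // timestamps are written in UTC, so no zone correction is needed
    const UInt32 SigFigs = 0;

    writer.Write(MagicNumber);
    writer.Write(VersionMajor);
    writer.Write(VersionMinor);
    writer.Write(ThisZone);
    writer.Write(SigFigs);
    writer.Write(snaplen);
    writer.Write(network);
}

/// <summary>
/// Writes one NDIS packet-capture event as a legacy pcap packet record.
/// </summary>
/// <param name="writer">Destination stream.</param>
/// <param name="record">The ETW event to convert.</param>
/// <param name="maxPacketSize">Snapshot length from the global header; larger payloads are skipped.</param>
/// <returns>
/// <c>true</c> when a record was written; <c>false</c> when the event was skipped because its
/// payload exceeds <paramref name="maxPacketSize"/> or because it does not carry the expected
/// size/payload properties or a creation time. Malformed events from an untrusted trace are
/// skipped rather than aborting the whole conversion.
/// </returns>
private static bool WritePcapRecord(BinaryWriter writer, EventRecord record, UInt32 maxPacketSize)
{
    // NOTE(review): property layout (index 2 = fragment size, index 3 = fragment bytes) is
    // carried over from the original indexing; confirm against the NDIS-PacketCapture manifest.
    var properties = record.Properties;
    if (properties == null || properties.Count < 4)
    {
        Console.WriteLine($"Event {record.RecordId} does not carry packet properties, skipped");
        return false;
    }
    byte[] fragment = properties[3].Value as byte[];
    uint? reportedLength = properties[2].Value as uint?;
    if (fragment == null || !reportedLength.HasValue || !record.TimeCreated.HasValue)
    {
        Console.WriteLine($"Event {record.RecordId} has no packet payload, size or timestamp, skipped");
        return false;
    }

    // incl_len must equal the number of bytes actually stored after the record header, so it is
    // taken from the payload itself rather than from the reported size; a mismatch between the
    // two would otherwise desynchronise every following record for pcap readers.
    UInt32 incl_len = (UInt32)fragment.Length;
    UInt32 orig_len = Math.Max(reportedLength.Value, incl_len);
    if (incl_len > maxPacketSize)
    {
        Console.WriteLine($"Packet size of {incl_len} exceeded max packet size {maxPacketSize}, packet ignored");
        return false;
    }

    // pcap timestamps are UTC seconds/microseconds since the Unix epoch (the header's thiszone is 0).
    // NOTE(review): TimeCreated is expected to be a local-time DateTime; ToUniversalTime() is a
    // no-op if it is already Utc-kind. Working in 100 ns ticks keeps full microsecond precision
    // instead of the millisecond rounding of the previous double arithmetic.
    DateTime unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    long ticks = record.TimeCreated.Value.ToUniversalTime().Subtract(unixEpoch).Ticks;
    UInt32 ts_sec = (UInt32)(ticks / TimeSpan.TicksPerSecond);
    UInt32 ts_usec = (UInt32)((ticks % TimeSpan.TicksPerSecond) / 10);   // 100 ns ticks -> microseconds

    writer.Write(ts_sec);
    writer.Write(ts_usec);
    writer.Write(incl_len);
    writer.Write(orig_len);
    writer.Write(fragment);
    return true;
}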