/// <summary> Convert captured packet data into an object.</summary> public static Packet dataToPacket(LinkLayers linkType, byte[] bytes, Timeval tv) { EthernetPacketType ethProtocol; // retrieve the length of the headers associated with this link layer type. // this length is the offset to the header embedded in the packet. int byteOffsetToEthernetPayload = LinkLayer.LinkLayerLength(linkType); // extract the protocol code for the type of header embedded in the // link-layer of the packet int offset = LinkLayer.ProtocolOffset(linkType); if (offset == -1) { // if there is no embedded protocol, assume IpV4 ethProtocol = EthernetPacketType.IPv4; } else { ethProtocol = (EthernetPacketType)ArrayHelper.extractInteger(bytes, offset, EthernetFields_Fields.ETH_CODE_LEN); } string errorString; Packet parsedPacket = null; try { // try to recognize the ethernet type.. switch (ethProtocol) { // arp case EthernetPacketType.ARP: parsedPacket = new ARPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case EthernetPacketType.IPv6: case EthernetPacketType.IPv4: try { // ethernet level code is recognized as IP, figure out what kind.. int ipProtocol = IPProtocol.extractProtocol(byteOffsetToEthernetPayload, bytes); switch (ipProtocol) { case (int)IPProtocol.IPProtocolType.ICMP: parsedPacket = new ICMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.IGMP: parsedPacket = new IGMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.TCP: parsedPacket = new TCPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.UDP: parsedPacket = new UDPPacket(byteOffsetToEthernetPayload, bytes, tv); break; // unidentified ip.. default: parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); break; } // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return parsedPacket; } } catch { // error parsing the specific ip packet type, parse as a generic IPPacket parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return parsedPacket; } } // ethernet level code not recognized, default to anonymous packet.. default: parsedPacket = new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv); break; } return parsedPacket; } catch { // we know we have at least an ethernet packet, so return that return new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv); } }
internal static void UpdateArpNode(TreeView treeView, ARPPacket arpPacket) { TreeNode arpNode = treeView.Nodes["ARP"]; if (arpNode == null) { arpNode = AddArpNode(treeView); } arpNode.Text = String.Format("Address Resolution Protocol ({0})", DataStructures.GetARPOpDescription(arpPacket.ARPOperation)); arpNode.Nodes["HwType"].Text = String.Format("Hardware type: {0} (0x{1:X4})", DataStructures.GetARPHwTypeDescription(arpPacket.ARPHwType), arpPacket.ARPHwType); arpNode.Nodes["ProtocolType"].Text = String.Format("Protocol type: {0} (0x{1:X4})", DataStructures.GetEtherTypeDescription((EthernetPacketType)arpPacket.ARPProtocolType), arpPacket.ARPProtocolType); arpNode.Nodes["HwSize"].Text = String.Format("Hardware size: {0}", arpPacket.ARPHwLength); arpNode.Nodes["ProtocolSize"].Text = String.Format("Protocol size: {0}", arpPacket.ARPProtocolLength); arpNode.Nodes["Opcode"].Text = String.Format("Operation: {0} (0x{1:X4})", DataStructures.GetARPOpDescription(arpPacket.ARPOperation), arpPacket.ARPOperation); arpNode.Nodes["SenderHwAddress"].Text = String.Format("Sender MAC address: {0}", GetHyphenatedHwAddress(arpPacket.ARPSenderHwAddress)); arpNode.Nodes["SenderIPAddress"].Text = String.Format("Sender IP address: {0}", arpPacket.ARPSenderProtoAddress); arpNode.Nodes["TargetHwAddress"].Text = String.Format("Target MAC address: {0}", GetHyphenatedHwAddress(arpPacket.ARPTargetHwAddress)); arpNode.Nodes["TargetIPAddress"].Text = String.Format("Target IP address: {0}", arpPacket.ARPTargetProtoAddress); }
private ARPPacket BuildARP(PhysicalAddress localMAC, System.Net.IPAddress localIP) { ARPPacket arp = new ARPPacket(14, new byte[60]); // arp fields arp.ARPHwLength = 6; arp.ARPHwType = ARPFields_Fields.ARP_ETH_ADDR_CODE; arp.ARPProtocolLength = 4; arp.ARPProtocolType = ARPFields_Fields.ARP_IP_ADDR_CODE; arp.ARPSenderHwAddress = localMAC; arp.ARPSenderProtoAddress = localIP; // ether fields arp.SourceHwAddress = localMAC; arp.EthernetProtocol = EthernetPacket.EtherType.ARP; return arp; }
/// <summary> Convert captured packet data into an object.</summary> public static Packet dataToPacket(LinkLayers linkType, byte[] bytes, Timeval tv) { EthernetPacketType ethProtocol; // retrieve the length of the headers associated with this link layer type. // this length is the offset to the header embedded in the packet. int byteOffsetToEthernetPayload = LinkLayer.LinkLayerLength(linkType); // extract the protocol code for the type of header embedded in the // link-layer of the packet int offset = LinkLayer.ProtocolOffset(linkType); if (offset == -1) { // if there is no embedded protocol, assume IpV4 ethProtocol = EthernetPacketType.IPv4; } else { ethProtocol = (EthernetPacketType)ArrayHelper.extractInteger(bytes, offset, EthernetFields_Fields.ETH_CODE_LEN); } string errorString; Packet parsedPacket = null; try { // try to recognize the ethernet type.. switch (ethProtocol) { // arp case EthernetPacketType.ARP: parsedPacket = new ARPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case EthernetPacketType.IPv6: case EthernetPacketType.IPv4: try { // ethernet level code is recognized as IP, figure out what kind.. int ipProtocol = IPProtocol.extractProtocol(byteOffsetToEthernetPayload, bytes); switch (ipProtocol) { case (int)IPProtocol.IPProtocolType.ICMP: parsedPacket = new ICMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.IGMP: parsedPacket = new IGMPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.TCP: parsedPacket = new TCPPacket(byteOffsetToEthernetPayload, bytes, tv); break; case (int)IPProtocol.IPProtocolType.UDP: parsedPacket = new UDPPacket(byteOffsetToEthernetPayload, bytes, tv); break; // unidentified ip.. default: parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); break; } // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return(parsedPacket); } } catch { // error parsing the specific ip packet type, parse as a generic IPPacket parsedPacket = new IPPacket(byteOffsetToEthernetPayload, bytes, tv); // check that the parsed packet is valid if (!parsedPacket.IsValid(out errorString)) { throw new PcapException(errorString); } else { return(parsedPacket); } } // ethernet level code not recognized, default to anonymous packet.. default: parsedPacket = new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv); break; } return(parsedPacket); } catch { // we know we have at least an ethernet packet, so return that return(new EthernetPacket(byteOffsetToEthernetPayload, bytes, tv)); } }