private void WritePcapHeader(PcapFrame.DataLinkTypeEnum dataLinkType, bool littleEndian) { List <byte[]> headerFields = new List <byte[]>(); headerFields.Add(ToByteArray(MAGIC_NUMBER)); headerFields.Add(ToByteArray(MAJOR_VERSION_NUMBER)); headerFields.Add(ToByteArray(MINOR_VERSION_NUMBER)); headerFields.Add(ToByteArray((uint)0x00)); headerFields.Add(ToByteArray((uint)0x00)); headerFields.Add(ToByteArray((uint)0xffff)); headerFields.Add(ToByteArray((uint)dataLinkType)); this.writeLock.Wait(); try { foreach (byte[] field in headerFields) { if (littleEndian) { Array.Reverse(field); } outputStream.Write(field, 0, field.Length); } } finally { this.writeLock.Release(); } }
public PcapFileWriter(PcapFrame.DataLinkTypeEnum dataLinkType, Stream outputStream, bool autoFlush = false) : this() { this.DataLinkType = dataLinkType; this.outputStream = outputStream; this.autoFlush = autoFlush; this.WritePcapHeader(dataLinkType, false); }
public PcapParser(IPcapStreamReader pcapStreamReader, byte[] firstFourBytes) { this.pcapStreamReader = pcapStreamReader; this.metadata = new List <KeyValuePair <string, string> >(); //read pcap file header! byte[] buffer4 = new byte[4]; //32 bits is suitable byte[] buffer2 = new byte[2]; //16 bits is sometimes needed //uint wiresharkMagicNumber = 0xa1b2c3d4; //Section Header Block (mandatory) if (firstFourBytes == null || firstFourBytes.Length != 4) { buffer4 = this.pcapStreamReader.BlockingRead(4); } else { buffer4 = firstFourBytes; } if (this.ToUInt32(buffer4, false) == LIBPCAP_MAGIC_NUMBER) { this.littleEndian = false; this.metadata.Add(new KeyValuePair <string, string>("Endianness", "Big Endian")); } else if (this.ToUInt32(buffer4, true) == LIBPCAP_MAGIC_NUMBER) { this.littleEndian = true; this.metadata.Add(new KeyValuePair <string, string>("Endianness", "Little Endian")); } else { throw new System.IO.InvalidDataException("The stream is not a PCAP file. Magic number is " + this.ToUInt32(buffer4, false).ToString("X2") + " or " + this.ToUInt32(buffer4, true).ToString("X2") + " but should be " + LIBPCAP_MAGIC_NUMBER.ToString("X2") + "."); } /* major version number */ this.pcapStreamReader.BlockingRead(buffer2, 0, 2); ushort majorVersionNumber = ToUInt16(buffer2, this.littleEndian); /* minor version number */ this.pcapStreamReader.BlockingRead(buffer2, 0, 2); ushort minorVersionNumber = ToUInt16(buffer2, this.littleEndian); /* GMT to local correction */ this.pcapStreamReader.BlockingRead(buffer4, 0, 4); int timezoneOffsetSeconds = (int)ToUInt32(buffer4, this.littleEndian); /* accuracy of timestamps */ this.pcapStreamReader.BlockingRead(buffer4, 0, 4); /* max length of captured packets, in octets */ this.pcapStreamReader.BlockingRead(buffer4, 0, 4); uint maximumPacketSize = ToUInt32(buffer4, this.littleEndian); /* data link type */ this.pcapStreamReader.BlockingRead(buffer4, 0, 4); //offset = 20 = 0x14 this.dataLinkType = (PcapFrame.DataLinkTypeEnum)ToUInt32(buffer4, this.littleEndian); this.metadata.Add(new KeyValuePair <string, string>("Data Link Type", dataLinkType.ToString())); }
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize, bool littleEndian, FileAccess fileAccess = FileAccess.Write, FileShare fileShare = FileShare.Read) : this() { this.FramesWritten = 0; this.Filename = filename; this.DataLinkType = dataLinkType; //this.referenceTime=new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); this.outputStream = new FileStream(filename, fileMode, fileAccess, fileShare, bufferSize, FileOptions.SequentialScan); if (fileMode != FileMode.Append || outputStream.Position == 0) { this.WritePcapHeader(dataLinkType, littleEndian); } }
internal PpiPacket(Frame parentFrame, int packetStartIndex, int packetEndIndex) : base(parentFrame, packetStartIndex, packetEndIndex, "PPI") { this.ppiLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2, true); if (!this.ParentFrame.QuickParse) { base.Attributes.Add("Length", "" + ppiLength); } uint dataLinkTypeUInt = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex + 4, 4, true); this.dataLinkType = (PcapFrame.DataLinkTypeEnum)dataLinkTypeUInt; if (!this.ParentFrame.QuickParse) { base.Attributes.Add("Data Link Type", dataLinkType.ToString()); } }
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize, bool littleEndian) { this.framesWritten = 0; this.filename = filename; this.dataLinkType = dataLinkType; this.referenceTime = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); this.fileStream = new FileStream(filename, fileMode, FileAccess.Write, FileShare.Read, bufferSize, FileOptions.SequentialScan); this.isOpen = true; if (fileMode != FileMode.Append || fileStream.Position == 0) { List <byte[]> headerFields = new List <byte[]>(); headerFields.Add(ToByteArray(MAGIC_NUMBER)); headerFields.Add(ToByteArray(MAJOR_VERSION_NUMBER)); headerFields.Add(ToByteArray(MINOR_VERSION_NUMBER)); headerFields.Add(ToByteArray((uint)0x00)); headerFields.Add(ToByteArray((uint)0x00)); headerFields.Add(ToByteArray((uint)0xffff)); headerFields.Add(ToByteArray((uint)dataLinkType)); foreach (byte[] field in headerFields) { if (littleEndian) { Array.Reverse(field); } fileStream.Write(field, 0, field.Length); } /* * fileStream.Write(ToByteArray(MAGIC_NUMBER), 0, 4); * fileStream.Write(ToByteArray(MAJOR_VERSION_NUMBER), 0, 2); * fileStream.Write(ToByteArray(MINOR_VERSION_NUMBER), 0, 2); * fileStream.Write(ToByteArray((uint)0x00), 0, 4);//Time zone offset * fileStream.Write(ToByteArray((uint)0x00), 0, 4);//accuracy of timestamps * fileStream.Write(ToByteArray((uint)0xffff), 0, 4);//max length of captured packets, in octets * fileStream.Write(ToByteArray((uint)dataLinkType), 0, 4); * */ } }
public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType, System.IO.FileMode fileMode, int bufferSize) : this(filename, dataLinkType, fileMode, bufferSize, false) { //I prefer big endian }
//public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType) : this(filename, dataLinkType, System.IO.FileMode.Create, 262144){ public PcapFileWriter(string filename, PcapFrame.DataLinkTypeEnum dataLinkType) : this(filename, dataLinkType, System.IO.FileMode.Create, 8388608) { //nothing more needed }
public static bool TryGetPacket(out Packets.AbstractPacket packet, PcapFrame.DataLinkTypeEnum dataLinkType, Frame parentFrame, int startIndex, int endIndex) { return(TryGetPacket(out packet, GetPacketType(dataLinkType), parentFrame, startIndex, endIndex)); }
public static System.Type GetPacketType(PcapFrame.DataLinkTypeEnum dataLinkType) { Type packetType = typeof(Packets.Ethernet2Packet);//use Ethernet as default if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_ETHERNET) { packetType = typeof(Packets.Ethernet2Packet); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11 || dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11_WLAN_AVS) { packetType = typeof(Packets.IEEE_802_11Packet); } //802.11 after a RadioTap header else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP) { packetType = typeof(Packets.IEEE_802_11RadiotapPacket); } //Or raw IP? else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP || dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP_2 || dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP_3 || dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP4) { packetType = typeof(Packets.IPv4Packet); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_RAW_IP6) { packetType = typeof(Packets.IPv6Packet); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_CHDLC) { packetType = typeof(Packets.CiscoHdlcPacket); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_SLL) { packetType = typeof(Packets.LinuxCookedCapture); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PRISM_HEADER) { packetType = typeof(Packets.PrismCaptureHeaderPacket); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PPI) { packetType = typeof(Packets.PpiPacket); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_PPP) { packetType = typeof(Packets.PointToPointPacket); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_NULL) { packetType = typeof(Packets.NullLoopbackPacket); } else if (dataLinkType == PcapFrame.DataLinkTypeEnum.WTAP_ENCAP_ERF) { packetType = typeof(Packets.ErfFrame); } return(packetType); }