/// <summary>
/// Wraps a parsed packet and probes it for every protocol layer this view knows about.
/// </summary>
/// <param name="packet">The parsed packet to inspect.</param>
/// <remarks>
/// Each layer is probed independently, so several of the layer fields can be non-null for the
/// same packet. <c>typeName</c> is overwritten by every layer that is present, in the order
/// listed below, so it ends up naming the last layer in that order that was found. It is not
/// assigned at all when no probe matches.
/// </remarks>
public PacketDetials(Packet packet)
{
    this.packet = packet;

    // Step 1: extract each layer; GetEncapsulated yields null when the layer is absent.
    ethernetPacket = EthernetPacket.GetEncapsulated(packet);
    ipPacket = IpPacket.GetEncapsulated(packet);
    arpPacket = ARPPacket.GetEncapsulated(packet);
    icmpv4Packet = ICMPv4Packet.GetEncapsulated(packet);
    icmpv6Packet = ICMPv6Packet.GetEncapsulated(packet);
    igmpv2Packet = IGMPv2Packet.GetEncapsulated(packet);
    pppoePacket = PPPoEPacket.GetEncapsulated(packet);
    pppPacket = PPPPacket.GetEncapsulated(packet);
    tcpPacket = TcpPacket.GetEncapsulated(packet);
    udpPacket = UdpPacket.GetEncapsulated(packet);

    // Step 2: label the packet. Later checks win, so the order here is significant.
    if (ethernetPacket != null)
    {
        typeName = "Ethernet";
    }
    if (ipPacket != null)
    {
        typeName = "Ip";
    }
    if (arpPacket != null)
    {
        typeName = "ARP";
    }
    if (icmpv4Packet != null)
    {
        typeName = "ICMPv4";
    }
    if (icmpv6Packet != null)
    {
        typeName = "ICMPv6";
    }
    if (igmpv2Packet != null)
    {
        typeName = "IGMPv2";
    }
    if (pppoePacket != null)
    {
        typeName = "PPPoE";
    }
    if (pppPacket != null)
    {
        typeName = "PPP";
    }
    if (tcpPacket != null)
    {
        typeName = "TCP";
    }
    if (udpPacket != null)
    {
        typeName = "UDP";
    }
}
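/// <summary>
/// Renders the Ethernet II header of <paramref name="packet"/> into the tree view and hands the
/// frame to the dissector selected by its EtherType.
/// </summary>
/// <param name="packet">The parsed packet to display.</param>
private void Ethernet(Packet packet)
{
    EthernetPacket e = EthernetPacket.GetEncapsulated(packet);
    if (e == null)
    {
        // Captured frames are untrusted input: a packet without an Ethernet layer must not
        // bring the UI down with a NullReferenceException, so there is simply nothing to show.
        return;
    }

    if (EthernetNode == null)
    {
        EthernetNode = new TreeNode("EthernetII");
        EthernetNode.Name = "Ethernet";
        EthernetNode.ImageIndex = 0;
        EthernetNode.SelectedImageIndex = 0;
    }

    // The node is reused between packets, so drop the previous packet's fields first.
    EthernetNode.Nodes.Clear();
    EthernetNode.Nodes.Add("Destination: " + Format.MacFormat(e.DestinationHwAddress.ToString()));
    EthernetNode.Nodes.Add("Source: " + Format.MacFormat(e.SourceHwAddress.ToString()));
    EthernetNode.Nodes.Add("Type: " + e.Type.ToString() + " [0x" + e.Type.ToString("X") + "]");
    Tree.Nodes.Add(EthernetNode);

    // NOTE(review): each GetEncapsulated call below can return null when the payload does not
    // decode as the announced protocol; confirm that the dissectors being called accept null.
    switch (e.Type)
    {
        case EthernetPacketType.Arp: // ARP
            ARPPacket arp = ARPPacket.GetEncapsulated(packet);
            Arp(arp);
            break;
        case EthernetPacketType.IpV4: // IP
        case EthernetPacketType.IpV6:
            IpPacket ip = IpPacket.GetEncapsulated(packet);
            IP(ip);
            break;
        case EthernetPacketType.WakeOnLan: // Wake-on-LAN
            WakeOnLanPacket wake = WakeOnLanPacket.GetEncapsulated(packet);
            Wake_on_Lan(wake);
            break;
        case EthernetPacketType.LLDP: // Link Layer Discovery Protocol
            LLDPPacket ll = LLDPPacket.GetEncapsulated(packet);
            LLDPProtocol(ll);
            break;
        case EthernetPacketType.PointToPointProtocolOverEthernetDiscoveryStage:
        case EthernetPacketType.PPPoE:
            PPPoEPacket pppoe = PPPoEPacket.GetEncapsulated(packet);
            PPPOE(pppoe);
            break;
        case EthernetPacketType.None: // no known upper protocol
        default:
            // Keep the raw payload so it can still be shown undecoded.
            PayLoadData = e.PayloadData;
            break;
    }
}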
/// <summary>
/// Capture callback: when the helper accepts a frame as an ARP reply meant for this host, the
/// reply's sender is recorded as an online client.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="packet">Capture event carrying the raw frame.</param>
private void device_OnPacketArrival(object sender, CaptureEventArgs packet)
{
    var capture = packet.Packet;
    Packet parsed = Packet.ParsePacket(capture.LinkLayerType, capture.Data);
    ARPPacket arpPacket = ARPPacket.GetEncapsulated(parsed);

    // NOTE(review): arpPacket is null for any non-ARP frame; this relies on
    // CheckIfArpReplyIsForUs rejecting null. Confirm against the helper.
    bool accepted = CaptureDeviceHelpers.CheckIfArpReplyIsForUs(arpPacket, _ipsInSubnet, _onlineClients);
    if (!accepted)
    {
        return;
    }

    // ARP carries no authentication: the IP/MAC pair stored here is only what the sender
    // claimed, so the resulting list is a hint, not proof of which host owns an address.
    var client = new Target
    {
        Ip = arpPacket.SenderProtocolAddress.ToString(),
        Mac = arpPacket.SenderHardwareAddress.ToString()
    };
    _onlineClients.Add(client);
}
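/// <summary>
/// Dispatches the protocol carried inside a GRE header to the matching dissector.
/// </summary>
/// <param name="data">Raw bytes of the GRE payload; nothing is done when null or empty.</param>
/// <param name="e">Protocol type announced by the GRE header.</param>
private void NextGRE(byte[] data, EthernetProtocolType e)
{
    // The payload comes straight from captured traffic; a missing buffer is treated like an
    // empty one instead of raising a NullReferenceException in the dissector.
    if (data == null || data.Length == 0)
    {
        return;
    }

    // NOTE(review): only the PPP branch decodes `data`. Every other branch decodes the instance
    // field `packet` (the outer frame), which looks copied from the Ethernet dissector, so the
    // encapsulated payload is never examined there. If the IP dissector can reach NextGRE again
    // for that same outer packet, this would recurse without end on a GRE frame; verify.
    switch (e)
    {
        case EthernetProtocolType.PPP:
            // `new` never yields null, so the result can be passed on directly.
            PPP(new TwzyProtocol.PPPPacket(data));
            break;
        case EthernetProtocolType.Arp: // ARP
            ARPPacket arp = ARPPacket.GetEncapsulated(packet);
            Arp(arp);
            break;
        case EthernetProtocolType.IpV4: // IP
        case EthernetProtocolType.IpV6:
            IpPacket ip = IpPacket.GetEncapsulated(packet);
            IP(ip);
            break;
        case EthernetProtocolType.WakeOnLan: // Wake-on-LAN
            WakeOnLanPacket wake = WakeOnLanPacket.GetEncapsulated(packet);
            Wake_on_Lan(wake);
            break;
        case EthernetProtocolType.LLDP: // Link Layer Discovery Protocol
            LLDPPacket ll = LLDPPacket.GetEncapsulated(packet);
            LLDPProtocol(ll);
            break;
        case EthernetProtocolType.PointToPointProtocolOverEthernetDiscoveryStage:
        case EthernetProtocolType.PPPoE:
            PPPoEPacket pppoe = PPPoEPacket.GetEncapsulated(packet);
            PPPOE(pppoe);
            break;
        case EthernetProtocolType.None: // no known upper protocol
            break;
    }
}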
/// <summary>
/// Converts one raw capture into a <c>DataPacket</c> record.
/// </summary>
/// <param name="capture">The raw data captured from the interface.</param>
/// <returns>
/// The populated record for TCP, UDP and ICMPv4 (each only when an IP layer is present) or for
/// ARP; <c>null</c> for anything else.
/// </returns>
/// <remarks>
/// TCP, UDP and ICMPv4 records are also placed on <c>DnsLookupQueue</c> and <c>WaitHandle</c> is
/// signalled; ARP records are returned without being queued.
/// NOTE(review): one record is queued per matching packet and nothing in this method bounds the
/// queue; check that the consumer keeps up under heavy or hostile traffic.
/// </remarks>
public DataPacket Process(RawCapture capture)
{
    var record = new DataPacket();

    // Decode the link-layer frame, then look for the IP layer shared by the first three cases.
    var parsed = Packet.ParsePacket(capture.LinkLayerType, capture.Data);
    var ipLayer = IpPacket.GetEncapsulated(parsed);

    // --- TCP over IP ---
    var tcpLayer = TcpPacket.GetEncapsulated(parsed);
    if (ipLayer != null && tcpLayer != null)
    {
        record.IpAddressSource = ipLayer.SourceAddress.ToString();
        record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
        record.PortSource = tcpLayer.SourcePort;
        record.PortDestination = tcpLayer.DestinationPort;
        record.Payload = tcpLayer.PayloadData;
        record.Protocol = NetworkProtocol.tcp;
        record.Timestamp = DateTime.Now;

        // Hand the record to the DNS worker thread and wake it.
        lock (DnsLookupQueue)
        {
            DnsLookupQueue.Enqueue(record);
        }
        WaitHandle.Set();
        return record;
    }

    // --- UDP over IP ---
    var udpLayer = UdpPacket.GetEncapsulated(parsed);
    if (ipLayer != null && udpLayer != null)
    {
        record.IpAddressSource = ipLayer.SourceAddress.ToString();
        record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
        record.PortSource = udpLayer.SourcePort;
        record.PortDestination = udpLayer.DestinationPort;
        record.Payload = udpLayer.PayloadData;
        record.Protocol = NetworkProtocol.udp;
        record.Timestamp = DateTime.Now;

        // Hand the record to the DNS worker thread and wake it.
        lock (DnsLookupQueue)
        {
            DnsLookupQueue.Enqueue(record);
        }
        WaitHandle.Set();
        return record;
    }

    // --- ICMPv4 over IP: no ports, the type/code goes into Type instead ---
    var icmpLayer = ICMPv4Packet.GetEncapsulated(parsed);
    if (ipLayer != null && icmpLayer != null)
    {
        record.IpAddressSource = ipLayer.SourceAddress.ToString();
        record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
        record.Type = icmpLayer.TypeCode.ToString();
        record.Payload = icmpLayer.PayloadData;
        record.Protocol = NetworkProtocol.icmp;
        record.Timestamp = DateTime.Now;

        // Hand the record to the DNS worker thread and wake it.
        lock (DnsLookupQueue)
        {
            DnsLookupQueue.Enqueue(record);
        }
        WaitHandle.Set();
        return record;
    }

    // --- ARP: hardware addresses only, and no DNS lookup is requested ---
    var arpLayer = ARPPacket.GetEncapsulated(parsed);
    if (arpLayer != null)
    {
        record.Timestamp = DateTime.Now;
        record.HardwareAddressSource = arpLayer.SenderHardwareAddress.ToString();
        record.HardwareAddressTarget = arpLayer.TargetHardwareAddress.ToString();
        record.Protocol = NetworkProtocol.arp;
        record.Payload = parsed.PayloadData;
        return record;
    }

    // Not one of the handled protocols.
    return null;
}
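/// <summary>
/// Resolves the hardware (MAC) address of <paramref name="destIP"/> by sending ARP requests on
/// the capture device and waiting for a matching reply.
/// </summary>
/// <param name="destIP">The IP address to resolve.</param>
/// <returns>
/// The sender hardware address of the first ARP packet whose sender protocol address equals
/// <paramref name="destIP"/>, or <c>null</c> when none arrives before the timeout.
/// </returns>
/// <remarks>
/// ARP is unauthenticated: any host on the segment can answer for <paramref name="destIP"/>, and
/// the first matching answer wins. Treat the result as a claim made on the wire and do not use it
/// on its own as the basis for a trust decision.
/// </remarks>
public PhysicalAddress Resolve(IPAddress destIP)
{
    // Build the ARP request for the target address.
    var request = BuildRequest(destIP, LocalMAC, LocalIP);

    // tcpdump-style filter: only ARP frames addressed to our own MAC are read.
    String arpFilter = "arp and ether dst " + LocalMAC.ToString();

    // Open the device with a 20 ms read timeout.
    _device.Open(DeviceMode.Promiscuous, 20);
    try
    {
        _device.Filter = arpFilter;

        // A "last request" far in the past makes the first request go out immediately.
        var lastRequestTime = DateTime.FromBinary(0);
        var requestInterval = new TimeSpan(0, 0, 1);

        // UTC is used for the deadline so a local clock change (such as a DST switch) during the
        // wait cannot stretch or cut the timeout.
        var deadline = DateTime.UtcNow + timeout;
        while (DateTime.UtcNow < deadline)
        {
            if (requestInterval < (DateTime.UtcNow - lastRequestTime))
            {
                // (Re)send the request at most once per interval.
                _device.SendPacket(request);
                lastRequestTime = DateTime.UtcNow;
            }

            // Read the next frame; null means the read timed out.
            var reply = _device.GetNextPacket();
            if (reply == null)
            {
                continue;
            }

            var packet = Packet.ParsePacket(reply.LinkLayerType, reply.Data);
            var arpPacket = ARPPacket.GetEncapsulated(packet);
            if (arpPacket == null)
            {
                continue;
            }

            // Return as soon as the match is seen. Deciding success by re-reading the clock
            // after the loop could discard a reply found right at the deadline.
            if (arpPacket.SenderProtocolAddress.Equals(destIP))
            {
                return arpPacket.SenderHardwareAddress;
            }
        }

        // The timeout elapsed without a matching reply.
        return null;
    }
    finally
    {
        // Release the device even when sending, reading or parsing throws.
        _device.Close();
    }
}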
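// Marks whether the current data is valid

// Build the data row

/// <summary>
/// Builds the grid row that summarises one captured packet.
/// </summary>
/// <param name="rawPacket">The raw capture to summarise.</param>
/// <param name="packetID">Sequence number shown in the first column.</param>
/// <returns>
/// Seven strings: [0] zero-padded number, [1] protocol label, [2] length in bytes, [3] source,
/// [4] destination, [5] protocol details, [6] local time at which the row was built.
/// </returns>
/// <remarks>
/// Every address and detail string comes from the captured frame and is therefore chosen by
/// whoever sent it (the LLDP detail is the packet's full text form). Treat the row as untrusted
/// text wherever it is rendered or exported.
/// </remarks>
public string[] Row(RawCapture rawPacket, uint packetID)
{
    string[] rows = new string[7];
    rows[0] = string.Format("{0:D7}", packetID); // number
    rows[1] = "Unknown";
    rows[2] = rawPacket.Data.Length.ToString(); // data length in bytes
    rows[3] = "--";
    rows[4] = "--";
    rows[5] = "--";
    rows[6] = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");

    Packet packet = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data);
    EthernetPacket ep = EthernetPacket.GetEncapsulated(packet);
    if (ep != null)
    {
        rows[1] = "Ethernet(v2)";
        rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
        rows[4] = Format.MacFormat(ep.DestinationHwAddress.ToString());
        rows[5] = "[" + ep.Type.ToString() + "]";

        // ---- IP and the protocols carried on top of it ----
        IpPacket ip = IpPacket.GetEncapsulated(packet);
        if (ip != null)
        {
            rows[1] = ip.Version == IpVersion.IPv4 ? "IPv4" : "IPv6";
            rows[3] = ip.SourceAddress.ToString();
            rows[4] = ip.DestinationAddress.ToString();
            rows[5] = "[下层协议:" + ip.NextHeader.ToString() + "] [版本:" + ip.Version.ToString() + "]";

            TcpPacket tcp = TcpPacket.GetEncapsulated(packet);
            if (tcp != null)
            {
                rows[1] = "TCP";
                rows[3] += " [" + tcp.SourcePort.ToString() + "]";
                rows[4] += " [" + tcp.DestinationPort.ToString() + "]";

                // Label by well-known port: 25 SMTP; 80, 8080, 3128 HTTP; 21 FTP; 143 IMAP.
                // This is only a guess from the port number; the payload is not inspected.
                int sourcePort = tcp.SourcePort;
                int destinationPort = tcp.DestinationPort;
                if (destinationPort == 25 || sourcePort == 25)
                {
                    rows[1] = "SMTP";
                }
                else if (destinationPort == 80 || destinationPort == 8080 || destinationPort == 3128)
                {
                    rows[1] = "HTTP";
                }
                else if (destinationPort == 21)
                {
                    rows[1] = "FTP";
                }
                else if (destinationPort == 143)
                {
                    // Port 143 is IMAP; it used to be shown as "POP3", whose port is 110.
                    rows[1] = "IMAP";
                }
                return rows;
            }

            UdpPacket udp = UdpPacket.GetEncapsulated(packet);
            if (udp != null)
            {
                // Offset 42 is the first UDP payload byte only for Ethernet + a 20-byte IPv4
                // header + the 8-byte UDP header. A datagram with no payload is exactly 42 bytes
                // long, so the length must be checked before indexing or one empty UDP packet
                // from the network throws IndexOutOfRangeException here.
                // NOTE(review): with IP options or IPv6 this offset points elsewhere.
                if (rawPacket.Data.Length > 42 && rawPacket.Data[42] == ((byte)02))
                {
                    rows[1] = "OICQ";
                }
                else
                {
                    rows[1] = "UDP";
                }
                rows[3] += " [" + udp.SourcePort.ToString() + "]";
                rows[4] += " [" + udp.DestinationPort.ToString() + "]";
                return rows;
            }

            ICMPv4Packet icmpv4 = ICMPv4Packet.GetEncapsulated(packet);
            if (icmpv4 != null)
            {
                rows[1] = "ICMPv4";
                rows[5] = "[校验:" + icmpv4.Checksum.ToString() + "] [类型:" + icmpv4.TypeCode.ToString() + "] [序列号:" + icmpv4.Sequence.ToString() + "]";
                return rows;
            }

            ICMPv6Packet icmpv6 = ICMPv6Packet.GetEncapsulated(packet);
            if (icmpv6 != null)
            {
                rows[1] = "ICMPv6";
                rows[5] = "[Code:" + icmpv6.Code.ToString() + "] [Type" + icmpv6.Type.ToString() + "]";
                return rows;
            }

            IGMPv2Packet igmp = IGMPv2Packet.GetEncapsulated(packet);
            if (igmp != null)
            {
                rows[1] = "IGMP";
                rows[5] = "[只适用于IGMPv2] [组地址:" + igmp.GroupAddress.ToString() + "] [类型:" + igmp.Type.ToString() + "]";
                return rows;
            }

            // Some other IP payload: keep the generic IP row.
            return rows;
        }

        // ---- non-IP protocols carried directly in Ethernet ----
        ARPPacket arp = ARPPacket.GetEncapsulated(packet);
        if (arp != null)
        {
            rows[1] = "ARP";
            rows[3] = Format.MacFormat(arp.SenderHardwareAddress.ToString());
            rows[4] = Format.MacFormat(arp.TargetHardwareAddress.ToString());
            rows[5] = "[Arp操作方式:" + arp.Operation.ToString() + "] [发送者:" + arp.SenderProtocolAddress.ToString() + "] [目标:" + arp.TargetProtocolAddress.ToString() + "]";
            return rows;
        }

        WakeOnLanPacket wp = WakeOnLanPacket.GetEncapsulated(packet);
        if (wp != null)
        {
            rows[1] = "Wake On Lan";
            rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
            rows[4] = Format.MacFormat(wp.DestinationMAC.ToString());
            rows[5] = "[唤醒网络地址:" + wp.DestinationMAC.ToString() + "] [有效性:" + wp.IsValid().ToString() + "]";
            return rows;
        }

        PPPoEPacket poe = PPPoEPacket.GetEncapsulated(packet);
        if (poe != null)
        {
            rows[1] = "PPPoE";
            rows[5] = poe.Type.ToString() + " " + poe.Version.ToString();
            return rows;
        }

        LLDPPacket llp = LLDPPacket.GetEncapsulated(packet);
        if (llp != null)
        {
            rows[1] = "LLDP";
            rows[5] = llp.ToString();
            return rows;
        }

        // Unrecognised EtherType: keep the generic Ethernet row.
        return rows;
    }

    // ---- other link layers ----
    PPPPacket ppp = PPPPacket.GetEncapsulated(packet);
    if (ppp != null)
    {
        rows[1] = "PPP";
        rows[3] = "--";
        rows[4] = "--";
        rows[5] = "协议类型:" + ppp.Protocol.ToString();
        return rows;
    }

    // PPP serial
    PppSerialPacket ppps = PppSerialPacket.GetEncapsulated(packet);
    if (ppps != null)
    {
        rows[1] = "PPP";
        rows[3] = "--";
        rows[4] = "0x" + ppps.Address.ToString("X2");
        rows[5] = "地址:" + ppps.Address.ToString("X2") + " 控制:" + ppps.Control.ToString() + " 协议类型:" + ppps.Protocol.ToString();
        return rows;
    }

    // Cisco HDLC
    CiscoHDLCPacket hdlc = CiscoHDLCPacket.GetEncapsulated(packet);
    if (hdlc != null)
    {
        rows[1] = "Cisco HDLC";
        rows[3] = "--";
        rows[4] = "0x" + hdlc.Address.ToString("X2");
        rows[5] = "地址:" + hdlc.Address.ToString("X2") + " 控制:" + hdlc.Control.ToString() + " 协议类型:" + hdlc.Protocol.ToString();
        return rows;
    }

    // The frame was already parsed above with the same arguments, so that result is reused for
    // the remaining type tests instead of parsing the same bytes three more times.
    PacketDotNet.Ieee80211.MacFrame ieee = packet as PacketDotNet.Ieee80211.MacFrame;
    if (ieee != null)
    {
        rows[1] = "IEEE802.11 MacFrame";
        rows[3] = "--";
        rows[4] = "--";
        rows[5] = "帧校验序列:" + ieee.FrameCheckSequence.ToString() + " 封装帧:" + ieee.FrameControl.ToString();
        return rows;
    }

    PacketDotNet.Ieee80211.RadioPacket ieeePacket = packet as PacketDotNet.Ieee80211.RadioPacket;
    if (ieeePacket != null)
    {
        rows[1] = "IEEE Radio";
        rows[5] = "Version=" + ieeePacket.Version.ToString();
    }

    LinuxSLLPacket linux = packet as LinuxSLLPacket;
    if (linux != null)
    {
        rows[1] = "LinuxSLL";
        rows[5] = "Tyep=" + linux.Type.ToString() + " Protocol=" + linux.EthernetProtocolType.ToString();
    }

    return rows;
}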
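/// <summary>
/// Capture callback: extracts the MAC/IP pairs seen in a frame (Ethernet + IP headers, or the
/// ARP sender and target fields), passes each pair to <c>CheckMacAndIp</c>, then saves the log
/// when file logging is enabled.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Capture event carrying the raw frame.</param>
/// <remarks>
/// The frame is parsed once and absent layers are detected with null checks, so ordinary traffic
/// no longer raises and swallows a NullReferenceException for every packet.
/// NOTE(review): for traffic that crossed a router the Ethernet source MAC presumably belongs to
/// the router, not to the host owning the IP address; confirm <c>CheckMacAndIp</c> accounts for
/// that before treating an Eth mismatch as a spoofing signal.
/// </remarks>
private static void OnPacketArrival(object sender, CaptureEventArgs e)
{
    Packet parsed = null;
    try
    {
        parsed = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
    }
    catch (Exception)
    {
        // Deliberately silent: a frame that cannot be parsed is skipped, and writing a message
        // per bad frame would let anyone on the segment flood the console.
    }

    if (parsed != null)
    {
        try
        {
            var ip = IpPacket.GetEncapsulated(parsed);
            var ethernet = EthernetPacket.GetEncapsulated(parsed);

            // Only frames that carry both layers yield an Ethernet/IP pairing.
            if (ip != null && ethernet != null)
            {
                string SourceIpAddress = ip.SourceAddress.ToString();
                string SourceMacAddress = BitConverter.ToString(ethernet.SourceHwAddress.GetAddressBytes()).ToLower().Replace("-", ":");
                string TargetMacAddress = BitConverter.ToString(ethernet.DestinationHwAddress.GetAddressBytes()).ToLower().Replace("-", ":");
                string TargetIpAddress = ip.DestinationAddress.ToString();

                try
                {
                    CheckMacAndIp(SourceMacAddress, SourceIpAddress, "Eth");
                    CheckMacAndIp(TargetMacAddress, TargetIpAddress, "Eth");
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.ToString());
                }
            }
        }
        catch (Exception)
        {
            // Best effort, as before: a field that cannot be read skips this frame's IP check.
        }

        try
        {
            var arp = ARPPacket.GetEncapsulated(parsed);
            if (arp != null)
            {
                // Source information
                string SourceIpAddress = arp.SenderProtocolAddress.ToString();
                string SourceMacAddress = BitConverter.ToString(arp.SenderHardwareAddress.GetAddressBytes()).ToLower().Replace("-", ":");

                // Target information
                string TargetIpAddress = arp.TargetProtocolAddress.ToString();
                string TargetMacAddress = BitConverter.ToString(arp.TargetHardwareAddress.GetAddressBytes()).ToLower().Replace("-", ":");

                try
                {
                    CheckMacAndIp(SourceMacAddress, SourceIpAddress, "ARP");
                    CheckMacAndIp(TargetMacAddress, TargetIpAddress, "ARP");
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.ToString());
                }
            }
        }
        catch (Exception)
        {
            // Best effort, as before: a field that cannot be read skips this frame's ARP check.
        }
    }

    // Save the log file
    if (LogType == FILE)
    {
        SaveLog();
    }
}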
/// <summary>
/// Packet arrival event: parses the frame as Ethernet and distributes it to the queues of
/// whichever components are currently started.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Capture event carrying the raw frame.</param>
/// <remarks>
/// Frames that fail to parse, or that are not Ethernet, are dropped silently. When
/// <c>SSLStrip.ProcessPacket</c> returns false the method returns at once, so that packet is not
/// handed to the routing queues.
/// </remarks>
private void device_OnPacketArrival(object sender, CaptureEventArgs e)
{
    Packet packet;
    try
    {
        // The link layer is fixed to Ethernet here rather than taken from the capture.
        packet = Packet.ParsePacket(LinkLayers.Ethernet, e.Packet.Data);
    }
    catch
    {
        return;
    }

    if (!(packet is EthernetPacket))
    {
        return;
    }

    var tcp = TcpPacket.GetEncapsulated(packet);
    var arp = ARPPacket.GetEncapsulated(packet);
    var ip = IpPacket.GetEncapsulated(packet);
    var icmpv6 = ICMPv6Packet.GetEncapsulated(packet);

    // ARP packet -> scanner queue
    if (arp != null && Scanner.Started)
    {
        lock (Scanner.PacketQueueARP)
        {
            Scanner.PacketQueueARP.Add(arp);
        }
    }

    // ICMPv6 packet -> scanner NDP queue, with its parent chain re-attached
    if (icmpv6 != null && Scanner.Started)
    {
        lock (Scanner.PacketQueueNDP)
        {
            // NOTE(review): assumes an IP layer was found whenever ICMPv6 was; if ip is null
            // the second assignment dereferences null. Confirm.
            icmpv6.ParentPacket = ip;
            icmpv6.ParentPacket.ParentPacket = packet;
            Scanner.PacketQueueNDP.Add(icmpv6);
        }
    }

    // TCP packet
    if (tcp != null)
    {
        // HTTP, FTP, IMAP, POP3, SMTP packets (client -> server)
        bool towardsKnownService = tcp.DestinationPort == 80
            || tcp.DestinationPort == 21
            || tcp.DestinationPort == 143
            || tcp.DestinationPort == 110
            || tcp.DestinationPort == 25;
        if (towardsKnownService && Sniffer.Started)
        {
            lock (Sniffer.PacketQueue)
            {
                Sniffer.PacketQueue.Add(tcp);
            }
        }

        // SSL stripping needs HTTP in & out
        bool isHttpEitherWay = tcp.DestinationPort == 80 || tcp.SourcePort == 80;
        if (isHttpEitherWay && SSLStrip.Started && !SSLStrip.ProcessPacket(packet, tcp))
        {
            return;
        }
    }

    // IP packet
    if (ip == null)
    {
        return;
    }

    // route IPv4
    if (ARPTools.SpoofingStarted && ip.SourceAddress.AddressFamily == AddressFamily.InterNetwork)
    {
        lock (ARPTools.PacketQueueRouting)
        {
            ARPTools.PacketQueueRouting.Add(packet);
        }
    }

    // route IPv6
    if (NDTools.SpoofingStarted && ip.SourceAddress.AddressFamily == AddressFamily.InterNetworkV6)
    {
        lock (NDTools.PacketQueueRouting)
        {
            NDTools.PacketQueueRouting.Add(packet);
        }
    }
}